# Namespace Operator Project API

## Packages

### project.tcs.trifork.com/v1alpha1

Package v1alpha1 contains API Schema definitions for the project v1alpha1 API group.

#### Resource Types

- BootstrapConfig
- BootstrapConfigList
- NamespaceConfig
- NamespaceConfigList
- ProjectBootstrap
- ProjectBootstrapList
#### BootstrapConfig

BootstrapConfig is the Schema for the bootstrapconfigs API.

_Appears in:_
- BootstrapConfigList

| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | `project.tcs.trifork.com/v1alpha1`. APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | |
| `kind` _string_ | `BootstrapConfig`. Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _BootstrapConfigSpec_ | | | |
| `status` _BootstrapConfigStatus_ | | | |
#### BootstrapConfigAzureDevOps

_Appears in:_
- BootstrapConfigGit

| Field | Description | Default | Validation |
|---|---|---|---|
| `secretRef` _string_ | Name of the Secret containing an Azure DevOps PAT with the "Code (Read, write & manage)" scope. | | |
| `organization` _string_ | Azure DevOps organization. | | |
| `project` _string_ | Azure DevOps project. | | |
#### BootstrapConfigBitbucket

_Appears in:_
- BootstrapConfigGit

| Field | Description | Default | Validation |
|---|---|---|---|
| `secretRef` _string_ | Name of the Secret containing the Bitbucket username and password (an API token may be used as the password). | | |
| `baseUrl` _string_ | Base URL of the Bitbucket server. | | |
| `projectKey` _string_ | Key of the Bitbucket project containing the namespace repositories. | | |
#### BootstrapConfigGit

Exactly one of the integrations below must be present.

_Appears in:_
- BootstrapConfigSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| `github` _BootstrapConfigGithub_ | GitHub-based git integration. | | |
| `gitlab` _BootstrapConfigGitlab_ | GitLab-based git integration. | | |
| `bitbucket` _BootstrapConfigBitbucket_ | Bitbucket-based git integration. | | |
| `azuredevops` _BootstrapConfigAzureDevOps_ | Azure DevOps-based git integration. | | |
#### BootstrapConfigGithub

_Appears in:_
- BootstrapConfigGit

| Field | Description | Default | Validation |
|---|---|---|---|
| `template` _BootstrapConfigGithubTemplate_ | Properties for creating a new repository from a template. | | |
| `secretRef` _string_ | Name of the Secret containing either GitHub App credentials or a username/token pair. The auth method is chosen based on the contents of the Secret. | | |
| `owner` _string_ | Organization or user that owns the GitHub repositories for namespaces. Will become required. | | |
#### BootstrapConfigGithubTemplate

_Appears in:_
- BootstrapConfigGithub

| Field | Description | Default | Validation |
|---|---|---|---|
| `owner` _string_ | Deprecated: use `owner` on BootstrapConfigGithub instead. | | |
| `repo` _string_ | Name of the template repository. | | |
| `adminTeam` _string_ | GitHub team slug to register as admin on the repository. | | |
#### BootstrapConfigGitlab

_Appears in:_
- BootstrapConfigGit

| Field | Description | Default | Validation |
|---|---|---|---|
| `secretRef` _string_ | Name of the Secret containing the GitLab API token. | | |
| `namespacePath` _string_ | GitLab namespace path under which new repositories are created. | | |
| `baseUrl` _string_ | Base URL of the GitLab instance; defaults to GitLab cloud. | `https://gitlab.com/` | |
#### BootstrapConfigList

BootstrapConfigList contains a list of BootstrapConfig.

| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | `project.tcs.trifork.com/v1alpha1`. APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | |
| `kind` _string_ | `BootstrapConfigList`. Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _BootstrapConfig array_ | | | |
#### BootstrapConfigOpenTelemetry

_Appears in:_
- BootstrapConfigSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| `certificate` _BootstrapConfigOpenTelemetryCertificate_ | cert-manager certificate generation. | | |
| `config` _string_ | OpenTelemetry Collector configuration. This should be changed away from a string in a future version of the API. | | |
| `resources` _ResourceRequirements_ | Resources for the OpenTelemetry sidecar. | | |
#### BootstrapConfigOpenTelemetryCertificate

_Appears in:_
- BootstrapConfigOpenTelemetry

| Field | Description | Default | Validation |
|---|---|---|---|
| `commonName` _string_ | | | |
| `issuerRef` _ObjectReference_ | | | |
| `privateKey` _CertificatePrivateKey_ | | | |
#### BootstrapConfigSize

_Appears in:_
- BootstrapConfigSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| `limitRange` _LimitRangeSpec_ | | | |
| `resourceQuota` _ResourceQuotaSpec_ | | | |
#### BootstrapConfigSpec

BootstrapConfigSpec defines the desired state of BootstrapConfig.

_Appears in:_
- BootstrapConfig
- NamespaceConfigSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| `sizes` _object (keys:string, values:BootstrapConfigSize)_ | Size definitions available for this configuration. | | |
| `rules` _PolicyRule array_ | Rules defining the permissions used for reconciliation. | | |
| `networkPolicies` _object (keys:string, values:NetworkPolicySpec)_ | NetworkPolicies applied to the namespace. A default deny-all policy is always put in place. | | |
| `labels` _object (keys:string, values:string)_ | Labels to attach to the namespace. | | |
| `annotations` _object (keys:string, values:string)_ | Annotations to attach to the namespace. | | |
| `git` _BootstrapConfigGit_ | Git configuration for the repository set up for a new namespace. | | |
| `postBuild` _PostBuild_ | PostBuild describes which actions to perform on the YAML manifest generated by building the kustomize overlay. | | |
| `vault` _BootstrapConfigVault_ | Vault configuration for secrets handling; Vault stores the ssh keys used for reconciliation and more. | | |
| `externalSecretsStore` _SecretStoreSpec_ | ExternalSecrets defines the secret store to deploy in the namespace. | | |
| `openTelemetryCollector` _BootstrapConfigOpenTelemetry_ | OpenTelemetry Collector. | | |
| `roles` _object (keys:string, values:PolicyRule)_ | Extra roles to create inside the namespace. A role is only created if it is referenced by a roleBinding in the ProjectBootstrap resource. | | |
| `allowUserRoleOverride` _boolean_ | Set to true to allow the ProjectBootstrap to override the user role mapping. | | |
| `userClusterRole` _object (keys:string, values:PolicyRule)_ | Optionally defines a role that is bound to namespace users at cluster level, e.g. the ability to list namespaces. The role is bound to the defined user roles; by default `tenant-readonly` and `tenant-user` exist. | | |
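As an added example (not taken from the project's own samples), a complete BootstrapConfig exercising the fields above: one size, reconciler rules, network policies layered on the always-present deny-all, a GitHub integration, Vault access and a tenant role. Every name, URL, organisation, team slug and Vault path in it is an assumption, and reading the `userClusterRole` keys as rule names is an assumption as well.

```yaml
apiVersion: project.tcs.trifork.com/v1alpha1
kind: BootstrapConfig
metadata:
  name: standard                 # assumed; referenced from ProjectBootstrap.spec.config.ref
  namespace: namespace-operator  # assumed; ProjectBootstrap objects must be created here too
spec:
  # Each key is a size a ProjectBootstrap can pick via spec.config.size.
  sizes:
    small:
      resourceQuota:
        hard:
          requests.cpu: "2"
          requests.memory: 4Gi
          limits.cpu: "4"
          limits.memory: 8Gi
          pods: "20"
      limitRange:
        limits:
          - type: Container
            defaultRequest: { cpu: 100m, memory: 128Mi }
            default: { cpu: 500m, memory: 512Mi }
            max: { cpu: "2", memory: 2Gi }
  # Permissions granted to the reconciler inside the namespace. Keep this list to
  # namespace-scoped resources; anything cluster-scoped does not belong here.
  rules:
    - apiGroups: ["", "apps", "batch", "networking.k8s.io"]
      resources: ["*"]
      verbs: ["*"]
  # A default deny-all NetworkPolicy is always applied; these open only what is needed.
  networkPolicies:
    allow-dns-egress:
      podSelector: {}
      policyTypes: [Egress]
      egress:
        - to:
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: kube-system
          ports:
            - { protocol: UDP, port: 53 }
            - { protocol: TCP, port: 53 }
    allow-same-namespace:
      podSelector: {}
      policyTypes: [Ingress]
      ingress:
        - from:
            - podSelector: {}
  labels:
    pod-security.kubernetes.io/enforce: restricted
  # Exactly one git integration; here GitHub with a template repository.
  git:
    github:
      secretRef: github-app-credentials  # assumed Secret in the operator namespace
      owner: example-org                 # assumed organisation owning the per-namespace repos
      template:
        repo: namespace-template         # assumed template repository
        adminTeam: platform-admins       # assumed team slug
  vault:
    server: https://vault.example.internal  # assumed
    mount: secret
    pathPrefix: namespaces
    auth:
      mount: kubernetes
      role: namespace-operator
      serviceAccountRef: namespace-operator  # ServiceAccount in the operator namespace
    namespaceList: iam/namespaces            # assumed keys used for IAM synchronisation
    namespaceBindings: iam/bindings
  # Extra roles; each value is one PolicyRule and the Role is only created once a
  # ProjectBootstrap references the key in spec.roleBindings.
  roles:
    secret-reader:
      apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get", "list"]
  # Left false: an override lets the ProjectBootstrap author choose which cluster
  # role its groups receive, so enabling it is a trust decision per config.
  allowUserRoleOverride: false
  # Cluster-level rule bound to the tenant user roles (tenant-readonly/tenant-user
  # by default); the key name is assumed to be a free-form rule name.
  userClusterRole:
    list-namespaces:
      apiGroups: [""]
      resources: ["namespaces"]
      verbs: ["get", "list"]
```

The `roles` map does nothing on its own: a Role only materialises when a ProjectBootstrap lists it under `roleBindings`, so unused entries here are not a latent grant. The `rules` block is what the reconciler runs with inside every namespace created from this config, so it deserves the same review as any service account with write access to workloads.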
#### BootstrapConfigStatus

BootstrapConfigStatus defines the observed state of BootstrapConfig.

_Appears in:_
- BootstrapConfig

| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | | | |
#### BootstrapConfigVault

_Appears in:_
- BootstrapConfigSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| `server` _string_ | | | |
| `auth` _BootstrapConfigVaultAuth_ | | | |
| `mount` _string_ | | | |
| `pathPrefix` _string_ | | | |
| `namespaceList` _string_ | NamespaceList defines the key in Vault used to allow synchronization of namespaces with IAM. | | |
| `namespaceBindings` _string_ | NamespaceBindings defines the key in Vault used to allow synchronization of external role bindings with IAM. | | |
| `data` _BootstrapConfigVaultData array_ | | | |
#### BootstrapConfigVaultAuth

_Appears in:_
- BootstrapConfigVault

| Field | Description | Default | Validation |
|---|---|---|---|
| `mount` _string_ | The mount point of the Vault Kubernetes auth backend. | | |
| `role` _string_ | The role to assume in the Vault Kubernetes auth backend. | | |
| `serviceAccountRef` _string_ | Service account used to authenticate against Vault; read from the same namespace as the bootstrap configuration. | | |
#### BootstrapConfigVaultData

_Appears in:_
- BootstrapConfigVault

| Field | Description | Default | Validation |
|---|---|---|---|
| `name` _string_ | | | |
| `path` _string_ | | | |
#### NamespaceConfig

NamespaceConfig is the Schema for the namespaceconfigs API.

_Appears in:_
- NamespaceConfigList

| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | `project.tcs.trifork.com/v1alpha1`. APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | |
| `kind` _string_ | `NamespaceConfig`. Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _NamespaceConfigSpec_ | | | |
| `status` _NamespaceConfigStatus_ | | | |
#### NamespaceConfigList

NamespaceConfigList contains a list of NamespaceConfig.

| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | `project.tcs.trifork.com/v1alpha1`. APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | |
| `kind` _string_ | `NamespaceConfigList`. Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _NamespaceConfig array_ | | | |
#### NamespaceConfigSpec

NamespaceConfigSpec defines the desired state of NamespaceConfig.

_Appears in:_
- NamespaceConfig

| Field | Description | Default | Validation |
|---|---|---|---|
| `config` _ProjectBootstrapConfig_ | Config defines the configuration used for provisioning the namespace. | | |
| `namespace` _string_ | Namespace defines the name of the namespace. | | |
| `git` _ProjectBootstrapGit_ | Git defines the properties for reconciling resources into the namespace. | | |
| `metadata` _object (keys:string, values:string)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `databases` _object (keys:string, values:ProjectDatabase)_ | Databases that should be handled by the KCI db operator. | | |
| `gateways` _object (keys:string, values:ProjectGateway)_ | Istio Gateway definitions for the namespace. | | |
| `overrides` _ProjectBootstrapOverrides_ | Values to override from the chosen bootstrap config. | | |
| `roleBindings` _ProjectRoleBinding array_ | Extra role bindings based on the roles defined in the referenced bootstrap config. | | |
| `definition` _BootstrapConfigSpec_ | | | |
#### NamespaceConfigStatus

NamespaceConfigStatus defines the observed state of NamespaceConfig.

_Appears in:_
- NamespaceConfig

| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | | | |
| `gitUrl` _string_ | URL of the git repository bootstrapping namespace reconciliation. | | |
| `gitCredentialPath` _string_ | Path of the git credentials in Vault. | | |
| `configName` _string_ | Name of the BootstrapConfig resource of the namespace. | | |
| `configNamespace` _string_ | Namespace containing the BootstrapConfig resource of the namespace. | | |
#### ProjectBootstrap

ProjectBootstrap is the Schema for the projectbootstraps API.

_Appears in:_
- ProjectBootstrapList

| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | `project.tcs.trifork.com/v1alpha1`. APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | |
| `kind` _string_ | `ProjectBootstrap`. Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _ProjectBootstrapSpec_ | | | |
| `status` _ProjectBootstrapStatus_ | | | |
#### ProjectBootstrapConfig

_Appears in:_
- NamespaceConfigSpec
- ProjectBootstrapSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| `ref` _string_ | Name of the BootstrapConfig resource, which must reside in the same namespace. | | |
| `size` _string_ | Size chosen from the configuration's `sizes`. | | |
#### ProjectBootstrapGit

_Appears in:_
- NamespaceConfigSpec
- ProjectBootstrapSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| `branch` _string_ | Git branch used for reconciliation. | | |
| `path` _string_ | Path within the gitops repository. | | |
| `name` _string_ | Repository name within the scope defined in the referenced bootstrap config. If not given, the repository name is the namespace name with a `-flux` suffix. | | |
#### ProjectBootstrapList

ProjectBootstrapList contains a list of ProjectBootstrap.

| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | `project.tcs.trifork.com/v1alpha1`. APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | |
| `kind` _string_ | `ProjectBootstrapList`. Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `items` _ProjectBootstrap array_ | | | |
#### ProjectBootstrapOverrides

ProjectBootstrapOverrides defines overrides to the bootstrap configuration.

_Appears in:_
- NamespaceConfigSpec
- ProjectBootstrapSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| `networkPolicies` _object (keys:string, values:NetworkPolicySpec)_ | NetworkPolicies to add to, or override, the ones from the bootstrap configuration. | | |
| `labels` _object (keys:string, values:string)_ | Labels to add to, or override, the ones from the bootstrap configuration. | | |
| `annotations` _object (keys:string, values:string)_ | Annotations to add to, or override, the ones from the bootstrap configuration. | | |
| `userRoles` _object (keys:string, values:ProjectBootstrapUserRole)_ | UserRoles replaces the default user mappings; requires that the namespace config allows user role overrides. The default is `tenant-readonly` mapping `tenant_readonly.{{ .Namespace }}` to the cluster role `view`, and `tenant-user` mapping `tenant_user.{{ .Namespace }}` to the cluster role `edit`. | | |
#### ProjectBootstrapSpec

ProjectBootstrapSpec defines the desired state of ProjectBootstrap.

_Appears in:_
- NamespaceConfigSpec
- ProjectBootstrap

| Field | Description | Default | Validation |
|---|---|---|---|
| `config` _ProjectBootstrapConfig_ | Config defines the configuration used for provisioning the namespace. | | |
| `namespace` _string_ | Namespace defines the name of the namespace. | | |
| `git` _ProjectBootstrapGit_ | Git defines the properties for reconciling resources into the namespace. | | |
| `metadata` _object (keys:string, values:string)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `databases` _object (keys:string, values:ProjectDatabase)_ | Databases that should be handled by the KCI db operator. | | |
| `gateways` _object (keys:string, values:ProjectGateway)_ | Istio Gateway definitions for the namespace. | | |
| `overrides` _ProjectBootstrapOverrides_ | Values to override from the chosen bootstrap config. | | |
| `roleBindings` _ProjectRoleBinding array_ | Extra role bindings based on the roles defined in the referenced bootstrap config. | | |
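An added ProjectBootstrap (not from the project's documentation) that consumes a BootstrapConfig like the one described above: it picks a size, adds a network policy and a label, replaces the tenant group mapping and binds one of the config's roles to a service account. The config name `standard`, the namespace names, the label and the group names are assumptions.

```yaml
apiVersion: project.tcs.trifork.com/v1alpha1
kind: ProjectBootstrap
metadata:
  name: payments
  namespace: namespace-operator  # must be the namespace holding the referenced BootstrapConfig
spec:
  config:
    ref: standard   # name of the BootstrapConfig in this namespace (assumed)
    size: small     # must be a key of that config's spec.sizes
  namespace: payments
  git:
    branch: main
    path: ./clusters/prod  # path inside the repo; the repo name defaults to "payments-flux"
  overrides:
    labels:
      cost-center: "4711"
    # Added on top of the config's policies and the always-present deny-all.
    networkPolicies:
      allow-from-ingress-gateway:
        podSelector:
          matchLabels:
            app: payments-api
        policyTypes: [Ingress]
        ingress:
          - from:
              - namespaceSelector:
                  matchLabels:
                    kubernetes.io/metadata.name: istio-system
            ports:
              - { protocol: TCP, port: 8080 }
    # Only valid when the BootstrapConfig sets allowUserRoleOverride: true.
    # Replaces the defaults (tenant-readonly -> view, tenant-user -> edit), so keep the
    # cluster roles at or below the defaults unless a wider grant has been agreed.
    userRoles:
      tenant-readonly:
        clusterRole: view
        group: payments-readers     # assumed IdP group
      tenant-user:
        clusterRole: edit
        group: payments-developers  # assumed IdP group
  # Binds roles declared in BootstrapConfig.spec.roles to service accounts in the namespace.
  roleBindings:
    - role: secret-reader       # key of the config's roles map; the Role is created on reference
      serviceAccount: payments-api
```

Without the `userRoles` override the groups would be `tenant_readonly.payments` and `tenant_user.payments`, per the default mapping in ProjectBootstrapOverrides. `roleBindings[].role` must name a key of the config's `roles` map, and `config.ref` is resolved in the ProjectBootstrap's own namespace, which is why the object lives next to the config rather than in the tenant namespace it creates.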
#### ProjectBootstrapStatus

ProjectBootstrapStatus defines the observed state of ProjectBootstrap.

_Appears in:_
- ProjectBootstrap

| Field | Description | Default | Validation |
|---|---|---|---|
| `created` _boolean_ | | | |
| `conditions` _Condition array_ | | | |
#### ProjectBootstrapUserRole

ProjectBootstrapUserRole maps a cluster role to a group name.

_Appears in:_
- ProjectBootstrapOverrides

| Field | Description | Default | Validation |
|---|---|---|---|
| `clusterRole` _string_ | Name of the cluster role to associate with the (external) group. | | |
| `group` _string_ | Name of the (external) group to map to the cluster role. | | |
#### ProjectDatabase

ProjectDatabase defines the properties used to provision a new database instance.

_Appears in:_
- NamespaceConfigSpec
- ProjectBootstrapSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| `instance` _string_ | Name of the DbInstance to create databases on. | | |
| `deletionProtected` _boolean_ | Whether the database is protected from deletion. | | |
| `connectionStringTemplate` _string_ | Template for the connection strings generated in DB secrets. | | |
#### ProjectGateway

ProjectGateway exposes various Istio Gateway configurations.

_Appears in:_
- NamespaceConfigSpec
- ProjectBootstrapSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| `servers` _ProjectGatewayServer array_ | | | |
| `selector` _object (keys:string, values:string)_ | | | |
#### ProjectGatewayPort

_Appears in:_
- ProjectGatewayServer

| Field | Description | Default | Validation |
|---|---|---|---|
| `number` _integer_ | A valid non-negative integer port number. | | |
| `protocol` _string_ | The protocol exposed on the port. MUST BE one of HTTP\|HTTPS\|GRPC\|HTTP2\|MONGO\|TCP\|TLS. TLS implies the connection will be routed based on the SNI header to the destination without terminating the TLS connection. | | |
| `name` _string_ | Label assigned to the port. | | |
| `target_port` _integer_ | The port number on the endpoint where the traffic will be received. Applicable only when used with ServiceEntries. | | |
#### ProjectGatewayServer

ProjectGatewayServer is the server part of a Gateway configuration.

_Appears in:_
- ProjectGateway

| Field | Description | Default | Validation |
|---|---|---|---|
| `port` _ProjectGatewayPort_ | The Port on which the proxy should listen for incoming connections. | | |
| `bind` _string_ | The IP or the Unix domain socket to which the listener should be bound. Format: `x.x.x.x`, `unix:///path/to/uds` or `unix://@foobar` (Linux abstract namespace). When using Unix domain sockets, the port number should be 0. This can be used to restrict the reachability of this server to be gateway-internal only. This is typically used when a gateway needs to communicate with another mesh service, e.g. publishing metrics. In such a case, the server created with the specified bind will not be available to external gateway clients. | | |
| `hosts` _string array_ | One or more hosts exposed by this gateway. While typically applicable to HTTP services, it can also be used for TCP services using TLS with SNI. A host is specified as a dnsName with an optional `namespace/` prefix. The dnsName should be specified using FQDN format, optionally including a wildcard character in the left-most component (e.g., `prod/*.example.com`). Set the dnsName to `*` to select all VirtualService hosts from the specified namespace (e.g., `prod/*`). The namespace can be set to `*` or `.`, representing any or the current namespace, respectively. For example, `*/foo.example.com` selects the service from any available namespace while `./foo.example.com` only selects the service from the namespace of the sidecar. The default, if no `namespace/` is specified, is `*/`, that is, select services from any namespace. Any associated DestinationRule in the selected namespace will also be used. A VirtualService must be bound to the gateway and must have one or more hosts that match the hosts specified in a server. The match could be an exact match or a suffix match with the server's hosts. For example, if the server's hosts specifies `*.example.com`, a VirtualService with hosts `dev.example.com` or `prod.example.com` will match. However, a VirtualService with host `example.com` or `newexample.com` will not match. NOTE: Only virtual services exported to the gateway's namespace (e.g., exportTo value of `*`) can be referenced. Private configurations (e.g., exportTo set to `.`) will not be available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details. | | |
| `tls` _ProjectGatewayTLSSettings_ | Set of TLS-related options that govern the server's behavior. Use these options to control whether all HTTP requests should be redirected to HTTPS, and the TLS modes to use. | | |
| `name` _string_ | An optional name of the server; when set it must be unique across all servers. This is used for a variety of purposes, such as prefixing stats generated with this name. | | |
#### ProjectGatewayTLSSettings

_Appears in:_
- ProjectGatewayServer

| Field | Description | Default | Validation |
|---|---|---|---|
| `httpsRedirect` _boolean_ | If set to true, the load balancer will send a 301 redirect for all HTTP connections, asking the clients to use HTTPS. | | |
| `mode` _string_ | Optional: Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced. | | |
| `serverCertificate` _string_ | REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server-side TLS certificate to use. | | |
| `privateKey` _string_ | REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server's private key. | | |
| `caCertificates` _string_ | REQUIRED if mode is MUTUAL. The path to a file containing certificate authority certificates to use in verifying a presented client-side certificate. | | |
| `credentialName` _string_ | For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. Applicable only on Kubernetes. The secret (of type generic) should contain the following keys and values: `key: <privateKey>` and `cert: <serverCert>`. For mutual TLS, `cacert: <CACertificate>` can be provided in the same secret or in a separate secret named `<secret>-cacert`. A secret of type tls for the server certificate, together with a `ca.crt` key for CA certificates, is also supported. Only one of server certificates and CA certificate, or credentialName, can be specified. | | |
| `subjectAltNames` _string array_ | A list of alternate names to verify the subject identity in the certificate presented by the client. | | |
| `verifyCertificateSpki` _string array_ | An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted. | | |
| `verifyCertificateHash` _string array_ | An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. Both simple and colon-separated formats are acceptable. Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted. | | |
| `minProtocolVersion` _string_ | Optional: Minimum TLS protocol version. | | |
| `maxProtocolVersion` _string_ | Optional: Maximum TLS protocol version. | | |
| `cipherSuites` _string array_ | Optional: If specified, only support the specified cipher list. Otherwise default to the default cipher list supported by Envoy. | | |
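An added example (not from the project) of the `gateways` map, showing the TLS settings above in a hardened shape: plain HTTP kept only for the redirect, HTTPS terminated from a Secret via `credentialName`, and a mutual-TLS server that additionally pins the client SPKI. The hostnames, Secret names, cipher list, the `TLSV1_2` version string (Istio's spelling) and the SPKI placeholder are assumptions.

```yaml
apiVersion: project.tcs.trifork.com/v1alpha1
kind: ProjectBootstrap
metadata:
  name: payments
  namespace: namespace-operator
spec:
  config:
    ref: standard  # assumed BootstrapConfig name
    size: small
  namespace: payments
  git:
    branch: main
    path: ./clusters/prod
  gateways:
    public:
      selector:
        istio: ingressgateway  # assumed label on the ingress gateway pods
      servers:
        # Port 80 exists only to redirect; no application traffic is served in clear.
        - name: http-redirect
          port: { number: 80, name: http, protocol: HTTP }
          hosts: ["payments.example.com"]
          tls:
            httpsRedirect: true
        # Public HTTPS terminated at the gateway from a kubernetes.io/tls Secret.
        - name: https
          port: { number: 443, name: https, protocol: HTTPS }
          hosts: ["payments.example.com"]
          tls:
            mode: SIMPLE
            credentialName: payments-example-com-tls  # assumed Secret name; excludes serverCertificate/privateKey
            minProtocolVersion: TLSV1_2               # rejects TLS 1.0/1.1 handshakes
            cipherSuites:                             # assumed Envoy cipher names, AEAD + forward secrecy only
              - ECDHE-ECDSA-AES256-GCM-SHA384
              - ECDHE-RSA-AES256-GCM-SHA384
              - ECDHE-ECDSA-AES128-GCM-SHA256
              - ECDHE-RSA-AES128-GCM-SHA256
        # Partner endpoint: client certificates required and pinned by SPKI hash.
        - name: partner-mtls
          port: { number: 8443, name: https-partner, protocol: HTTPS }
          hosts: ["partner.payments.example.com"]
          tls:
            mode: MUTUAL
            credentialName: partner-mtls  # must carry cacert, or use a partner-mtls-cacert Secret
            minProtocolVersion: TLSV1_2
            subjectAltNames:
              - partner-gateway.example.net  # assumed SAN in the partner's client certificate
            verifyCertificateSpki:
              - "REPLACE_WITH_BASE64_SHA256_OF_PARTNER_SPKI"  # placeholder, not a real hash
```

`credentialName` and the file-based `serverCertificate`/`privateKey`/`caCertificates` are mutually exclusive per the table above, so a server uses one style or the other. For the MUTUAL server the CA material is mandatory; with `credentialName` that means the `cacert` key in the same Secret or the `<secret>-cacert` companion. SPKI pinning on top of CA verification means a certificate issued by the same CA to a different party is still refused, which is the property wanted for a partner link.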
#### ProjectRoleBinding

ProjectRoleBinding defines the binding of a role to a service account in the namespace.

_Appears in:_
- NamespaceConfigSpec
- ProjectBootstrapSpec

| Field | Description | Default | Validation |
|---|---|---|---|
| `role` _string_ | Name of the role in the bootstrap config's `roles` map. | | |
| `serviceAccount` _string_ | Name of the service account to bind the role to. | | |