Packages CR (v1alpha1)
Packages
Field | Type | Description |
---|---|---|
spec | Spec |
Spec
Field | Type | Description |
---|---|---|
monitor | Monitor[] | Create Service or Pod Monitor configurations |
network | Network | Network configuration for the package |
sso | Sso[] | Create SSO client configurations |
Monitor
Field | Type | Description |
---|---|---|
authorization | Authorization | Authorization settings. |
description | string | A description of this monitor entry, this will become part of the ServiceMonitor name |
fallbackScrapeProtocol | string (enum):
| The protocol for Prometheus to use if a scrape returns a blank, unparsable, or otherwise invalid Content-Type |
kind | string (enum):
| The type of monitor to create; PodMonitor or ServiceMonitor. ServiceMonitor is the default. |
path | string | HTTP path from which to scrape for metrics, defaults to `/metrics` |
podSelector | Labels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace | |
portName | string | The port name for the serviceMonitor |
selector | Labels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace | |
targetPort | number | The service targetPort. This is required so the NetworkPolicy can be generated correctly. |
Authorization
Field | Type | Description |
---|---|---|
credentials | Credentials | Selects a key of a Secret in the namespace that contains the credentials for authentication. |
type | string | Defines the authentication type. The value is case-insensitive. "Basic" is not a supported value. Default: "Bearer" |
Credentials
Field | Type | Description |
---|---|---|
key | string | The key of the secret to select from. Must be a valid secret key. |
name | string | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
optional | boolean | Specify whether the Secret or its key must be defined |
Network
Field | Type | Description |
---|---|---|
allow | Allow[] | Allow specific traffic (namespace will have a default-deny policy) |
expose | Expose[] | Expose a service on an Istio Gateway |
Allow
Field | Type | Description |
---|---|---|
description | string | A description of the policy, this will become part of the policy name |
direction | string (enum):
| The direction of the traffic |
labels | The labels to apply to the policy | |
podLabels | Deprecated: use selector | |
port | number | The port to allow (protocol is always TCP) |
ports | number[] | A list of ports to allow (protocol is always TCP) |
remoteCidr | string | Custom generated policy CIDR |
remoteGenerated | string (enum):
| Custom generated remote selector for the policy |
remoteNamespace | string | The remote namespace to allow traffic to/from. Use * or empty string to allow all namespaces |
remotePodLabels | Deprecated: use remoteSelector | |
remoteSelector | The remote pod selector labels to allow traffic to/from | |
selector | Labels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace |
Expose
Field | Type | Description |
---|---|---|
advancedHTTP | AdvancedHTTP | Advanced HTTP settings for the route. |
description | string | A description of this expose entry, this will become part of the VirtualService name |
gateway | string (enum):
| The name of the gateway to expose the service on (default: tenant) |
host | string | The hostname to expose the service on |
match | Match[] | Match the incoming request based on custom rules. Not permitted when using the passthrough gateway. |
podLabels | Deprecated: use selector | |
port | number | The port number to expose |
selector | Labels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace | |
service | string | The name of the service to expose |
targetPort | number | The service targetPort. This defaults to port and is only required if the service port is different from the target port (so the NetworkPolicy can be generated correctly). |
AdvancedHTTP
Field | Type | Description |
---|---|---|
corsPolicy | CorsPolicy | Cross-Origin Resource Sharing policy (CORS). |
directResponse | DirectResponse | A HTTP rule can either return a direct_response, redirect or forward (default) traffic. |
headers | Headers | |
match | Match[] | Match the incoming request based on custom rules. Not permitted when using the passthrough gateway. |
redirect | Redirect | A HTTP rule can either return a direct_response, redirect or forward (default) traffic. |
retries | Retries | Retry policy for HTTP requests. |
rewrite | Rewrite | Rewrite HTTP URIs and Authority headers. |
timeout | string | Timeout for HTTP requests, default is disabled. |
weight | integer | Weight specifies the relative proportion of traffic to be forwarded to the destination. |
CorsPolicy
Field | Type | Description |
---|---|---|
allowCredentials | boolean | Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. |
allowHeaders | string[] | List of HTTP headers that can be used when requesting the resource. |
allowMethods | string[] | List of HTTP methods allowed to access the resource. |
allowOrigin | string[] | |
allowOrigins | AllowOrigins[] | String patterns that match allowed origins. |
exposeHeaders | string[] | A list of HTTP headers that the browsers are allowed to access. |
maxAge | string | Specifies how long the results of a preflight request can be cached. |
AllowOrigins
Field | Type | Description |
---|---|---|
exact | string | |
prefix | string | |
regex | string | RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). |
DirectResponse
Field | Type | Description |
---|---|---|
body | Body | Specifies the content of the response body. |
Body
Field | Type | Description |
---|---|---|
bytes | string | response body as base64 encoded bytes. |
string | string |
Request
Field | Type | Description |
---|---|---|
add | ||
remove | string[] | |
set |
Response
Field | Type | Description |
---|---|---|
add | ||
remove | string[] | |
set |
Match
Field | Type | Description |
---|---|---|
ignoreUriCase | boolean | Flag to specify whether the URI matching should be case-insensitive. |
method | Method | |
name | string | The name assigned to a match. |
queryParams | Query parameters for matching. | |
uri | Uri |
Method
Field | Type | Description |
---|---|---|
exact | string | |
prefix | string | |
regex | string | RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). |
Uri
Field | Type | Description |
---|---|---|
exact | string | |
prefix | string | |
regex | string | RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). |
Redirect
Field | Type | Description |
---|---|---|
authority | string | On a redirect, overwrite the Authority/Host portion of the URL with this value. |
derivePort | string (enum):
| On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT |
port | integer | On a redirect, overwrite the port portion of the URL with this value. |
redirectCode | integer | On a redirect, Specifies the HTTP status code to use in the redirect response. |
scheme | string | On a redirect, overwrite the scheme portion of the URL with this value. |
uri | string | On a redirect, overwrite the Path portion of the URL with this value. |
Retries
Field | Type | Description |
---|---|---|
attempts | integer | Number of retries to be allowed for a given request. |
perTryTimeout | string | Timeout per attempt for a given request, including the initial call and any retries. |
retryOn | string | Specifies the conditions under which retry takes place. |
retryRemoteLocalities | boolean | Flag to specify whether the retries should retry to other localities. |
Rewrite
Field | Type | Description |
---|---|---|
authority | string | rewrite the Authority/Host header with this value. |
uri | string | rewrite the path (or the prefix) portion of the URI with this value. |
uriRegexRewrite | UriRegexRewrite | rewrite the path portion of the URI with the specified regex. |
UriRegexRewrite
Field | Type | Description |
---|---|---|
match | string | RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). |
rewrite | string | The string that should replace into matching portions of original URI. |
Match
Field | Type | Description |
---|---|---|
ignoreUriCase | boolean | Flag to specify whether the URI matching should be case-insensitive. |
method | Method | |
name | string | The name assigned to a match. |
queryParams | Query parameters for matching. | |
uri | Uri |
Method
Field | Type | Description |
---|---|---|
exact | string | |
prefix | string | |
regex | string | RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). |
Uri
Field | Type | Description |
---|---|---|
exact | string | |
prefix | string | |
regex | string | RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). |
Sso
Field | Type | Description |
---|---|---|
alwaysDisplayInConsole | boolean | Always list this client in the Account UI, even if the user does not have an active session. |
attributes | Specifies attributes for the client. | |
clientAuthenticatorType | string (enum):
| The client authenticator type |
clientId | string | The client identifier registered with the identity provider. |
defaultClientScopes | string[] | Default client scopes |
description | string | A description for the client, can be a URL to an image to replace the login logo |
enableAuthserviceSelector | Labels to match pods to automatically protect with authservice. Leave empty to disable authservice protection | |
enabled | boolean | Whether the SSO client is enabled |
groups | Groups | The client SSO group type |
name | string | Specifies display name of the client |
protocol | string (enum):
| Specifies the protocol of the client, either 'openid-connect' or 'saml' |
protocolMappers | ProtocolMappers[] | Protocol Mappers to configure on the client |
publicClient | boolean | Defines whether the client requires a client secret for authentication |
redirectUris | string[] | Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'https://unicorns.uds.dev/*' |
rootUrl | string | Root URL appended to relative URLs |
secret | string | The client secret. Typically left blank and auto-generated. |
secretName | string | The name of the secret to store the client secret |
secretTemplate | A template for the generated secret | |
serviceAccountsEnabled | boolean | Enables the client credentials grant based authentication via OpenID Connect protocol. |
standardFlowEnabled | boolean | Enables the standard OpenID Connect redirect based authentication with authorization code. |
webOrigins | string[] | Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. To permit all origins, explicitly add '*'. |
Groups
Field | Type | Description |
---|---|---|
anyOf | string[] | List of groups allowed to access the client |
ProtocolMappers
Field | Type | Description |
---|---|---|
config | Configuration options for the mapper. | |
consentRequired | boolean | Whether user consent is required for this mapper |
name | string | Name of the mapper |
protocol | string (enum):
| Protocol of the mapper |
protocolMapper | string | Protocol Mapper type of the mapper |