Packages CR (v1alpha1)
Packages
Section titled “Packages”| Field | Type | Description |
|---|---|---|
| spec | Spec |
| Field | Type | Description |
|---|---|---|
| network | Network | Network configuration for the package |
| monitor | Monitor[] | Create Service or Pod Monitor configurations |
| sso | Sso[] | Create SSO client configurations |
| caBundle | CaBundle | CA bundle configuration for the package |
Network
Section titled “Network”| Field | Type | Description |
|---|---|---|
| expose | Expose[] | Expose a service on an Istio Gateway |
| allow | Allow[] | Allow specific traffic (namespace will have a default-deny policy) |
| serviceMesh | ServiceMesh | Service Mesh configuration for the package |
Expose
Section titled “Expose”| Field | Type | Description |
|---|---|---|
| description | string | A description of this expose entry, this will become part of the VirtualService name |
| host | string | The hostname to expose the service on |
| gateway | string | The name of the gateway to expose the service on (default: tenant) |
| domain | string | The domain to expose the service on, only valid for additional gateways (not tenant, admin, or passthrough) |
| service | string | The name of the service to expose |
| port | number | The port number to expose |
| selector | Selector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). | |
| targetPort | number | The service targetPort. This defaults to port and is only required if the service port is different from the target port (so the NetworkPolicy can be generated correctly). |
| advancedHTTP | AdvancedHTTP | Advanced HTTP settings for the route. |
| match | Match[] | Match the incoming request based on custom rules. Not permitted when using the passthrough gateway. |
| podLabels | Deprecated: use selector |
AdvancedHTTP
Section titled “AdvancedHTTP”| Field | Type | Description |
|---|---|---|
| corsPolicy | CorsPolicy | Cross-Origin Resource Sharing policy (CORS). |
| directResponse | DirectResponse | A HTTP rule can either return a direct_response, redirect or forward (default) traffic. |
| headers | Headers | |
| match | Match[] | Match the incoming request based on custom rules. Not permitted when using the passthrough gateway. |
| rewrite | Rewrite | Rewrite HTTP URIs and Authority headers. |
| redirect | Redirect | A HTTP rule can either return a direct_response, redirect or forward (default) traffic. |
| retries | Retries | Retry policy for HTTP requests. |
| weight | integer | Weight specifies the relative proportion of traffic to be forwarded to the destination. |
| timeout | string | Timeout for HTTP requests, default is disabled. |
CorsPolicy
Section titled “CorsPolicy”| Field | Type | Description |
|---|---|---|
| allowCredentials | boolean | Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. |
| allowHeaders | string[] | List of HTTP headers that can be used when requesting the resource. |
| allowMethods | string[] | List of HTTP methods allowed to access the resource. |
| allowOrigin | string[] | |
| allowOrigins | AllowOrigins[] | String patterns that match allowed origins. |
| exposeHeaders | string[] | A list of HTTP headers that the browsers are allowed to access. |
| maxAge | string | Specifies how long the results of a preflight request can be cached. |
AllowOrigins
Section titled “AllowOrigins”| Field | Type | Description |
|---|---|---|
| exact | string | |
| prefix | string | |
| regex | string | RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). |
DirectResponse
Section titled “DirectResponse”| Field | Type | Description |
|---|---|---|
| body | Body | Specifies the content of the response body. |
| Field | Type | Description |
|---|---|---|
| bytes | string | response body as base64 encoded bytes. |
| string | string |
Headers
Section titled “Headers”| Field | Type | Description |
|---|---|---|
| request | Request | |
| response | Response |
Request
Section titled “Request”| Field | Type | Description |
|---|---|---|
| add | ||
| remove | string[] | |
| set |
Response
Section titled “Response”| Field | Type | Description |
|---|---|---|
| add | ||
| remove | string[] | |
| set |
| Field | Type | Description |
|---|---|---|
| ignoreUriCase | boolean | Flag to specify whether the URI matching should be case-insensitive. |
| method | Method | |
| name | string | The name assigned to a match. |
| queryParams | Query parameters for matching. | |
| uri | Uri |
Method
Section titled “Method”| Field | Type | Description |
|---|---|---|
| exact | string | |
| prefix | string | |
| regex | string | RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). |
| Field | Type | Description |
|---|---|---|
| exact | string | |
| prefix | string | |
| regex | string | RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). |
Rewrite
Section titled “Rewrite”| Field | Type | Description |
|---|---|---|
| authority | string | rewrite the Authority/Host header with this value. |
| uri | string | rewrite the path (or the prefix) portion of the URI with this value. |
| uriRegexRewrite | UriRegexRewrite | rewrite the path portion of the URI with the specified regex. |
UriRegexRewrite
Section titled “UriRegexRewrite”| Field | Type | Description |
|---|---|---|
| match | string | RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). |
| rewrite | string | The string that should replace into matching portions of original URI. |
Redirect
Section titled “Redirect”| Field | Type | Description |
|---|---|---|
| authority | string | On a redirect, overwrite the Authority/Host portion of the URL with this value. |
| port | integer | On a redirect, overwrite the port portion of the URL with this value. |
| derivePort | string (enum):
| On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT |
| redirectCode | integer | On a redirect, Specifies the HTTP status code to use in the redirect response. |
| scheme | string | On a redirect, overwrite the scheme portion of the URL with this value. |
| uri | string | On a redirect, overwrite the Path portion of the URL with this value. |
Retries
Section titled “Retries”| Field | Type | Description |
|---|---|---|
| attempts | integer | Number of retries to be allowed for a given request. |
| perTryTimeout | string | Timeout per attempt for a given request, including the initial call and any retries. |
| retryOn | string | Specifies the conditions under which retry takes place. |
| retryRemoteLocalities | boolean | Flag to specify whether the retries should retry to other localities. |
| Field | Type | Description |
|---|---|---|
| ignoreUriCase | boolean | Flag to specify whether the URI matching should be case-insensitive. |
| method | Method | |
| name | string | The name assigned to a match. |
| queryParams | Query parameters for matching. | |
| uri | Uri |
Method
Section titled “Method”| Field | Type | Description |
|---|---|---|
| exact | string | |
| prefix | string | |
| regex | string | RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). |
| Field | Type | Description |
|---|---|---|
| exact | string | |
| prefix | string | |
| regex | string | RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). |
| Field | Type | Description |
|---|---|---|
| labels | The labels to apply to the policy | |
| description | string | A description of the policy, this will become part of the policy name |
| direction | string (enum):
| The direction of the traffic |
| selector | Labels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace | |
| remoteNamespace | string | The remote namespace to allow traffic to/from. Use * or empty string to allow all namespaces |
| remoteSelector | The remote pod selector labels to allow traffic to/from | |
| remoteGenerated | string (enum):
| Custom generated remote selector for the policy |
| remoteCidr | string | Custom generated policy CIDR |
| remoteHost | string | Remote host to allow traffic out to |
| remoteProtocol | string (enum):
| Protocol used for external connection |
| port | number | The port to allow (protocol is always TCP) |
| ports | number[] | A list of ports to allow (protocol is always TCP) |
| remoteServiceAccount | string | The remote service account to restrict incoming traffic from within the remote namespace. Only valid for Ingress rules. |
| serviceAccount | string | The service account to restrict outgoing traffic from within the package namespace. Only valid for Egress rules. |
| podLabels | Deprecated: use selector | |
| remotePodLabels | Deprecated: use remoteSelector |
ServiceMesh
Section titled “ServiceMesh”| Field | Type | Description |
|---|---|---|
| mode | string (enum):
| Set the service mesh mode for this package (namespace), defaults to ambient |
Monitor
Section titled “Monitor”| Field | Type | Description |
|---|---|---|
| description | string | A description of this monitor entry, this will become part of the ServiceMonitor name |
| portName | string | The port name for the serviceMonitor |
| targetPort | number | The service targetPort. This is required so the NetworkPolicy can be generated correctly. |
| selector | Selector for Services that expose metrics to scrape | |
| podSelector | Selector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified. | |
| path | string | HTTP path from which to scrape for metrics, defaults to `/metrics` |
| kind | string (enum):
| The type of monitor to create; PodMonitor or ServiceMonitor. ServiceMonitor is the default. |
| fallbackScrapeProtocol | string (enum):
| The protocol for Prometheus to use if a scrape returns a blank, unparsable, or otherwise invalid Content-Type |
| authorization | Authorization | Authorization settings. |
Authorization
Section titled “Authorization”| Field | Type | Description |
|---|---|---|
| credentials | Credentials | Selects a key of a Secret in the namespace that contains the credentials for authentication. |
| type | string | Defines the authentication type. The value is case-insensitive. "Basic" is not a supported value. Default: "Bearer" |
Credentials
Section titled “Credentials”| Field | Type | Description |
|---|---|---|
| key | string | The key of the secret to select from. Must be a valid secret key. |
| name | string | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| optional | boolean | Specify whether the Secret or its key must be defined |
| Field | Type | Description |
|---|---|---|
| enableAuthserviceSelector | Labels to match pods to automatically protect with authservice. Leave empty to disable authservice protection | |
| secretConfig | SecretConfig | Configuration for the generated Kubernetes Secret |
| clientId | string | The client identifier registered with the identity provider. |
| secret | string | The OAuth/OIDC client secret value sent to Keycloak. Typically left blank and auto-generated by Keycloak. Not to be confused with secretConfig, which configures the Kubernetes Secret resource. |
| secretName | string | Deprecated: use secretConfig.name |
| secretLabels | Deprecated: use secretConfig.labels | |
| secretAnnotations | Deprecated: use secretConfig.annotations | |
| secretTemplate | Deprecated: use secretConfig.template | |
| name | string | Specifies display name of the client |
| description | string | A description for the client, can be a URL to an image to replace the login logo |
| baseUrl | string | Default URL to use when the auth server needs to redirect or link back to the client. |
| adminUrl | string | This URL will be used for every binding to both the SP's Assertion Consumer and Single Logout Services. |
| protocol | string (enum):
| Specifies the protocol of the client, either 'openid-connect' or 'saml' |
| attributes | Specifies attributes for the client. | |
| protocolMappers | ProtocolMappers[] | Protocol Mappers to configure on the client |
| rootUrl | string | Root URL appended to relative URLs |
| redirectUris | string[] | Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'https://unicorns.uds.dev/*' |
| webOrigins | string[] | Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. To permit all origins, explicitly add '*'. |
| enabled | boolean | Whether the SSO client is enabled |
| alwaysDisplayInConsole | boolean | Always list this client in the Account UI, even if the user does not have an active session. |
| standardFlowEnabled | boolean | Enables the standard OpenID Connect redirect based authentication with authorization code. |
| serviceAccountsEnabled | boolean | Enables the client credentials grant based authentication via OpenID Connect protocol. |
| publicClient | boolean | Defines whether the client requires a client secret for authentication |
| clientAuthenticatorType | string (enum):
| The client authenticator type |
| defaultClientScopes | string[] | Default client scopes |
| groups | Groups | The client SSO group type |
SecretConfig
Section titled “SecretConfig”| Field | Type | Description |
|---|---|---|
| name | string | The name of the secret to store the client secret |
| labels | Additional labels to apply to the generated secret, can be used for pod reloading | |
| annotations | Additional annotations to apply to the generated secret, can be used for pod reloading with a selector | |
| template | A template for the generated secret |
ProtocolMappers
Section titled “ProtocolMappers”| Field | Type | Description |
|---|---|---|
| name | string | Name of the mapper |
| protocol | string (enum):
| Protocol of the mapper |
| protocolMapper | string | Protocol Mapper type of the mapper |
| consentRequired | boolean | Whether user consent is required for this mapper |
| config | Configuration options for the mapper. |
Groups
Section titled “Groups”| Field | Type | Description |
|---|---|---|
| anyOf | string[] | List of groups allowed to access the client |
CaBundle
Section titled “CaBundle”| Field | Type | Description |
|---|---|---|
| configMap | ConfigMap | ConfigMap configuration for CA bundle |
ConfigMap
Section titled “ConfigMap”| Field | Type | Description |
|---|---|---|
| name | string | The name of the ConfigMap to create (default: uds-trust-bundle) |
| key | string | The key name inside the ConfigMap (default: ca-bundle.pem) |
| labels | Additional labels to apply to the generated ConfigMap (default: {}) | |
| annotations | Additional annotations to apply to the generated ConfigMap (default: {}) |