{ "$schema": "http://json-schema.org/draft-06/schema#", "$ref": "#/definitions/Package", "definitions": { "Package": { "type": "object", "additionalProperties": {}, "properties": { "spec": { "$ref": "#/definitions/Spec" }, "status": { "$ref": "#/definitions/StatusObject" } }, "required": [], "title": "Package" }, "Spec": { "type": "object", "additionalProperties": false, "properties": { "caBundle": { "$ref": "#/definitions/CABundle", "description": "CA bundle configuration for the package" }, "monitor": { "type": "array", "items": { "$ref": "#/definitions/Monitor" }, "description": "Create Service or Pod Monitor configurations" }, "network": { "$ref": "#/definitions/Network", "description": "Network configuration for the package" }, "sso": { "type": "array", "items": { "$ref": "#/definitions/Sso" }, "description": "Create SSO client configurations" } }, "required": [], "title": "Spec" }, "CABundle": { "type": "object", "additionalProperties": false, "properties": { "configMap": { "$ref": "#/definitions/ConfigMap", "description": "ConfigMap configuration for CA bundle" } }, "required": [], "title": "CABundle", "description": "CA bundle configuration for the package" }, "ConfigMap": { "type": "object", "additionalProperties": false, "properties": { "annotations": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "key": { "type": "string", "description": "The key name inside the ConfigMap (default: ca-bundle.pem)" }, "labels": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "name": { "type": "string", "description": "The name of the ConfigMap to create (default: uds-trust-bundle)" } }, "required": [], "title": "ConfigMap", "description": "ConfigMap configuration for CA bundle" }, "Monitor": { "type": "object", "additionalProperties": false, "properties": { "authorization": { "$ref": "#/definitions/Authorization", "description": "Authorization settings." }, "description": { "type": "string", "description": "A description of this monitor entry, this will become part of the ServiceMonitor name" }, "fallbackScrapeProtocol": { "$ref": "#/definitions/FallbackScrapeProtocol", "description": "The protocol for Prometheus to use if a scrape returns a blank, unparsable, or otherwise\ninvalid Content-Type" }, "kind": { "$ref": "#/definitions/Kind", "description": "The type of monitor to create; PodMonitor or ServiceMonitor. ServiceMonitor is the\ndefault." }, "path": { "type": "string", "description": "HTTP path from which to scrape for metrics, defaults to `/metrics`" }, "podSelector": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "portName": { "type": "string", "description": "The port name for the serviceMonitor" }, "selector": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "targetPort": { "type": "number", "description": "The service targetPort. This is required so the NetworkPolicy can be generated correctly." } }, "required": [ "portName", "selector", "targetPort" ], "title": "Monitor" }, "Authorization": { "type": "object", "additionalProperties": false, "properties": { "credentials": { "$ref": "#/definitions/Credentials", "description": "Selects a key of a Secret in the namespace that contains the credentials for\nauthentication." }, "type": { "type": "string", "description": "Defines the authentication type. The value is case-insensitive. \"Basic\" is not a\nsupported value. Default: \"Bearer\"" } }, "required": [ "credentials" ], "title": "Authorization", "description": "Authorization settings." }, "Credentials": { "type": "object", "additionalProperties": false, "properties": { "key": { "type": "string", "description": "The key of the secret to select from. Must be a valid secret key." }, "name": { "type": "string", "description": "Name of the referent. More info:\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names" }, "optional": { "type": "boolean", "description": "Specify whether the Secret or its key must be defined" } }, "required": [ "key" ], "title": "Credentials", "description": "Selects a key of a Secret in the namespace that contains the credentials for authentication." }, "Network": { "type": "object", "additionalProperties": false, "properties": { "allow": { "type": "array", "items": { "$ref": "#/definitions/Allow" }, "description": "Allow specific traffic (namespace will have a default-deny policy)" }, "expose": { "type": "array", "items": { "$ref": "#/definitions/Expose" }, "description": "Expose a service on an Istio Gateway" }, "serviceMesh": { "$ref": "#/definitions/ServiceMesh", "description": "Service Mesh configuration for the package" } }, "required": [], "title": "Network", "description": "Network configuration for the package" }, "Allow": { "type": "object", "additionalProperties": false, "properties": { "description": { "type": "string", "description": "A description of the policy, this will become part of the policy name" }, "direction": { "$ref": "#/definitions/Direction", "description": "The direction of the traffic" }, "labels": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "podLabels": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "port": { "type": "number", "description": "The port to allow (protocol is always TCP)" }, "ports": { "type": "array", "items": { "type": "number" }, "description": "A list of ports to allow (protocol is always TCP)" }, "remoteCidr": { "type": "string", "description": "Custom generated policy CIDR" }, "remoteGenerated": { "$ref": "#/definitions/RemoteGenerated", "description": "Custom generated remote selector for the policy" }, "remoteHost": { "type": "string", "description": "Remote host to allow traffic out to" }, "remoteNamespace": { "type": "string", "description": "The remote namespace to allow traffic to/from. Use * or empty string to allow all\nnamespaces" }, "remotePodLabels": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "remoteProtocol": { "$ref": "#/definitions/RemoteProtocol", "description": "Protocol used for external connection" }, "remoteSelector": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "remoteServiceAccount": { "type": "string", "description": "The remote service account to restrict incoming traffic from within the remote\nnamespace. Only valid for Ingress rules." }, "selector": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "serviceAccount": { "type": "string", "description": "The service account to restrict outgoing traffic from within the package\nnamespace. Only valid for Egress rules." } }, "required": [ "direction" ], "title": "Allow" }, "Expose": { "type": "object", "additionalProperties": false, "properties": { "advancedHTTP": { "$ref": "#/definitions/AdvancedHTTP", "description": "Advanced HTTP settings for the route." }, "description": { "type": "string", "description": "A description of this expose entry, this will become part of the VirtualService name" }, "domain": { "type": "string", "description": "The domain to expose the service on, only valid for additional gateways (not tenant,\nadmin, or passthrough)" }, "gateway": { "type": "string", "description": "The name of the gateway to expose the service on (default: tenant)" }, "host": { "type": "string", "description": "The hostname to expose the service on" }, "match": { "type": "array", "items": { "$ref": "#/definitions/ExposeMatch" }, "description": "Match conditions to be satisfied for the rule to be activated. Not permitted when using\nthe passthrough gateway." }, "podLabels": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "port": { "type": "number", "description": "The port number to expose" }, "selector": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "service": { "type": "string", "description": "The name of the service to expose" }, "targetPort": { "type": "number", "description": "The service targetPort. This defaults to port and is only required if the service port is\ndifferent from the target port (so the NetworkPolicy can be generated correctly)." }, "uptime": { "$ref": "#/definitions/Uptime", "description": "Uptime monitoring configuration for this exposed service. Presence of checks.paths\nenables monitoring." } }, "required": [ "host" ], "title": "Expose" }, "AdvancedHTTP": { "type": "object", "additionalProperties": false, "properties": { "corsPolicy": { "$ref": "#/definitions/CorsPolicy", "description": "Cross-Origin Resource Sharing policy (CORS)." }, "directResponse": { "$ref": "#/definitions/DirectResponse", "description": "A HTTP rule can either return a direct_response, redirect or forward (default) traffic." }, "headers": { "$ref": "#/definitions/Headers" }, "match": { "type": "array", "items": { "$ref": "#/definitions/AdvancedHTTPMatch" }, "description": "Match conditions to be satisfied for the rule to be activated. Not permitted when using\nthe passthrough gateway." }, "redirect": { "$ref": "#/definitions/Redirect", "description": "A HTTP rule can either return a direct_response, redirect or forward (default) traffic." }, "retries": { "$ref": "#/definitions/Retries", "description": "Retry policy for HTTP requests." }, "rewrite": { "$ref": "#/definitions/Rewrite", "description": "Rewrite HTTP URIs and Authority headers." }, "timeout": { "type": "string", "description": "Timeout for HTTP requests, default is disabled." } }, "required": [], "title": "AdvancedHTTP", "description": "Advanced HTTP settings for the route." }, "CorsPolicy": { "type": "object", "additionalProperties": false, "properties": { "allowCredentials": { "type": "boolean", "description": "Indicates whether the caller is allowed to send the actual request (not the preflight)\nusing credentials." }, "allowHeaders": { "type": "array", "items": { "type": "string" }, "description": "List of HTTP headers that can be used when requesting the resource." }, "allowMethods": { "type": "array", "items": { "type": "string" }, "description": "List of HTTP methods allowed to access the resource." }, "allowOrigin": { "type": "array", "items": { "type": "string" } }, "allowOrigins": { "type": "array", "items": { "$ref": "#/definitions/AllowOrigin" }, "description": "String patterns that match allowed origins." }, "exposeHeaders": { "type": "array", "items": { "type": "string" }, "description": "A list of HTTP headers that the browsers are allowed to access." }, "maxAge": { "type": "string", "description": "Specifies how long the results of a preflight request can be cached." }, "unmatchedPreflights": { "$ref": "#/definitions/UnmatchedPreflights", "description": "Indicates whether preflight requests not matching the configured allowed origin shouldn't\nbe forwarded to the upstream.\n\nValid Options: FORWARD, IGNORE" } }, "required": [], "title": "CorsPolicy", "description": "Cross-Origin Resource Sharing policy (CORS)." }, "AllowOrigin": { "type": "object", "additionalProperties": false, "properties": { "exact": { "type": "string" }, "prefix": { "type": "string" }, "regex": { "type": "string", "description": "[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax)." } }, "required": [], "title": "AllowOrigin" }, "DirectResponse": { "type": "object", "additionalProperties": false, "properties": { "body": { "$ref": "#/definitions/Body", "description": "Specifies the content of the response body." }, "status": { "type": "integer", "description": "Specifies the HTTP response status to be returned." } }, "required": [ "status" ], "title": "DirectResponse", "description": "A HTTP rule can either return a direct_response, redirect or forward (default) traffic." }, "Body": { "type": "object", "additionalProperties": false, "properties": { "bytes": { "type": "string", "description": "response body as base64 encoded bytes." }, "string": { "type": "string" } }, "required": [], "title": "Body", "description": "Specifies the content of the response body." }, "Headers": { "type": "object", "additionalProperties": false, "properties": { "request": { "$ref": "#/definitions/Request" }, "response": { "$ref": "#/definitions/Response" } }, "required": [], "title": "Headers" }, "Request": { "type": "object", "additionalProperties": false, "properties": { "add": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "remove": { "type": "array", "items": { "type": "string" } }, "set": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" } }, "required": [], "title": "Request" }, "Response": { "type": "object", "additionalProperties": false, "properties": { "add": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "remove": { "type": "array", "items": { "type": "string" } }, "set": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" } }, "required": [], "title": "Response" }, "AdvancedHTTPMatch": { "type": "object", "additionalProperties": false, "properties": { "ignoreUriCase": { "type": "boolean", "description": "Flag to specify whether the URI matching should be case-insensitive." }, "method": { "$ref": "#/definitions/PurpleMethod", "description": "HTTP Method values are case-sensitive and formatted as follows: - `exact: \"value\"` for\nexact string match - `prefix: \"value\"` for prefix-based match - `regex: \"value\"` for [RE2\nstyle regex-based match](https://github.com/google/re2/wiki/Syntax)." }, "name": { "type": "string", "description": "The name assigned to a match." }, "queryParams": { "type": "object", "additionalProperties": { "$ref": "#/definitions/PurpleQueryParam" }, "description": "Query parameters for matching." }, "uri": { "$ref": "#/definitions/PurpleURI", "description": "URI to match values are case-sensitive and formatted as follows: - `exact: \"value\"` for\nexact string match - `prefix: \"value\"` for prefix-based match - `regex: \"value\"` for [RE2\nstyle regex-based match](https://github.com/google/re2/wiki/Syntax)." } }, "required": [], "title": "AdvancedHTTPMatch" }, "PurpleMethod": { "type": "object", "additionalProperties": false, "properties": { "exact": { "type": "string" }, "prefix": { "type": "string" }, "regex": { "type": "string", "description": "[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax)." } }, "required": [], "title": "PurpleMethod", "description": "HTTP Method values are case-sensitive and formatted as follows: - `exact: \"value\"` for exact string match - `prefix: \"value\"` for prefix-based match - `regex: \"value\"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax)." }, "PurpleQueryParam": { "type": "object", "additionalProperties": false, "properties": { "exact": { "type": "string" }, "prefix": { "type": "string" }, "regex": { "type": "string", "description": "[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax)." } }, "required": [], "title": "PurpleQueryParam" }, "PurpleURI": { "type": "object", "additionalProperties": false, "properties": { "exact": { "type": "string" }, "prefix": { "type": "string" }, "regex": { "type": "string", "description": "[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax)." } }, "required": [], "title": "PurpleURI", "description": "URI to match values are case-sensitive and formatted as follows: - `exact: \"value\"` for exact string match - `prefix: \"value\"` for prefix-based match - `regex: \"value\"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax)." }, "Redirect": { "type": "object", "additionalProperties": false, "properties": { "authority": { "type": "string", "description": "On a redirect, overwrite the Authority/Host portion of the URL with this value." }, "derivePort": { "$ref": "#/definitions/DerivePort", "description": "On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80\nfor HTTP and 443 for HTTPS.\n\nValid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT" }, "port": { "type": "integer", "description": "On a redirect, overwrite the port portion of the URL with this value." }, "redirectCode": { "type": "integer", "description": "On a redirect, Specifies the HTTP status code to use in the redirect response." }, "scheme": { "type": "string", "description": "On a redirect, overwrite the scheme portion of the URL with this value." }, "uri": { "type": "string", "description": "On a redirect, overwrite the Path portion of the URL with this value." } }, "required": [], "title": "Redirect", "description": "A HTTP rule can either return a direct_response, redirect or forward (default) traffic." }, "Retries": { "type": "object", "additionalProperties": false, "properties": { "attempts": { "type": "integer", "description": "Number of retries to be allowed for a given request." }, "backoff": { "type": "string", "description": "Specifies the minimum duration between retry attempts." }, "perTryTimeout": { "type": "string", "description": "Timeout per attempt for a given request, including the initial call and any retries." }, "retryIgnorePreviousHosts": { "type": "boolean", "description": "Flag to specify whether the retries should ignore previously tried hosts during retry." }, "retryOn": { "type": "string", "description": "Specifies the conditions under which retry takes place." }, "retryRemoteLocalities": { "type": "boolean", "description": "Flag to specify whether the retries should retry to other localities." } }, "required": [], "title": "Retries", "description": "Retry policy for HTTP requests." }, "Rewrite": { "type": "object", "additionalProperties": false, "properties": { "authority": { "type": "string", "description": "rewrite the Authority/Host header with this value." }, "uri": { "type": "string", "description": "rewrite the path (or the prefix) portion of the URI with this value." }, "uriRegexRewrite": { "$ref": "#/definitions/URIRegexRewrite", "description": "rewrite the path portion of the URI with the specified regex." } }, "required": [], "title": "Rewrite", "description": "Rewrite HTTP URIs and Authority headers." }, "URIRegexRewrite": { "type": "object", "additionalProperties": false, "properties": { "match": { "type": "string", "description": "[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax)." }, "rewrite": { "type": "string", "description": "The string that should replace into matching portions of original URI." } }, "required": [], "title": "URIRegexRewrite", "description": "rewrite the path portion of the URI with the specified regex." }, "ExposeMatch": { "type": "object", "additionalProperties": false, "properties": { "ignoreUriCase": { "type": "boolean", "description": "Flag to specify whether the URI matching should be case-insensitive." }, "method": { "$ref": "#/definitions/FluffyMethod", "description": "HTTP Method values are case-sensitive and formatted as follows: - `exact: \"value\"` for\nexact string match - `prefix: \"value\"` for prefix-based match - `regex: \"value\"` for [RE2\nstyle regex-based match](https://github.com/google/re2/wiki/Syntax)." }, "name": { "type": "string", "description": "The name assigned to a match." }, "queryParams": { "type": "object", "additionalProperties": { "$ref": "#/definitions/FluffyQueryParam" }, "description": "Query parameters for matching." }, "uri": { "$ref": "#/definitions/FluffyURI", "description": "URI to match values are case-sensitive and formatted as follows: - `exact: \"value\"` for\nexact string match - `prefix: \"value\"` for prefix-based match - `regex: \"value\"` for [RE2\nstyle regex-based match](https://github.com/google/re2/wiki/Syntax)." } }, "required": [], "title": "ExposeMatch" }, "FluffyMethod": { "type": "object", "additionalProperties": false, "properties": { "exact": { "type": "string" }, "prefix": { "type": "string" }, "regex": { "type": "string", "description": "[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax)." } }, "required": [], "title": "FluffyMethod", "description": "HTTP Method values are case-sensitive and formatted as follows: - `exact: \"value\"` for exact string match - `prefix: \"value\"` for prefix-based match - `regex: \"value\"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax)." }, "FluffyQueryParam": { "type": "object", "additionalProperties": false, "properties": { "exact": { "type": "string" }, "prefix": { "type": "string" }, "regex": { "type": "string", "description": "[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax)." } }, "required": [], "title": "FluffyQueryParam" }, "FluffyURI": { "type": "object", "additionalProperties": false, "properties": { "exact": { "type": "string" }, "prefix": { "type": "string" }, "regex": { "type": "string", "description": "[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax)." } }, "required": [], "title": "FluffyURI", "description": "URI to match values are case-sensitive and formatted as follows: - `exact: \"value\"` for exact string match - `prefix: \"value\"` for prefix-based match - `regex: \"value\"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax)." }, "Uptime": { "type": "object", "additionalProperties": false, "properties": { "checks": { "$ref": "#/definitions/Checks", "description": "HTTP probe checks configuration for blackbox-exporter. Defining paths enables uptime\nmonitoring." } }, "required": [], "title": "Uptime", "description": "Uptime monitoring configuration for this exposed service. Presence of checks.paths enables monitoring." }, "Checks": { "type": "object", "additionalProperties": false, "properties": { "paths": { "type": "array", "items": { "type": "string" }, "description": "List of paths to check for uptime monitoring, appended to the host." } }, "required": [ "paths" ], "title": "Checks", "description": "HTTP probe checks configuration for blackbox-exporter. Defining paths enables uptime monitoring." }, "ServiceMesh": { "type": "object", "additionalProperties": false, "properties": { "mode": { "$ref": "#/definitions/Mode", "description": "Set the service mesh mode for this package (namespace), defaults to ambient" } }, "required": [], "title": "ServiceMesh", "description": "Service Mesh configuration for the package" }, "Sso": { "type": "object", "additionalProperties": false, "properties": { "adminUrl": { "type": "string", "description": "This URL will be used for every binding to both the SP's Assertion Consumer and Single\nLogout Services." }, "alwaysDisplayInConsole": { "type": "boolean", "description": "Always list this client in the Account UI, even if the user does not have an active\nsession." }, "attributes": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "baseUrl": { "type": "string", "description": "Default URL to use when the auth server needs to redirect or link back to the client." }, "clientAuthenticatorType": { "$ref": "#/definitions/ClientAuthenticatorType", "description": "The client authenticator type" }, "clientId": { "type": "string", "description": "The client identifier registered with the identity provider." }, "defaultClientScopes": { "type": "array", "items": { "type": "string" }, "description": "Default client scopes" }, "description": { "type": "string", "description": "A description for the client, can be a URL to an image to replace the login logo" }, "enableAuthserviceSelector": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "enabled": { "type": "boolean", "description": "Whether the SSO client is enabled" }, "groups": { "$ref": "#/definitions/Groups", "description": "The client SSO group type" }, "name": { "type": "string", "description": "Specifies display name of the client" }, "protocol": { "$ref": "#/definitions/Protocol", "description": "Specifies the protocol of the client, either 'openid-connect' or 'saml'" }, "protocolMappers": { "type": "array", "items": { "$ref": "#/definitions/ProtocolMapper" }, "description": "Protocol Mappers to configure on the client" }, "publicClient": { "type": "boolean", "description": "Defines whether the client requires a client secret for authentication" }, "redirectUris": { "type": "array", "items": { "type": "string" }, "description": "Valid URI pattern a browser can redirect to after a successful login. Simple wildcards\nare allowed such as 'https://unicorns.uds.dev/*'" }, "rootUrl": { "type": "string", "description": "Root URL appended to relative URLs" }, "secret": { "type": "string", "description": "The OAuth/OIDC client secret value sent to Keycloak. Typically left blank and\nauto-generated by Keycloak. Not to be confused with secretConfig, which configures the\nKubernetes Secret resource." }, "secretAnnotations": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "secretConfig": { "$ref": "#/definitions/SecretConfig", "description": "Configuration for the generated Kubernetes Secret" }, "secretLabels": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "secretName": { "type": "string", "description": "Deprecated: use secretConfig.name" }, "secretTemplate": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "serviceAccountsEnabled": { "type": "boolean", "description": "Enables the client credentials grant based authentication via OpenID Connect protocol." }, "standardFlowEnabled": { "type": "boolean", "description": "Enables the standard OpenID Connect redirect based authentication with authorization code." }, "webOrigins": { "type": "array", "items": { "type": "string" }, "description": "Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does\nnot include the '*' wildcard though. To permit all origins, explicitly add '*'." } }, "required": [ "clientId", "name" ], "title": "Sso" }, "Groups": { "type": "object", "additionalProperties": false, "properties": { "anyOf": { "type": "array", "items": { "type": "string" }, "description": "List of groups allowed to access the client" } }, "required": [], "title": "Groups", "description": "The client SSO group type" }, "ProtocolMapper": { "type": "object", "additionalProperties": false, "properties": { "config": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "consentRequired": { "type": "boolean", "description": "Whether user consent is required for this mapper" }, "name": { "type": "string", "description": "Name of the mapper" }, "protocol": { "$ref": "#/definitions/Protocol", "description": "Protocol of the mapper" }, "protocolMapper": { "type": "string", "description": "Protocol Mapper type of the mapper" } }, "required": [ "name", "protocol", "protocolMapper" ], "title": "ProtocolMapper" }, "SecretConfig": { "type": "object", "additionalProperties": false, "properties": { "annotations": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "labels": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" }, "name": { "type": "string", "description": "The name of the secret to store the client secret" }, "template": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" } }, "required": [], "title": "SecretConfig", "description": "Configuration for the generated Kubernetes Secret" }, "StatusObject": { "type": "object", "additionalProperties": false, "properties": { "authorizationPolicyCount": { "type": "integer" }, "authserviceClients": { "type": "array", "items": { "$ref": "#/definitions/AuthserviceClient" } }, "conditions": { "type": "array", "items": { "$ref": "#/definitions/Condition" }, "description": "Status conditions following Kubernetes-style conventions" }, "endpoints": { "type": "array", "items": { "type": "string" } }, "meshMode": { "$ref": "#/definitions/Mode", "description": "The current service mesh mode for this package" }, "monitors": { "type": "array", "items": { "type": "string" } }, "networkPolicyCount": { "type": "integer" }, "observedGeneration": { "type": "integer" }, "phase": { "$ref": "#/definitions/Phase" }, "probes": { "type": "array", "items": { "type": "string" } }, "retryAttempt": { "type": "integer" }, "ssoClients": { "type": "array", "items": { "type": "string" } } }, "required": [], "title": "StatusObject" }, "AuthserviceClient": { "type": "object", "additionalProperties": false, "properties": { "clientId": { "type": "string" }, "selector": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Additional annotations to apply to the generated ConfigMap (default: {})\nAdditional labels to apply to the generated ConfigMap (default: {})\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly). Defaults to `selector` when not specified.\nSelector for Services that expose metrics to scrape\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nSelector for Pods targeted by the selected Services (so the NetworkPolicy can be generated correctly).\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nDeprecated: use secretConfig.annotations\nAdditional annotations to apply to the generated secret, can be used for pod reloading with a selector\nAdditional labels to apply to the generated secret, can be used for pod reloading\nA template for the generated secret\nDeprecated: use secretConfig.labels\nDeprecated: use secretConfig.template" } }, "required": [ "clientId" ], "title": "AuthserviceClient" }, "Condition": { "type": "object", "additionalProperties": false, "properties": { "lastTransitionTime": { "type": "string", "format": "date-time", "description": "The last time the condition transitioned from one status to another" }, "message": { "type": "string", "description": "A human-readable message indicating details about the transition" }, "observedGeneration": { "type": "integer", "description": "Represents the .metadata.generation that the condition was set based upon" }, "reason": { "type": "string", "description": "A programmatic identifier indicating the reason for the condition's last transition" }, "status": { "$ref": "#/definitions/StatusEnum", "description": "Status of the condition, one of True, False, Unknown" }, "type": { "type": "string", "description": "Type of condition in CamelCase or in foo.example.com/CamelCase format" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "title": "Condition" }, "FallbackScrapeProtocol": { "type": "string", "enum": [ "OpenMetricsText0.0.1", "OpenMetricsText1.0.0", "PrometheusProto", "PrometheusText0.0.4", "PrometheusText1.0.0" ], "title": "FallbackScrapeProtocol", "description": "The protocol for Prometheus to use if a scrape returns a blank, unparsable, or otherwise invalid Content-Type" }, "Kind": { "type": "string", "enum": [ "PodMonitor", "ServiceMonitor" ], "title": "Kind", "description": "The type of monitor to create; PodMonitor or ServiceMonitor. ServiceMonitor is the default." }, "Direction": { "type": "string", "enum": [ "Ingress", "Egress" ], "title": "Direction", "description": "The direction of the traffic" }, "RemoteGenerated": { "type": "string", "enum": [ "KubeAPI", "KubeNodes", "IntraNamespace", "CloudMetadata", "Anywhere" ], "title": "RemoteGenerated", "description": "Custom generated remote selector for the policy" }, "RemoteProtocol": { "type": "string", "enum": [ "TLS", "HTTP" ], "title": "RemoteProtocol", "description": "Protocol used for external connection" }, "UnmatchedPreflights": { "type": "string", "enum": [ "UNSPECIFIED", "FORWARD", "IGNORE" ], "title": "UnmatchedPreflights", "description": "Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream.\n\nValid Options: FORWARD, IGNORE" }, "DerivePort": { "type": "string", "enum": [ "FROM_PROTOCOL_DEFAULT", "FROM_REQUEST_PORT" ], "title": "DerivePort", "description": "On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.\n\nValid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT" }, "Mode": { "type": "string", "enum": [ "sidecar", "ambient" ], "title": "Mode", "description": "Set the service mesh mode for this package (namespace), defaults to ambient\nThe current service mesh mode for this package" }, "ClientAuthenticatorType": { "type": "string", "enum": [ "client-secret", "client-jwt" ], "title": "ClientAuthenticatorType", "description": "The client authenticator type" }, "Protocol": { "type": "string", "enum": [ "openid-connect", "saml" ], "title": "Protocol", "description": "Specifies the protocol of the client, either 'openid-connect' or 'saml'\nProtocol of the mapper" }, "StatusEnum": { "type": "string", "enum": [ "True", "False", "Unknown" ], "title": "StatusEnum", "description": "Status of the condition, one of True, False, Unknown" }, "Phase": { "type": "string", "enum": [ "Pending", "Ready", "Failed", "Retrying", "Removing", "RemovalFailed" ], "title": "Phase" } } }