{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "additionalProperties": false,
  "properties": {
    "global": {},
    "instance": {
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "Create a PocketIDInstance custom resource",
          "default": true
        },
        "name": {
          "type": "string",
          "description": "Name of the PocketIDInstance resource",
          "default": "pocket-id"
        },
        "labels": {
          "type": "object",
          "description": "Additional labels for the PocketIDInstance resource",
          "additionalProperties": {
            "type": "string"
          },
          "default": {}
        },
        "annotations": {
          "type": "object",
          "description": "Additional annotations for the PocketIDInstance resource",
          "additionalProperties": {
            "type": "string"
          },
          "default": {}
        },
        "spec": {},
        "serviceMonitor": {
          "type": "object",
          "additionalProperties": false,
          "description": "ServiceMonitor for the PocketIDInstance (requires spec.metrics.enabled)",
          "properties": {
            "enabled": {
              "type": "boolean",
              "description": "Create a ServiceMonitor for the PocketIDInstance",
              "default": false
            },
            "interval": {
              "type": "string",
              "description": "Scrape interval (e.g. 30s, 1m)"
            },
            "labels": {
              "type": "object",
              "description": "Additional labels for the ServiceMonitor",
              "additionalProperties": {
                "type": "string"
              }
            }
          }
        }
      },
      "if": {
        "not": {
          "properties": {
            "enabled": {
              "const": false
            }
          },
          "required": [
            "enabled"
          ]
        }
      },
      "then": {
        "properties": {
          "spec": {
            "description": "spec defines the desired state of PocketIDInstance",
            "properties": {
              "analyticsDisabled": {
                "default": false,
                "description": "Disable anonymous 24-hour usage analytics heartbeat",
                "type": "boolean"
              },
              "annotations": {
                "additionalProperties": {
                  "type": "string"
                },
                "description": "Additional annotations to add to the workload and pod",
                "type": "object"
              },
              "appUrl": {
                "description": "External URL Pocket-id can be reached at\nSee the official documentation for APP_URL",
                "type": "string"
              },
              "auditLogRetentionDays": {
                "description": "Audit log retention in days",
                "format": "int32",
                "type": "integer"
              },
              "containerSecurityContext": {
                "description": "Container security context",
                "properties": {
                  "allowPrivilegeEscalation": {
                    "description": "AllowPrivilegeEscalation controls whether a process can gain more\nprivileges than its parent process. This bool directly controls if\nthe no_new_privs flag will be set on the container process.\nAllowPrivilegeEscalation is true always when the container is:\n1) run as Privileged\n2) has CAP_SYS_ADMIN\nNote that this field cannot be set when spec.os.name is windows.",
                    "type": "boolean"
                  },
                  "appArmorProfile": {
                    "description": "appArmorProfile is the AppArmor options to use by this container. If set, this profile\noverrides the pod's appArmorProfile.\nNote that this field cannot be set when spec.os.name is windows.",
                    "properties": {
                      "localhostProfile": {
                        "description": "localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".",
                        "type": "string"
                      },
                      "type": {
                        "description": "type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "type"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "capabilities": {
                    "description": "The capabilities to add/drop when running containers.\nDefaults to the default set of capabilities granted by the container runtime.\nNote that this field cannot be set when spec.os.name is windows.",
                    "properties": {
                      "add": {
                        "description": "Added capabilities",
                        "items": {
                          "description": "Capability represent POSIX capabilities type",
                          "type": "string"
                        },
                        "type": "array",
                        "x-kubernetes-list-type": "atomic"
                      },
                      "drop": {
                        "description": "Removed capabilities",
                        "items": {
                          "description": "Capability represent POSIX capabilities type",
                          "type": "string"
                        },
                        "type": "array",
                        "x-kubernetes-list-type": "atomic"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "privileged": {
                    "description": "Run container in privileged mode.\nProcesses in privileged containers are essentially equivalent to root on the host.\nDefaults to false.\nNote that this field cannot be set when spec.os.name is windows.",
                    "type": "boolean"
                  },
                  "procMount": {
                    "description": "procMount denotes the type of proc mount to use for the containers.\nThe default value is Default which uses the container runtime defaults for\nreadonly paths and masked paths.\nThis requires the ProcMountType feature flag to be enabled.\nNote that this field cannot be set when spec.os.name is windows.",
                    "type": "string"
                  },
                  "readOnlyRootFilesystem": {
                    "description": "Whether this container has a read-only root filesystem.\nDefault is false.\nNote that this field cannot be set when spec.os.name is windows.",
                    "type": "boolean"
                  },
                  "runAsGroup": {
                    "description": "The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.",
                    "format": "int64",
                    "type": "integer"
                  },
                  "runAsNonRoot": {
                    "description": "Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.",
                    "type": "boolean"
                  },
                  "runAsUser": {
                    "description": "The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.",
                    "format": "int64",
                    "type": "integer"
                  },
                  "seLinuxOptions": {
                    "description": "The SELinux context to be applied to the container.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in PodSecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is windows.",
                    "properties": {
                      "level": {
                        "description": "Level is SELinux level label that applies to the container.",
                        "type": "string"
                      },
                      "role": {
                        "description": "Role is a SELinux role label that applies to the container.",
                        "type": "string"
                      },
                      "type": {
                        "description": "Type is a SELinux type label that applies to the container.",
                        "type": "string"
                      },
                      "user": {
                        "description": "User is a SELinux user label that applies to the container.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "seccompProfile": {
                    "description": "The seccomp options to use by this container. If seccomp options are\nprovided at both the pod & container level, the container options\noverride the pod options.\nNote that this field cannot be set when spec.os.name is windows.",
                    "properties": {
                      "localhostProfile": {
                        "description": "localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.",
                        "type": "string"
                      },
                      "type": {
                        "description": "type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "type"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "windowsOptions": {
                    "description": "The Windows specific settings applied to all containers.\nIf unspecified, the options from the PodSecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.",
                    "properties": {
                      "gmsaCredentialSpec": {
                        "description": "GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.",
                        "type": "string"
                      },
                      "gmsaCredentialSpecName": {
                        "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.",
                        "type": "string"
                      },
                      "hostProcess": {
                        "description": "HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.",
                        "type": "boolean"
                      },
                      "runAsUserName": {
                        "description": "The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "databaseUrl": {
                "description": "URL to access database at\nSee the official documentation for DB_CONNECTION_STRING\nFor sqlite only add the filepath e.g. \"/app/data/pocket-id.db\"\nUses application default (/app/data/pocket-id.db) if empty",
                "properties": {
                  "value": {
                    "description": "Plain text value",
                    "type": "string"
                  },
                  "valueFrom": {
                    "description": "Source for the value (e.g. secretKeyRef, configMapKeyRef)",
                    "properties": {
                      "configMapKeyRef": {
                        "description": "Selects a key of a ConfigMap.",
                        "properties": {
                          "key": {
                            "description": "The key to select.",
                            "type": "string"
                          },
                          "name": {
                            "default": "",
                            "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                            "type": "string"
                          },
                          "optional": {
                            "description": "Specify whether the ConfigMap or its key must be defined",
                            "type": "boolean"
                          }
                        },
                        "required": [
                          "key"
                        ],
                        "type": "object",
                        "x-kubernetes-map-type": "atomic",
                        "additionalProperties": false
                      },
                      "fieldRef": {
                        "description": "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.",
                        "properties": {
                          "apiVersion": {
                            "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".",
                            "type": "string"
                          },
                          "fieldPath": {
                            "description": "Path of the field to select in the specified API version.",
                            "type": "string"
                          }
                        },
                        "required": [
                          "fieldPath"
                        ],
                        "type": "object",
                        "x-kubernetes-map-type": "atomic",
                        "additionalProperties": false
                      },
                      "fileKeyRef": {
                        "description": "FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.",
                        "properties": {
                          "key": {
                            "description": "The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.",
                            "type": "string"
                          },
                          "optional": {
                            "default": false,
                            "description": "Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.",
                            "type": "boolean"
                          },
                          "path": {
                            "description": "The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.",
                            "type": "string"
                          },
                          "volumeName": {
                            "description": "The name of the volume mount containing the env file.",
                            "type": "string"
                          }
                        },
                        "required": [
                          "key",
                          "path",
                          "volumeName"
                        ],
                        "type": "object",
                        "x-kubernetes-map-type": "atomic",
                        "additionalProperties": false
                      },
                      "resourceFieldRef": {
                        "description": "Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.",
                        "properties": {
                          "containerName": {
                            "description": "Container name: required for volumes, optional for env vars",
                            "type": "string"
                          },
                          "divisor": {
                            "anyOf": [
                              {
                                "type": "integer"
                              },
                              {
                                "type": "string"
                              }
                            ],
                            "description": "Specifies the output format of the exposed resources, defaults to \"1\"",
                            "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                            "x-kubernetes-int-or-string": true
                          },
                          "resource": {
                            "description": "Required: resource to select",
                            "type": "string"
                          }
                        },
                        "required": [
                          "resource"
                        ],
                        "type": "object",
                        "x-kubernetes-map-type": "atomic",
                        "additionalProperties": false
                      },
                      "secretKeyRef": {
                        "description": "Selects a key of a secret in the pod's namespace",
                        "properties": {
                          "key": {
                            "description": "The key of the secret to select from.  Must be a valid secret key.",
                            "type": "string"
                          },
                          "name": {
                            "default": "",
                            "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                            "type": "string"
                          },
                          "optional": {
                            "description": "Specify whether the Secret or its key must be defined",
                            "type": "boolean"
                          }
                        },
                        "required": [
                          "key"
                        ],
                        "type": "object",
                        "x-kubernetes-map-type": "atomic",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "deploymentType": {
                "default": "Deployment",
                "description": "Kind of workload to create, Deployment or StatefulSet\nDefaults to Deployment (immutable after creation)",
                "enum": [
                  "Deployment",
                  "StatefulSet"
                ],
                "type": "string"
              },
              "emailNotifications": {
                "description": "Email notification settings\nOnly relevant when SMTP is configured",
                "properties": {
                  "apiKeyExpiration": {
                    "default": false,
                    "description": "Notify users of expiring API keys",
                    "type": "boolean"
                  },
                  "loginNotification": {
                    "default": false,
                    "description": "Notify users of logins from new devices",
                    "type": "boolean"
                  },
                  "oneTimeAccessAsAdmin": {
                    "default": false,
                    "description": "Allow admins to send one-time login access codes",
                    "type": "boolean"
                  },
                  "oneTimeAccessAsUnauthenticated": {
                    "default": false,
                    "description": "Allow email-based login bypass for unauthenticated users (reduced security)",
                    "type": "boolean"
                  },
                  "verification": {
                    "default": false,
                    "description": "Send verification emails on signup or email change",
                    "type": "boolean"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "encryptionKey": {
                "description": "Encryption Key\nRequired since Pocket-ID v2\nSee the official documentation for ENCRYPTION_KEY environment variable",
                "properties": {
                  "value": {
                    "description": "Plain text value",
                    "type": "string"
                  },
                  "valueFrom": {
                    "description": "Source for the value (e.g. secretKeyRef, configMapKeyRef)",
                    "properties": {
                      "configMapKeyRef": {
                        "description": "Selects a key of a ConfigMap.",
                        "properties": {
                          "key": {
                            "description": "The key to select.",
                            "type": "string"
                          },
                          "name": {
                            "default": "",
                            "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                            "type": "string"
                          },
                          "optional": {
                            "description": "Specify whether the ConfigMap or its key must be defined",
                            "type": "boolean"
                          }
                        },
                        "required": [
                          "key"
                        ],
                        "type": "object",
                        "x-kubernetes-map-type": "atomic",
                        "additionalProperties": false
                      },
                      "fieldRef": {
                        "description": "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.",
                        "properties": {
                          "apiVersion": {
                            "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".",
                            "type": "string"
                          },
                          "fieldPath": {
                            "description": "Path of the field to select in the specified API version.",
                            "type": "string"
                          }
                        },
                        "required": [
                          "fieldPath"
                        ],
                        "type": "object",
                        "x-kubernetes-map-type": "atomic",
                        "additionalProperties": false
                      },
                      "fileKeyRef": {
                        "description": "FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.",
                        "properties": {
                          "key": {
                            "description": "The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.",
                            "type": "string"
                          },
                          "optional": {
                            "default": false,
                            "description": "Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.",
                            "type": "boolean"
                          },
                          "path": {
                            "description": "The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.",
                            "type": "string"
                          },
                          "volumeName": {
                            "description": "The name of the volume mount containing the env file.",
                            "type": "string"
                          }
                        },
                        "required": [
                          "key",
                          "path",
                          "volumeName"
                        ],
                        "type": "object",
                        "x-kubernetes-map-type": "atomic",
                        "additionalProperties": false
                      },
                      "resourceFieldRef": {
                        "description": "Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.",
                        "properties": {
                          "containerName": {
                            "description": "Container name: required for volumes, optional for env vars",
                            "type": "string"
                          },
                          "divisor": {
                            "anyOf": [
                              {
                                "type": "integer"
                              },
                              {
                                "type": "string"
                              }
                            ],
                            "description": "Specifies the output format of the exposed resources, defaults to \"1\"",
                            "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                            "x-kubernetes-int-or-string": true
                          },
                          "resource": {
                            "description": "Required: resource to select",
                            "type": "string"
                          }
                        },
                        "required": [
                          "resource"
                        ],
                        "type": "object",
                        "x-kubernetes-map-type": "atomic",
                        "additionalProperties": false
                      },
                      "secretKeyRef": {
                        "description": "Selects a key of a secret in the pod's namespace",
                        "properties": {
                          "key": {
                            "description": "The key of the secret to select from.  Must be a valid secret key.",
                            "type": "string"
                          },
                          "name": {
                            "default": "",
                            "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                            "type": "string"
                          },
                          "optional": {
                            "description": "Specify whether the Secret or its key must be defined",
                            "type": "boolean"
                          }
                        },
                        "required": [
                          "key"
                        ],
                        "type": "object",
                        "x-kubernetes-map-type": "atomic",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "env": {
                "description": "Additional environment variables to set\nUses k8s env var syntax (includes secretKeyRef, configMapKeyRef, etc.)",
                "items": {
                  "description": "EnvVar represents an environment variable present in a Container.",
                  "properties": {
                    "name": {
                      "description": "Name of the environment variable.\nMay consist of any printable ASCII characters except '='.",
                      "type": "string"
                    },
                    "value": {
                      "description": "Variable references $(VAR_NAME) are expanded\nusing the previously defined environment variables in the container and\nany service environment variables. If a variable cannot be resolved,\nthe reference in the input string will be unchanged. Double $$ are reduced\nto a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.\n\"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\".\nEscaped references will never be expanded, regardless of whether the variable\nexists or not.\nDefaults to \"\".",
                      "type": "string"
                    },
                    "valueFrom": {
                      "description": "Source for the environment variable's value. Cannot be used if value is not empty.",
                      "properties": {
                        "configMapKeyRef": {
                          "description": "Selects a key of a ConfigMap.",
                          "properties": {
                            "key": {
                              "description": "The key to select.",
                              "type": "string"
                            },
                            "name": {
                              "default": "",
                              "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                              "type": "string"
                            },
                            "optional": {
                              "description": "Specify whether the ConfigMap or its key must be defined",
                              "type": "boolean"
                            }
                          },
                          "required": [
                            "key"
                          ],
                          "type": "object",
                          "x-kubernetes-map-type": "atomic",
                          "additionalProperties": false
                        },
                        "fieldRef": {
                          "description": "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.",
                          "properties": {
                            "apiVersion": {
                              "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".",
                              "type": "string"
                            },
                            "fieldPath": {
                              "description": "Path of the field to select in the specified API version.",
                              "type": "string"
                            }
                          },
                          "required": [
                            "fieldPath"
                          ],
                          "type": "object",
                          "x-kubernetes-map-type": "atomic",
                          "additionalProperties": false
                        },
                        "fileKeyRef": {
                          "description": "FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.",
                          "properties": {
                            "key": {
                              "description": "The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.",
                              "type": "string"
                            },
                            "optional": {
                              "default": false,
                              "description": "Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.",
                              "type": "boolean"
                            },
                            "path": {
                              "description": "The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.",
                              "type": "string"
                            },
                            "volumeName": {
                              "description": "The name of the volume mount containing the env file.",
                              "type": "string"
                            }
                          },
                          "required": [
                            "key",
                            "path",
                            "volumeName"
                          ],
                          "type": "object",
                          "x-kubernetes-map-type": "atomic",
                          "additionalProperties": false
                        },
                        "resourceFieldRef": {
                          "description": "Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.",
                          "properties": {
                            "containerName": {
                              "description": "Container name: required for volumes, optional for env vars",
                              "type": "string"
                            },
                            "divisor": {
                              "anyOf": [
                                {
                                  "type": "integer"
                                },
                                {
                                  "type": "string"
                                }
                              ],
                              "description": "Specifies the output format of the exposed resources, defaults to \"1\"",
                              "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                              "x-kubernetes-int-or-string": true
                            },
                            "resource": {
                              "description": "Required: resource to select",
                              "type": "string"
                            }
                          },
                          "required": [
                            "resource"
                          ],
                          "type": "object",
                          "x-kubernetes-map-type": "atomic",
                          "additionalProperties": false
                        },
                        "secretKeyRef": {
                          "description": "Selects a key of a secret in the pod's namespace",
                          "properties": {
                            "key": {
                              "description": "The key of the secret to select from.  Must be a valid secret key.",
                              "type": "string"
                            },
                            "name": {
                              "default": "",
                              "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                              "type": "string"
                            },
                            "optional": {
                              "description": "Specify whether the Secret or its key must be defined",
                              "type": "boolean"
                            }
                          },
                          "required": [
                            "key"
                          ],
                          "type": "object",
                          "x-kubernetes-map-type": "atomic",
                          "additionalProperties": false
                        }
                      },
                      "type": "object",
                      "additionalProperties": false
                    }
                  },
                  "required": [
                    "name"
                  ],
                  "type": "object",
                  "additionalProperties": false
                },
                "type": "array"
              },
              "fileBackend": {
                "description": "File storage backend\nAutomatically set to \"s3\" when s3 config is present",
                "enum": [
                  "filesystem",
                  "s3",
                  "database"
                ],
                "type": "string"
              },
              "geoip": {
                "description": "GeoIP/MaxMind integration for audit log geolocation",
                "properties": {
                  "dbPath": {
                    "description": "Custom path to the GeoLite2 database file",
                    "type": "string"
                  },
                  "dbUrl": {
                    "description": "Custom URL to download the GeoLite2 database from.\nThe URL may contain credentials, so it can be supplied from a Secret via valueFrom.secretKeyRef instead of as a plain text value.",
                    "properties": {
                      "value": {
                        "description": "Plain text value",
                        "type": "string"
                      },
                      "valueFrom": {
                        "description": "Source for the value (e.g. secretKeyRef, configMapKeyRef)",
                        "properties": {
                          "configMapKeyRef": {
                            "description": "Selects a key of a ConfigMap.",
                            "properties": {
                              "key": {
                                "description": "The key to select.",
                                "type": "string"
                              },
                              "name": {
                                "default": "",
                                "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                "type": "string"
                              },
                              "optional": {
                                "description": "Specify whether the ConfigMap or its key must be defined",
                                "type": "boolean"
                              }
                            },
                            "required": [
                              "key"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "fieldRef": {
                            "description": "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.",
                            "properties": {
                              "apiVersion": {
                                "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".",
                                "type": "string"
                              },
                              "fieldPath": {
                                "description": "Path of the field to select in the specified API version.",
                                "type": "string"
                              }
                            },
                            "required": [
                              "fieldPath"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "fileKeyRef": {
                            "description": "FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.",
                            "properties": {
                              "key": {
                                "description": "The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.",
                                "type": "string"
                              },
                              "optional": {
                                "default": false,
                                "description": "Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.",
                                "type": "boolean"
                              },
                              "path": {
                                "description": "The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.",
                                "type": "string"
                              },
                              "volumeName": {
                                "description": "The name of the volume mount containing the env file.",
                                "type": "string"
                              }
                            },
                            "required": [
                              "key",
                              "path",
                              "volumeName"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "resourceFieldRef": {
                            "description": "Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.",
                            "properties": {
                              "containerName": {
                                "description": "Container name: required for volumes, optional for env vars",
                                "type": "string"
                              },
                              "divisor": {
                                "anyOf": [
                                  {
                                    "type": "integer"
                                  },
                                  {
                                    "type": "string"
                                  }
                                ],
                                "description": "Specifies the output format of the exposed resources, defaults to \"1\"",
                                "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                                "x-kubernetes-int-or-string": true
                              },
                              "resource": {
                                "description": "Required: resource to select",
                                "type": "string"
                              }
                            },
                            "required": [
                              "resource"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "secretKeyRef": {
                            "description": "Selects a key of a secret in the pod's namespace",
                            "properties": {
                              "key": {
                                "description": "The key of the secret to select from.  Must be a valid secret key.",
                                "type": "string"
                              },
                              "name": {
                                "default": "",
                                "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                "type": "string"
                              },
                              "optional": {
                                "description": "Specify whether the Secret or its key must be defined",
                                "type": "boolean"
                              }
                            },
                            "required": [
                              "key"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
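                  },
                  "maxmindLicenseKey": {
                    "description": "MaxMind license key for downloading GeoLite2 database",
                    "properties": {
                      "value": {
                        "description": "Plain text value, stored unencrypted in the resource spec.\nFor the license key, prefer valueFrom.secretKeyRef so the key stays out of the manifest.",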
                        "type": "string"
                      },
                      "valueFrom": {
                        "description": "Source for the value (e.g. secretKeyRef, configMapKeyRef)",
                        "properties": {
                          "configMapKeyRef": {
                            "description": "Selects a key of a ConfigMap.",
                            "properties": {
                              "key": {
                                "description": "The key to select.",
                                "type": "string"
                              },
                              "name": {
                                "default": "",
                                "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                "type": "string"
                              },
                              "optional": {
                                "description": "Specify whether the ConfigMap or its key must be defined",
                                "type": "boolean"
                              }
                            },
                            "required": [
                              "key"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "fieldRef": {
                            "description": "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.",
                            "properties": {
                              "apiVersion": {
                                "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".",
                                "type": "string"
                              },
                              "fieldPath": {
                                "description": "Path of the field to select in the specified API version.",
                                "type": "string"
                              }
                            },
                            "required": [
                              "fieldPath"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "fileKeyRef": {
                            "description": "FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.",
                            "properties": {
                              "key": {
                                "description": "The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.",
                                "type": "string"
                              },
                              "optional": {
                                "default": false,
                                "description": "Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.",
                                "type": "boolean"
                              },
                              "path": {
                                "description": "The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.",
                                "type": "string"
                              },
                              "volumeName": {
                                "description": "The name of the volume mount containing the env file.",
                                "type": "string"
                              }
                            },
                            "required": [
                              "key",
                              "path",
                              "volumeName"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "resourceFieldRef": {
                            "description": "Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.",
                            "properties": {
                              "containerName": {
                                "description": "Container name: required for volumes, optional for env vars",
                                "type": "string"
                              },
                              "divisor": {
                                "anyOf": [
                                  {
                                    "type": "integer"
                                  },
                                  {
                                    "type": "string"
                                  }
                                ],
                                "description": "Specifies the output format of the exposed resources, defaults to \"1\"",
                                "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                                "x-kubernetes-int-or-string": true
                              },
                              "resource": {
                                "description": "Required: resource to select",
                                "type": "string"
                              }
                            },
                            "required": [
                              "resource"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "secretKeyRef": {
                            "description": "Selects a key of a secret in the pod's namespace",
                            "properties": {
                              "key": {
                                "description": "The key of the secret to select from.  Must be a valid secret key.",
                                "type": "string"
                              },
                              "name": {
                                "default": "",
                                "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                "type": "string"
                              },
                              "optional": {
                                "description": "Specify whether the Secret or its key must be defined",
                                "type": "boolean"
                              }
                            },
                            "required": [
                              "key"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "hostUsers": {
                "default": true,
                "description": "HostUsers controls whether the pod uses the host's user namespace.\nDefaults to true (the host user namespace is shared); set to false to run the pod in a separate user namespace.",
                "type": "boolean"
              },
              "image": {
                "default": "ghcr.io/pocket-id/pocket-id:v2.5.0-distroless@sha256:deadc3c4dd6655a7d7f959200db1c74e394942dc061e6f3732b709983a08aab7",
                "description": "Container image to run. Defaults to the latest distroless version at time of operator release",
                "type": "string"
              },
              "internalAppUrl": {
                "description": "Internal base URL for OIDC .well-known endpoints (for split-horizon DNS)",
                "type": "string"
              },
              "labels": {
                "additionalProperties": {
                  "type": "string"
                },
                "description": "Additional labels to add to the workload and pod",
                "type": "object"
              },
              "ldap": {
                "description": "LDAP authentication configuration\nWhen present, LDAP is automatically enabled",
                "properties": {
                  "adminGroupName": {
                    "description": "LDAP group name that grants admin privileges",
                    "type": "string"
                  },
                  "attributeMapping": {
                    "description": "LDAP attribute mappings",
                    "properties": {
                      "groupMember": {
                        "description": "LDAP attribute for group membership",
                        "type": "string"
                      },
                      "groupName": {
                        "description": "LDAP attribute for group name",
                        "type": "string"
                      },
                      "groupUniqueIdentifier": {
                        "description": "LDAP attribute for immutable group identifier",
                        "type": "string"
                      },
                      "userEmail": {
                        "description": "LDAP attribute for email",
                        "type": "string"
                      },
                      "userFirstName": {
                        "description": "LDAP attribute for first name",
                        "type": "string"
                      },
                      "userLastName": {
                        "description": "LDAP attribute for last name",
                        "type": "string"
                      },
                      "userProfilePicture": {
                        "description": "LDAP attribute for profile picture",
                        "type": "string"
                      },
                      "userUniqueIdentifier": {
                        "description": "LDAP attribute for immutable user identifier",
                        "type": "string"
                      },
                      "userUsername": {
                        "description": "LDAP attribute for username",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "base": {
                    "description": "LDAP search base DN",
                    "type": "string"
                  },
                  "bindDN": {
                    "description": "LDAP bind distinguished name",
                    "type": "string"
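                  },
                  "bindPassword": {
                    "description": "LDAP bind password. A password given in value is kept in plain text in the resource spec; valueFrom.secretKeyRef reads it from a Secret instead",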
                    "properties": {
                      "value": {
                        "description": "Plain text value",
                        "type": "string"
                      },
                      "valueFrom": {
                        "description": "Source for the value (e.g. secretKeyRef, configMapKeyRef)",
                        "properties": {
                          "configMapKeyRef": {
                            "description": "Selects a key of a ConfigMap.",
                            "properties": {
                              "key": {
                                "description": "The key to select.",
                                "type": "string"
                              },
                              "name": {
                                "default": "",
                                "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                "type": "string"
                              },
                              "optional": {
                                "description": "Specify whether the ConfigMap or its key must be defined",
                                "type": "boolean"
                              }
                            },
                            "required": [
                              "key"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "fieldRef": {
                            "description": "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.",
                            "properties": {
                              "apiVersion": {
                                "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".",
                                "type": "string"
                              },
                              "fieldPath": {
                                "description": "Path of the field to select in the specified API version.",
                                "type": "string"
                              }
                            },
                            "required": [
                              "fieldPath"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "fileKeyRef": {
                            "description": "FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.",
                            "properties": {
                              "key": {
                                "description": "The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.",
                                "type": "string"
                              },
                              "optional": {
                                "default": false,
                                "description": "Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.",
                                "type": "boolean"
                              },
                              "path": {
                                "description": "The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.",
                                "type": "string"
                              },
                              "volumeName": {
                                "description": "The name of the volume mount containing the env file.",
                                "type": "string"
                              }
                            },
                            "required": [
                              "key",
                              "path",
                              "volumeName"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "resourceFieldRef": {
                            "description": "Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.",
                            "properties": {
                              "containerName": {
                                "description": "Container name: required for volumes, optional for env vars",
                                "type": "string"
                              },
                              "divisor": {
                                "anyOf": [
                                  {
                                    "type": "integer"
                                  },
                                  {
                                    "type": "string"
                                  }
                                ],
                                "description": "Specifies the output format of the exposed resources, defaults to \"1\"",
                                "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                                "x-kubernetes-int-or-string": true
                              },
                              "resource": {
                                "description": "Required: resource to select",
                                "type": "string"
                              }
                            },
                            "required": [
                              "resource"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "secretKeyRef": {
                            "description": "Selects a key of a secret in the pod's namespace",
                            "properties": {
                              "key": {
                                "description": "The key of the secret to select from.  Must be a valid secret key.",
                                "type": "string"
                              },
                              "name": {
                                "default": "",
                                "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                "type": "string"
                              },
                              "optional": {
                                "description": "Specify whether the Secret or its key must be defined",
                                "type": "boolean"
                              }
                            },
                            "required": [
                              "key"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
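                  },
                  "skipCertVerify": {
                    "default": false,
                    "description": "Skip LDAP certificate verification. When true, the LDAP server's certificate is not validated, so the connection, including the bind password, is not protected against interception; leave false outside of testing",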
                    "type": "boolean"
                  },
                  "softDeleteUsers": {
                    "default": false,
                    "description": "Disable removed LDAP users instead of deleting them",
                    "type": "boolean"
                  },
                  "url": {
                    "description": "LDAP server connection URL (e.g. ldaps://ldap.example.com)",
                    "type": "string"
                  },
                  "userGroupSearchFilter": {
                    "description": "LDAP group search filter",
                    "type": "string"
                  },
                  "userSearchFilter": {
                    "description": "LDAP user search filter",
                    "type": "string"
                  }
                },
                "required": [
                  "base",
                  "bindDN",
                  "bindPassword",
                  "url"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "livenessProbe": {
                "description": "Liveness probe configuration",
                "properties": {
                  "exec": {
                    "description": "Exec specifies a command to execute in the container.",
                    "properties": {
                      "command": {
                        "description": "Command is the command line to execute inside the container, the working directory for the\ncommand  is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.",
                        "items": {
                          "type": "string"
                        },
                        "type": "array",
                        "x-kubernetes-list-type": "atomic"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "failureThreshold": {
                    "description": "Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.",
                    "format": "int32",
                    "type": "integer"
                  },
                  "grpc": {
                    "description": "GRPC specifies a GRPC HealthCheckRequest.",
                    "properties": {
                      "port": {
                        "description": "Port number of the gRPC service. Number must be in the range 1 to 65535.",
                        "format": "int32",
                        "type": "integer"
                      },
                      "service": {
                        "default": "",
                        "description": "Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "port"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "httpGet": {
                    "description": "HTTPGet specifies an HTTP GET request to perform.",
                    "properties": {
                      "host": {
                        "description": "Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.",
                        "type": "string"
                      },
                      "httpHeaders": {
                        "description": "Custom headers to set in the request. HTTP allows repeated headers.",
                        "items": {
                          "description": "HTTPHeader describes a custom header to be used in HTTP probes",
                          "properties": {
                            "name": {
                              "description": "The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.",
                              "type": "string"
                            },
                            "value": {
                              "description": "The header field value",
                              "type": "string"
                            }
                          },
                          "required": [
                            "name",
                            "value"
                          ],
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array",
                        "x-kubernetes-list-type": "atomic"
                      },
                      "path": {
                        "description": "Path to access on the HTTP server.",
                        "type": "string"
                      },
                      "port": {
                        "anyOf": [
                          {
                            "type": "integer"
                          },
                          {
                            "type": "string"
                          }
                        ],
                        "description": "Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.",
                        "x-kubernetes-int-or-string": true
                      },
                      "scheme": {
                        "description": "Scheme to use for connecting to the host.\nDefaults to HTTP.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "port"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "initialDelaySeconds": {
                    "description": "Number of seconds after the container has started before liveness probes are initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes",
                    "format": "int32",
                    "type": "integer"
                  },
                  "periodSeconds": {
                    "description": "How often (in seconds) to perform the probe.\nDefaults to 10 seconds. Minimum value is 1.",
                    "format": "int32",
                    "type": "integer"
                  },
                  "successThreshold": {
                    "description": "Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.",
                    "format": "int32",
                    "type": "integer"
                  },
                  "tcpSocket": {
                    "description": "TCPSocket specifies a connection to a TCP port.",
                    "properties": {
                      "host": {
                        "description": "Optional: Host name to connect to, defaults to the pod IP.",
                        "type": "string"
                      },
                      "port": {
                        "anyOf": [
                          {
                            "type": "integer"
                          },
                          {
                            "type": "string"
                          }
                        ],
                        "description": "Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.",
                        "x-kubernetes-int-or-string": true
                      }
                    },
                    "required": [
                      "port"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "terminationGracePeriodSeconds": {
                    "description": "Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.",
                    "format": "int64",
                    "type": "integer"
                  },
                  "timeoutSeconds": {
                    "description": "Number of seconds after which the probe times out.\nDefaults to 1 second. Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes",
                    "format": "int32",
                    "type": "integer"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "localIPv6Ranges": {
                "description": "Custom local IPv6 ranges for audit log IP classification (comma-separated CIDRs)",
                "type": "string"
              },
              "logging": {
                "description": "Logging configuration",
                "properties": {
                  "json": {
                    "default": false,
                    "description": "Output logs as JSON",
                    "type": "boolean"
                  },
                  "level": {
                    "description": "Log level",
                    "enum": [
                      "debug",
                      "info",
                      "warn",
                      "error"
                    ],
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "metrics": {
                "description": "Prometheus metrics configuration\nWhen enabled the operator injects the required OTEL environment variables\nand exposes a metrics port on the Service",
                "properties": {
                  "enabled": {
                    "default": false,
                    "description": "Enables the Prometheus metrics endpoint",
                    "type": "boolean"
                  },
                  "port": {
                    "default": 9464,
                    "description": "Port for the Prometheus metrics endpoint",
                    "format": "int32",
                    "type": "integer"
                  }
                },
                "required": [
                  "enabled"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "persistence": {
                "description": "Configures persistence for Pocket-ID\nNote: Pocket-ID can be run statelessly if using Postgres as a file and db backend\nIf not enabled, an emptyDir is mounted instead (its contents are lost when the pod is deleted)",
                "properties": {
                  "accessModes": {
                    "default": [
                      "ReadWriteOnce"
                    ],
                    "description": "AccessModes for the PVC",
                    "items": {
                      "type": "string"
                    },
                    "type": "array"
                  },
                  "enabled": {
                    "default": false,
                    "description": "Enables mounting a persistent volume",
                    "type": "boolean"
                  },
                  "existingClaim": {
                    "description": "Name of an existing, externally-managed PVC to mount",
                    "type": "string"
                  },
                  "size": {
                    "anyOf": [
                      {
                        "type": "integer"
                      },
                      {
                        "type": "string"
                      }
                    ],
                    "default": "1Gi",
                    "description": "Size of the claim to dynamically provision",
                    "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                    "x-kubernetes-int-or-string": true
                  },
                  "storageClass": {
                    "description": "Name of storageClass to provision a volume from",
                    "type": "string"
                  }
                },
                "required": [
                  "enabled"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "podSecurityContext": {
                "description": "Pod security context",
                "properties": {
                  "appArmorProfile": {
                    "description": "appArmorProfile is the AppArmor options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.",
                    "properties": {
                      "localhostProfile": {
                        "description": "localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".",
                        "type": "string"
                      },
                      "type": {
                        "description": "type indicates which kind of AppArmor profile will be applied.\nValid options are:\n  Localhost - a profile pre-loaded on the node.\n  RuntimeDefault - the container runtime's default profile.\n  Unconfined - no AppArmor enforcement.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "type"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "fsGroup": {
                    "description": "A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.",
                    "format": "int64",
                    "type": "integer"
                  },
                  "fsGroupChangePolicy": {
                    "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.",
                    "type": "string"
                  },
                  "runAsGroup": {
                    "description": "The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.",
                    "format": "int64",
                    "type": "integer"
                  },
                  "runAsNonRoot": {
                    "description": "Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.",
                    "type": "boolean"
                  },
                  "runAsUser": {
                    "description": "The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext.  If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.",
                    "format": "int64",
                    "type": "integer"
                  },
                  "seLinuxChangePolicy": {
                    "description": "seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.\nIt has no effect on nodes that do not support SELinux or on volumes that do not support SELinux.\nValid values are \"MountOption\" and \"Recursive\".\n\n\"Recursive\" means relabeling of all files on all Pod volumes by the container runtime.\nThis may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.\n\n\"MountOption\" mounts all eligible Pod volumes with `-o context` mount option.\nThis requires all Pods that share the same volume to use the same SELinux label.\nIt is not possible to share the same volume among privileged and unprivileged Pods.\nEligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes\nwhose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their\nCSIDriver instance. Other volumes are always re-labelled recursively.\n\"MountOption\" value is allowed only when SELinuxMount feature gate is enabled.\n\nIf not specified and SELinuxMount feature gate is enabled, \"MountOption\" is used.\nIf not specified and SELinuxMount feature gate is disabled, \"MountOption\" is used for ReadWriteOncePod volumes\nand \"Recursive\" for all other volumes.\n\nThis field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.\n\nAll Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.\nNote that this field cannot be set when spec.os.name is windows.",
                    "type": "string"
                  },
                  "seLinuxOptions": {
                    "description": "The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer.  May also be set in SecurityContext.  If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.",
                    "properties": {
                      "level": {
                        "description": "Level is SELinux level label that applies to the container.",
                        "type": "string"
                      },
                      "role": {
                        "description": "Role is a SELinux role label that applies to the container.",
                        "type": "string"
                      },
                      "type": {
                        "description": "Type is a SELinux type label that applies to the container.",
                        "type": "string"
                      },
                      "user": {
                        "description": "User is a SELinux user label that applies to the container.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "seccompProfile": {
                    "description": "The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.",
                    "properties": {
                      "localhostProfile": {
                        "description": "localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.",
                        "type": "string"
                      },
                      "type": {
                        "description": "type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "type"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "supplementalGroups": {
                    "description": "A list of groups applied to the first process run in each container, in\naddition to the container's primary GID and fsGroup (if specified).  If\nthe SupplementalGroupsPolicy feature is enabled, the\nsupplementalGroupsPolicy field determines whether these are in addition\nto or instead of any group memberships defined in the container image.\nIf unspecified, no additional groups are added, though group memberships\ndefined in the container image may still be used, depending on the\nsupplementalGroupsPolicy field.\nNote that this field cannot be set when spec.os.name is windows.",
                    "items": {
                      "format": "int64",
                      "type": "integer"
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "supplementalGroupsPolicy": {
                    "description": "Defines how supplemental groups of the first container processes are calculated.\nValid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used.\n(Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled\nand the container runtime must implement support for this feature.\nNote that this field cannot be set when spec.os.name is windows.",
                    "type": "string"
                  },
                  "sysctls": {
                    "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.",
                    "items": {
                      "description": "Sysctl defines a kernel parameter to be set",
                      "properties": {
                        "name": {
                          "description": "Name of a property to set",
                          "type": "string"
                        },
                        "value": {
                          "description": "Value of a property to set",
                          "type": "string"
                        }
                      },
                      "required": [
                        "name",
                        "value"
                      ],
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "windowsOptions": {
                    "description": "The Windows specific settings applied to all containers.\nIf unspecified, the options within a container's SecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.",
                    "properties": {
                      "gmsaCredentialSpec": {
                        "description": "GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.",
                        "type": "string"
                      },
                      "gmsaCredentialSpecName": {
                        "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.",
                        "type": "string"
                      },
                      "hostProcess": {
                        "description": "HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.",
                        "type": "boolean"
                      },
                      "runAsUserName": {
                        "description": "The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "readinessProbe": {
                "description": "Readiness probe configuration",
                "properties": {
                  "exec": {
                    "description": "Exec specifies a command to execute in the container.",
                    "properties": {
                      "command": {
                        "description": "Command is the command line to execute inside the container, the working directory for the\ncommand is root ('/') in the container's filesystem. The command is simply exec'd, it is\nnot run inside a shell, so traditional shell instructions ('|', etc) won't work. To use\na shell, you need to explicitly call out to that shell.\nExit status of 0 is treated as live/healthy and non-zero is unhealthy.",
                        "items": {
                          "type": "string"
                        },
                        "type": "array",
                        "x-kubernetes-list-type": "atomic"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "failureThreshold": {
                    "description": "Minimum consecutive failures for the probe to be considered failed after having succeeded.\nDefaults to 3. Minimum value is 1.",
                    "format": "int32",
                    "type": "integer"
                  },
                  "grpc": {
                    "description": "GRPC specifies a GRPC HealthCheckRequest.",
                    "properties": {
                      "port": {
                        "description": "Port number of the gRPC service. Number must be in the range 1 to 65535.",
                        "format": "int32",
                        "type": "integer"
                      },
                      "service": {
                        "default": "",
                        "description": "Service is the name of the service to place in the gRPC HealthCheckRequest\n(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "port"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "httpGet": {
                    "description": "HTTPGet specifies an HTTP GET request to perform.",
                    "properties": {
                      "host": {
                        "description": "Host name to connect to, defaults to the pod IP. You probably want to set\n\"Host\" in httpHeaders instead.",
                        "type": "string"
                      },
                      "httpHeaders": {
                        "description": "Custom headers to set in the request. HTTP allows repeated headers.",
                        "items": {
                          "description": "HTTPHeader describes a custom header to be used in HTTP probes",
                          "properties": {
                            "name": {
                              "description": "The header field name.\nThis will be canonicalized upon output, so case-variant names will be understood as the same header.",
                              "type": "string"
                            },
                            "value": {
                              "description": "The header field value",
                              "type": "string"
                            }
                          },
                          "required": [
                            "name",
                            "value"
                          ],
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array",
                        "x-kubernetes-list-type": "atomic"
                      },
                      "path": {
                        "description": "Path to access on the HTTP server.",
                        "type": "string"
                      },
                      "port": {
                        "anyOf": [
                          {
                            "type": "integer"
                          },
                          {
                            "type": "string"
                          }
                        ],
                        "description": "Name or number of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.",
                        "x-kubernetes-int-or-string": true
                      },
                      "scheme": {
                        "description": "Scheme to use for connecting to the host.\nDefaults to HTTP.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "port"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "initialDelaySeconds": {
                    "description": "Number of seconds after the container has started before the probe is initiated.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes",
                    "format": "int32",
                    "type": "integer"
                  },
                  "periodSeconds": {
                    "description": "How often (in seconds) to perform the probe.\nDefaults to 10 seconds. Minimum value is 1.",
                    "format": "int32",
                    "type": "integer"
                  },
                  "successThreshold": {
                    "description": "Minimum consecutive successes for the probe to be considered successful after having failed.\nDefaults to 1. Must be 1 for liveness and startup. Minimum value is 1.",
                    "format": "int32",
                    "type": "integer"
                  },
                  "tcpSocket": {
                    "description": "TCPSocket specifies a connection to a TCP port.",
                    "properties": {
                      "host": {
                        "description": "Optional: Host name to connect to, defaults to the pod IP.",
                        "type": "string"
                      },
                      "port": {
                        "anyOf": [
                          {
                            "type": "integer"
                          },
                          {
                            "type": "string"
                          }
                        ],
                        "description": "Number or name of the port to access on the container.\nNumber must be in the range 1 to 65535.\nName must be an IANA_SVC_NAME.",
                        "x-kubernetes-int-or-string": true
                      }
                    },
                    "required": [
                      "port"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "terminationGracePeriodSeconds": {
                    "description": "Optional duration in seconds the pod needs to terminate gracefully upon probe failure.\nThe grace period is the duration in seconds after the processes running in the pod are sent\na termination signal and the time when the processes are forcibly halted with a kill signal.\nSet this value longer than the expected cleanup time for your process.\nIf this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this\nvalue overrides the value provided by the pod spec.\nValue must be non-negative integer. The value zero indicates stop immediately via\nthe kill signal (no opportunity to shut down).\nThis is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.\nMinimum value is 1. spec.terminationGracePeriodSeconds is used if unset.",
                    "format": "int64",
                    "type": "integer"
                  },
                  "timeoutSeconds": {
                    "description": "Number of seconds after which the probe times out.\nDefaults to 1 second. Minimum value is 1.\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes",
                    "format": "int32",
                    "type": "integer"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "resources": {
                "description": "Resource requests and limits for the container",
                "properties": {
                  "claims": {
                    "description": "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.",
                    "items": {
                      "description": "ResourceClaim references one entry in PodSpec.ResourceClaims.",
                      "properties": {
                        "name": {
                          "description": "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.",
                          "type": "string"
                        },
                        "request": {
                          "description": "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.",
                          "type": "string"
                        }
                      },
                      "required": [
                        "name"
                      ],
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": "array",
                    "x-kubernetes-list-map-keys": [
                      "name"
                    ],
                    "x-kubernetes-list-type": "map"
                  },
                  "limits": {
                    "additionalProperties": {
                      "anyOf": [
                        {
                          "type": "integer"
                        },
                        {
                          "type": "string"
                        }
                      ],
                      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                      "x-kubernetes-int-or-string": true
                    },
                    "description": "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
                    "type": "object"
                  },
                  "requests": {
                    "additionalProperties": {
                      "anyOf": [
                        {
                          "type": "integer"
                        },
                        {
                          "type": "string"
                        }
                      ],
                      "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                      "x-kubernetes-int-or-string": true
                    },
                    "description": "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/",
                    "type": "object"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "route": {
                "description": "HTTPRoute configuration\nCreates an HTTPRoute when enabled. Requires Gateway API CRDs to be installed.",
                "properties": {
                  "annotations": {
                    "additionalProperties": {
                      "type": "string"
                    },
                    "description": "Additional annotations for the HTTPRoute",
                    "type": "object"
                  },
                  "enabled": {
                    "default": false,
                    "description": "Enables creation of an HTTPRoute",
                    "type": "boolean"
                  },
                  "hostnames": {
                    "description": "Hostnames for the route\nWill be automatically set to the hostname from spec.appUrl if not specified",
                    "items": {
                      "description": "Hostname is the fully qualified domain name of a network host. This matches\nthe RFC 1123 definition of a hostname with 2 notable exceptions:\n\n 1. IPs are not allowed.\n 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard\n    label must appear by itself as the first label.\n\nHostname can be \"precise\" which is a domain name without the terminating\ndot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a\ndomain name prefixed with a single wildcard label (e.g. `*.example.com`).\n\nNote that as per RFC1035 and RFC1123, a *label* must consist of lower case\nalphanumeric characters or '-', and must start and end with an alphanumeric\ncharacter. No other punctuation is allowed.",
                      "maxLength": 253,
                      "minLength": 1,
                      "pattern": "^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                      "type": "string"
                    },
                    "type": "array"
                  },
                  "labels": {
                    "additionalProperties": {
                      "type": "string"
                    },
                    "description": "Additional labels for the HTTPRoute",
                    "type": "object"
                  },
                  "name": {
                    "description": "Name override for the HTTPRoute (defaults to instance name)",
                    "type": "string"
                  },
                  "parentRefs": {
                    "description": "Gateway parent references",
                    "items": {
                      "description": "ParentReference identifies an API object (usually a Gateway) that can be considered\na parent of this resource (usually a route). There are two kinds of parent resources\nwith \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nThis API may be extended in the future to support additional kinds of parent\nresources.\n\nThe API object must be valid in the cluster; the Group and Kind must\nbe registered in the cluster for this reference to be valid.",
                      "properties": {
                        "group": {
                          "default": "gateway.networking.k8s.io",
                          "description": "Group is the group of the referent.\nWhen unspecified, \"gateway.networking.k8s.io\" is inferred.\nTo set the core API group (such as for a \"Service\" kind referent),\nGroup must be explicitly set to \"\" (empty string).\n\nSupport: Core",
                          "maxLength": 253,
                          "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                          "type": "string"
                        },
                        "kind": {
                          "default": "Gateway",
                          "description": "Kind is kind of the referent.\n\nThere are two kinds of parent resources with \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nSupport for other resources is Implementation-Specific.",
                          "maxLength": 63,
                          "minLength": 1,
                          "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$",
                          "type": "string"
                        },
                        "name": {
                          "description": "Name is the name of the referent.\n\nSupport: Core",
                          "maxLength": 253,
                          "minLength": 1,
                          "type": "string"
                        },
                        "namespace": {
                          "description": "Namespace is the namespace of the referent. When unspecified, this refers\nto the local namespace of the Route.\n\nNote that there are specific rules for ParentRefs which cross namespace\nboundaries. Cross-namespace references are only valid if they are explicitly\nallowed by something in the namespace they are referring to. For example:\nGateway has the AllowedRoutes field, and ReferenceGrant provides a\ngeneric way to enable any other kind of cross-namespace reference.\n\n<gateway:experimental:description>\nParentRefs from a Route to a Service in the same namespace are \"producer\"\nroutes, which apply default routing rules to inbound connections from\nany namespace to the Service.\n\nParentRefs from a Route to a Service in a different namespace are\n\"consumer\" routes, and these routing rules are only applied to outbound\nconnections originating from the same namespace as the Route, for which\nthe intended destination of the connections are a Service targeted as a\nParentRef of the Route.\n</gateway:experimental:description>\n\nSupport: Core",
                          "maxLength": 63,
                          "minLength": 1,
                          "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$",
                          "type": "string"
                        },
                        "port": {
                          "description": "Port is the network port this Route targets. It can be interpreted\ndifferently based on the type of parent resource.\n\nWhen the parent resource is a Gateway, this targets all listeners\nlistening on the specified port that also support this kind of Route(and\nselect this Route). It's not recommended to set `Port` unless the\nnetworking behaviors specified in a Route must apply to a specific port\nas opposed to a listener(s) whose port(s) may be changed. When both Port\nand SectionName are specified, the name and port of the selected listener\nmust match both specified values.\n\n<gateway:experimental:description>\nWhen the parent resource is a Service, this targets a specific port in the\nService spec. When both Port (experimental) and SectionName are specified,\nthe name and port of the selected port must match both specified values.\n</gateway:experimental:description>\n\nImplementations MAY choose to support other parent resources.\nImplementations supporting other types of parent resources MUST clearly\ndocument how/if Port is interpreted.\n\nFor the purpose of status, an attachment is considered successful as\nlong as the parent resource accepts it partially. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. If 1 of 2 Gateway listeners accept attachment\nfrom the referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route,\nthe Route MUST be considered detached from the Gateway.\n\nSupport: Extended",
                          "format": "int32",
                          "maximum": 65535,
                          "minimum": 1,
                          "type": "integer"
                        },
                        "sectionName": {
                          "description": "SectionName is the name of a section within the target resource. In the\nfollowing resources, SectionName is interpreted as the following:\n\n* Gateway: Listener name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n* Service: Port name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n\nImplementations MAY choose to support attaching Routes to other resources.\nIf that is the case, they MUST clearly document how SectionName is\ninterpreted.\n\nWhen unspecified (empty string), this will reference the entire resource.\nFor the purpose of status, an attachment is considered successful if at\nleast one section in the parent resource accepts it. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\nthe referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route, the\nRoute MUST be considered detached from the Gateway.\n\nSupport: Core",
                          "maxLength": 253,
                          "minLength": 1,
                          "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$",
                          "type": "string"
                        }
                      },
                      "required": [
                        "name"
                      ],
                      "type": "object",
                      "additionalProperties": false
                    },
                    "minItems": 1,
                    "type": "array"
                  }
                },
                "required": [
                  "enabled",
                  "parentRefs"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "s3": {
                "description": "S3 file backend configuration\nWhen present, FILE_BACKEND is automatically set to \"s3\"",
                "properties": {
                  "accessKeyId": {
                    "description": "S3 access key ID",
                    "properties": {
                      "value": {
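                        "description": "Plain text value, stored inline in this configuration. For credential material, prefer valueFrom with a secretKeyRef so the value is not kept in plain text here.",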
                        "type": "string"
                      },
                      "valueFrom": {
                        "description": "Source for the value (e.g. secretKeyRef, configMapKeyRef)",
                        "properties": {
                          "configMapKeyRef": {
                            "description": "Selects a key of a ConfigMap.",
                            "properties": {
                              "key": {
                                "description": "The key to select.",
                                "type": "string"
                              },
                              "name": {
                                "default": "",
                                "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                "type": "string"
                              },
                              "optional": {
                                "description": "Specify whether the ConfigMap or its key must be defined",
                                "type": "boolean"
                              }
                            },
                            "required": [
                              "key"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "fieldRef": {
                            "description": "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.",
                            "properties": {
                              "apiVersion": {
                                "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".",
                                "type": "string"
                              },
                              "fieldPath": {
                                "description": "Path of the field to select in the specified API version.",
                                "type": "string"
                              }
                            },
                            "required": [
                              "fieldPath"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "fileKeyRef": {
                            "description": "FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.",
                            "properties": {
                              "key": {
                                "description": "The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.",
                                "type": "string"
                              },
                              "optional": {
                                "default": false,
                                "description": "Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.",
                                "type": "boolean"
                              },
                              "path": {
                                "description": "The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.",
                                "type": "string"
                              },
                              "volumeName": {
                                "description": "The name of the volume mount containing the env file.",
                                "type": "string"
                              }
                            },
                            "required": [
                              "key",
                              "path",
                              "volumeName"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "resourceFieldRef": {
                            "description": "Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.",
                            "properties": {
                              "containerName": {
                                "description": "Container name: required for volumes, optional for env vars",
                                "type": "string"
                              },
                              "divisor": {
                                "anyOf": [
                                  {
                                    "type": "integer"
                                  },
                                  {
                                    "type": "string"
                                  }
                                ],
                                "description": "Specifies the output format of the exposed resources, defaults to \"1\"",
                                "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                                "x-kubernetes-int-or-string": true
                              },
                              "resource": {
                                "description": "Required: resource to select",
                                "type": "string"
                              }
                            },
                            "required": [
                              "resource"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "secretKeyRef": {
                            "description": "Selects a key of a secret in the pod's namespace",
                            "properties": {
                              "key": {
                                "description": "The key of the secret to select from.  Must be a valid secret key.",
                                "type": "string"
                              },
                              "name": {
                                "default": "",
                                "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                "type": "string"
                              },
                              "optional": {
                                "description": "Specify whether the Secret or its key must be defined",
                                "type": "boolean"
                              }
                            },
                            "required": [
                              "key"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "bucket": {
                    "description": "S3 bucket name",
                    "type": "string"
                  },
                  "disableDefaultIntegrityChecks": {
                    "default": false,
                    "description": "Disable default S3 integrity checks",
                    "type": "boolean"
                  },
                  "endpoint": {
                    "description": "S3 endpoint URL (for MinIO, Ceph, or other S3-compatible stores)",
                    "type": "string"
                  },
                  "forcePathStyle": {
                    "default": false,
                    "description": "Force path-style URLs instead of virtual-hosted-style",
                    "type": "boolean"
                  },
                  "region": {
                    "description": "S3 region",
                    "type": "string"
                  },
                  "secretAccessKey": {
                    "description": "S3 secret access key",
                    "properties": {
                      "value": {
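                        "description": "Plain text value. It is kept in clear in the values file and in the resource spec; for the S3 secret access key prefer valueFrom.secretKeyRef",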
                        "type": "string"
                      },
                      "valueFrom": {
                        "description": "Source for the value (e.g. secretKeyRef, configMapKeyRef)",
                        "properties": {
                          "configMapKeyRef": {
                            "description": "Selects a key of a ConfigMap.",
                            "properties": {
                              "key": {
                                "description": "The key to select.",
                                "type": "string"
                              },
                              "name": {
                                "default": "",
                                "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                "type": "string"
                              },
                              "optional": {
                                "description": "Specify whether the ConfigMap or its key must be defined",
                                "type": "boolean"
                              }
                            },
                            "required": [
                              "key"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "fieldRef": {
                            "description": "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.",
                            "properties": {
                              "apiVersion": {
                                "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".",
                                "type": "string"
                              },
                              "fieldPath": {
                                "description": "Path of the field to select in the specified API version.",
                                "type": "string"
                              }
                            },
                            "required": [
                              "fieldPath"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "fileKeyRef": {
                            "description": "FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.",
                            "properties": {
                              "key": {
                                "description": "The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.",
                                "type": "string"
                              },
                              "optional": {
                                "default": false,
                                "description": "Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.",
                                "type": "boolean"
                              },
                              "path": {
                                "description": "The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.",
                                "type": "string"
                              },
                              "volumeName": {
                                "description": "The name of the volume mount containing the env file.",
                                "type": "string"
                              }
                            },
                            "required": [
                              "key",
                              "path",
                              "volumeName"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "resourceFieldRef": {
                            "description": "Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.",
                            "properties": {
                              "containerName": {
                                "description": "Container name: required for volumes, optional for env vars",
                                "type": "string"
                              },
                              "divisor": {
                                "anyOf": [
                                  {
                                    "type": "integer"
                                  },
                                  {
                                    "type": "string"
                                  }
                                ],
                                "description": "Specifies the output format of the exposed resources, defaults to \"1\"",
                                "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                                "x-kubernetes-int-or-string": true
                              },
                              "resource": {
                                "description": "Required: resource to select",
                                "type": "string"
                              }
                            },
                            "required": [
                              "resource"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "secretKeyRef": {
                            "description": "Selects a key of a secret in the pod's namespace",
                            "properties": {
                              "key": {
                                "description": "The key of the secret to select from.  Must be a valid secret key.",
                                "type": "string"
                              },
                              "name": {
                                "default": "",
                                "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                "type": "string"
                              },
                              "optional": {
                                "description": "Specify whether the Secret or its key must be defined",
                                "type": "boolean"
                              }
                            },
                            "required": [
                              "key"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "required": [
                  "accessKeyId",
                  "bucket",
                  "region",
                  "secretAccessKey"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "smtp": {
                "description": "SMTP email transport configuration\nWhen present, SMTP is automatically enabled",
                "properties": {
                  "from": {
                    "description": "Sender email address",
                    "type": "string"
                  },
                  "host": {
                    "description": "SMTP server hostname",
                    "type": "string"
                  },
                  "password": {
                    "description": "SMTP authentication password",
                    "properties": {
                      "value": {
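                        "description": "Plain text value. It is kept in clear in the values file and in the resource spec; for the SMTP password prefer valueFrom.secretKeyRef",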
                        "type": "string"
                      },
                      "valueFrom": {
                        "description": "Source for the value (e.g. secretKeyRef, configMapKeyRef)",
                        "properties": {
                          "configMapKeyRef": {
                            "description": "Selects a key of a ConfigMap.",
                            "properties": {
                              "key": {
                                "description": "The key to select.",
                                "type": "string"
                              },
                              "name": {
                                "default": "",
                                "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                "type": "string"
                              },
                              "optional": {
                                "description": "Specify whether the ConfigMap or its key must be defined",
                                "type": "boolean"
                              }
                            },
                            "required": [
                              "key"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "fieldRef": {
                            "description": "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,\nspec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.",
                            "properties": {
                              "apiVersion": {
                                "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".",
                                "type": "string"
                              },
                              "fieldPath": {
                                "description": "Path of the field to select in the specified API version.",
                                "type": "string"
                              }
                            },
                            "required": [
                              "fieldPath"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "fileKeyRef": {
                            "description": "FileKeyRef selects a key of the env file.\nRequires the EnvFiles feature gate to be enabled.",
                            "properties": {
                              "key": {
                                "description": "The key within the env file. An invalid key will prevent the pod from starting.\nThe keys defined within a source may consist of any printable ASCII characters except '='.\nDuring Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.",
                                "type": "string"
                              },
                              "optional": {
                                "default": false,
                                "description": "Specify whether the file or its key must be defined. If the file or key\ndoes not exist, then the env var is not published.\nIf optional is set to true and the specified key does not exist,\nthe environment variable will not be set in the Pod's containers.\n\nIf optional is set to false and the specified key does not exist,\nan error will be returned during Pod creation.",
                                "type": "boolean"
                              },
                              "path": {
                                "description": "The path within the volume from which to select the file.\nMust be relative and may not contain the '..' path or start with '..'.",
                                "type": "string"
                              },
                              "volumeName": {
                                "description": "The name of the volume mount containing the env file.",
                                "type": "string"
                              }
                            },
                            "required": [
                              "key",
                              "path",
                              "volumeName"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "resourceFieldRef": {
                            "description": "Selects a resource of the container: only resources limits and requests\n(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.",
                            "properties": {
                              "containerName": {
                                "description": "Container name: required for volumes, optional for env vars",
                                "type": "string"
                              },
                              "divisor": {
                                "anyOf": [
                                  {
                                    "type": "integer"
                                  },
                                  {
                                    "type": "string"
                                  }
                                ],
                                "description": "Specifies the output format of the exposed resources, defaults to \"1\"",
                                "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$",
                                "x-kubernetes-int-or-string": true
                              },
                              "resource": {
                                "description": "Required: resource to select",
                                "type": "string"
                              }
                            },
                            "required": [
                              "resource"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "secretKeyRef": {
                            "description": "Selects a key of a secret in the pod's namespace",
                            "properties": {
                              "key": {
                                "description": "The key of the secret to select from.  Must be a valid secret key.",
                                "type": "string"
                              },
                              "name": {
                                "default": "",
                                "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                "type": "string"
                              },
                              "optional": {
                                "description": "Specify whether the Secret or its key must be defined",
                                "type": "boolean"
                              }
                            },
                            "required": [
                              "key"
                            ],
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "port": {
                    "description": "SMTP server port",
                    "format": "int32",
                    "type": "integer"
                  },
                  "skipCertVerify": {
                    "default": false,
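                    "description": "Skip TLS certificate verification for the SMTP server (for self-signed certs). When true, the server's identity is not checked, so the connection can be intercepted",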
                    "type": "boolean"
                  },
                  "tls": {
                    "default": "none",
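                    "description": "TLS mode for the SMTP connection. With \"none\" (the default) the connection is not encrypted, so the SMTP user and password are sent in clear text; set \"starttls\" or \"tls\" when authentication is used",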
                    "enum": [
                      "none",
                      "starttls",
                      "tls"
                    ],
                    "type": "string"
                  },
                  "user": {
                    "description": "SMTP authentication username",
                    "type": "string"
                  }
                },
                "required": [
                  "from",
                  "host",
                  "port"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "timezone": {
                "description": "Timezone for the Pocket-ID instance (e.g. \"America/New_York\")\nSets the TZ environment variable",
                "type": "string"
              },
              "tracing": {
                "description": "OpenTelemetry tracing configuration\nWhen present, tracing is automatically enabled\nConfigure exporter-specific OTEL_* variables via the env escape hatch",
                "type": "object"
              },
              "ui": {
                "description": "UI configuration\nThe operator automatically sets UI_CONFIG_DISABLED=true when this section is configured",
                "properties": {
                  "accentColor": {
                    "description": "Custom CSS color value for UI accent theme",
                    "type": "string"
                  },
                  "appName": {
                    "description": "Application display name",
                    "type": "string"
                  },
                  "disableAnimations": {
                    "default": false,
                    "description": "Turn off UI animations",
                    "type": "boolean"
                  },
                  "homePageUrl": {
                    "description": "Post-login redirect page",
                    "type": "string"
                  },
                  "sessionDuration": {
                    "description": "User session timeout in minutes",
                    "format": "int32",
                    "type": "integer"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "userManagement": {
                "description": "User registration and account management settings",
                "properties": {
                  "allowOwnAccountEdit": {
                    "description": "Allow users to edit their own account details",
                    "type": "boolean"
                  },
                  "allowUserSignups": {
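                    "description": "User signup mode: \"disabled\" (no self-signup), \"withToken\" (signup requires a signup token) or \"open\" (anyone can sign up)",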
                    "enum": [
                      "disabled",
                      "withToken",
                      "open"
                    ],
                    "type": "string"
                  },
                  "emailsVerified": {
                    "default": false,
                    "description": "Mark email addresses as verified automatically on signup or change, without the user confirming ownership of the address",
                    "type": "boolean"
                  },
                  "signupDefaultCustomClaims": {
                    "description": "Default custom claims to assign to new users (a JSON array serialized as a string)",
                    "type": "string"
                  },
                  "signupDefaultUserGroupIds": {
                    "description": "Default user group IDs to assign to new users",
                    "items": {
                      "type": "string"
                    },
                    "type": "array"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "versionCheckDisabled": {
                "default": false,
                "description": "Disable GitHub version checks",
                "type": "boolean"
              }
            },
            "required": [
              "encryptionKey"
            ],
            "type": "object",
            "x-kubernetes-validations": [
              {
                "message": "deploymentType is immutable",
                "rule": "self.deploymentType == oldSelf.deploymentType"
              },
              {
                "message": "fileBackend must be 's3' (or unset) when s3 config is present",
                "rule": "!has(self.s3) || !has(self.fileBackend) || self.fileBackend == 's3'"
              },
              {
                "message": "encryptionKey value must be at least 16 characters",
                "rule": "!has(self.encryptionKey.value) || size(self.encryptionKey.value) == 0 || size(self.encryptionKey.value) >= 16"
              }
            ],
            "additionalProperties": false
          }
        }
      }
    },
    "users": {
      "type": "array",
      "description": "List of PocketIDUser custom resources to create",
      "default": [],
      "items": {
        "type": "object",
        "required": [
          "name"
        ],
        "additionalProperties": false,
        "properties": {
          "name": {
            "type": "string",
            "description": "Name of the PocketIDUser resource"
          },
          "labels": {
            "type": "object",
            "description": "Additional labels for the PocketIDUser resource",
            "additionalProperties": {
              "type": "string"
            }
          },
          "annotations": {
            "type": "object",
            "description": "Additional annotations for the PocketIDUser resource",
            "additionalProperties": {
              "type": "string"
            }
          },
          "spec": {
            "description": "spec defines the desired state of PocketIDUser",
            "properties": {
              "admin": {
                "default": false,
                "description": "Whether the user is an admin",
                "type": "boolean"
              },
              "apiKeys": {
                "description": "APIKeys is a list of API keys to create for this user",
                "items": {
                  "description": "APIKeySpec defines the desired state of an API key",
                  "properties": {
                    "description": {
                      "default": "Created by pocket-id-operator",
                      "description": "Description of the API key",
                      "type": "string"
                    },
                    "expiresAt": {
                      "description": "ExpiresAt is the expiration time in RFC3339 format (e.g., \"2030-01-01T00:00:00Z\")\nDefaults to 1 year in the future",
                      "type": "string"
                    },
                    "name": {
                      "description": "Name of the API key (3-50 characters)",
                      "maxLength": 50,
                      "minLength": 3,
                      "type": "string"
                    },
                    "secretRef": {
                      "description": "SecretRef references an existing Secret containing the API key token\nIf set, the operator will use this secret instead of creating a new one",
                      "properties": {
                        "key": {
                          "description": "The key of the secret to select from.  Must be a valid secret key.",
                          "type": "string"
                        },
                        "name": {
                          "default": "",
                          "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                          "type": "string"
                        },
                        "optional": {
                          "description": "Specify whether the Secret or its key must be defined",
                          "type": "boolean"
                        }
                      },
                      "required": [
                        "key"
                      ],
                      "type": "object",
                      "x-kubernetes-map-type": "atomic",
                      "additionalProperties": false
                    }
                  },
                  "required": [
                    "name"
                  ],
                  "type": "object",
                  "additionalProperties": false
                },
                "type": "array"
              },
              "disabled": {
                "default": false,
                "description": "Disabled indicates whether the user account is disabled",
                "type": "boolean"
              },
              "displayName": {
                "description": "DisplayName of the user\nDefaults to \"spec.firstName spec.lastName\"",
                "properties": {
                  "value": {
                    "description": "Plain text value",
                    "type": "string"
                  },
                  "valueFrom": {
                    "description": "Source for the value from a secret",
                    "properties": {
                      "key": {
                        "description": "The key of the secret to select from.  Must be a valid secret key.",
                        "type": "string"
                      },
                      "name": {
                        "default": "",
                        "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                        "type": "string"
                      },
                      "optional": {
                        "description": "Specify whether the Secret or its key must be defined",
                        "type": "boolean"
                      }
                    },
                    "required": [
                      "key"
                    ],
                    "type": "object",
                    "x-kubernetes-map-type": "atomic",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "email": {
                "description": "Email of the user\nCan be a plain value or reference a secret\nRequired unless email is disabled in pocket-id",
                "properties": {
                  "value": {
                    "description": "Plain text value",
                    "type": "string"
                  },
                  "valueFrom": {
                    "description": "Source for the value from a secret",
                    "properties": {
                      "key": {
                        "description": "The key of the secret to select from.  Must be a valid secret key.",
                        "type": "string"
                      },
                      "name": {
                        "default": "",
                        "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                        "type": "string"
                      },
                      "optional": {
                        "description": "Specify whether the Secret or its key must be defined",
                        "type": "boolean"
                      }
                    },
                    "required": [
                      "key"
                    ],
                    "type": "object",
                    "x-kubernetes-map-type": "atomic",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "firstName": {
                "description": "First name of the user\nCan be a plain value or reference a secret\nDefaults to metadata.name of the Resource",
                "properties": {
                  "value": {
                    "description": "Plain text value",
                    "type": "string"
                  },
                  "valueFrom": {
                    "description": "Source for the value from a secret",
                    "properties": {
                      "key": {
                        "description": "The key of the secret to select from.  Must be a valid secret key.",
                        "type": "string"
                      },
                      "name": {
                        "default": "",
                        "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                        "type": "string"
                      },
                      "optional": {
                        "description": "Specify whether the Secret or its key must be defined",
                        "type": "boolean"
                      }
                    },
                    "required": [
                      "key"
                    ],
                    "type": "object",
                    "x-kubernetes-map-type": "atomic",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "instanceSelector": {
                "description": "InstanceSelector selects the PocketIDInstance to reconcile against.\nIf omitted, the controller expects exactly one instance in the cluster.",
                "properties": {
                  "matchExpressions": {
                    "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
                    "items": {
                      "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.",
                      "properties": {
                        "key": {
                          "description": "key is the label key that the selector applies to.",
                          "type": "string"
                        },
                        "operator": {
                          "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.",
                          "type": "string"
                        },
                        "values": {
                          "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.",
                          "items": {
                            "type": "string"
                          },
                          "type": "array",
                          "x-kubernetes-list-type": "atomic"
                        }
                      },
                      "required": [
                        "key",
                        "operator"
                      ],
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "matchLabels": {
                    "additionalProperties": {
                      "type": "string"
                    },
                    "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
                    "type": "object"
                  }
                },
                "type": "object",
                "x-kubernetes-map-type": "atomic",
                "additionalProperties": false
              },
              "lastName": {
                "description": "Last name of the user\nCan be a plain value or reference a secret",
                "properties": {
                  "value": {
                    "description": "Plain text value",
                    "type": "string"
                  },
                  "valueFrom": {
                    "description": "Source for the value from a secret",
                    "properties": {
                      "key": {
                        "description": "The key of the secret to select from.  Must be a valid secret key.",
                        "type": "string"
                      },
                      "name": {
                        "default": "",
                        "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                        "type": "string"
                      },
                      "optional": {
                        "description": "Specify whether the Secret or its key must be defined",
                        "type": "boolean"
                      }
                    },
                    "required": [
                      "key"
                    ],
                    "type": "object",
                    "x-kubernetes-map-type": "atomic",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "locale": {
                "description": "Locale is the user's preferred locale (e.g., \"en\", \"de\", \"fr\")",
                "type": "string"
              },
              "userInfoSecretRef": {
                "description": "UserInfoSecretRef references a single Secret containing sensitive user profile fields.\nValues from the secret have the lowest precedence: a field set directly in spec takes priority, so spec.username overrides the username key in this secret.\nRecognized keys: username, firstName, lastName, email, displayName",
                "properties": {
                  "name": {
                    "default": "",
                    "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                    "type": "string"
                  }
                },
                "type": "object",
                "x-kubernetes-map-type": "atomic",
                "additionalProperties": false
              },
              "username": {
                "description": "Username of the user. Defaults to the metadata.name\nCan be a plain value or reference a secret",
                "properties": {
                  "value": {
                    "description": "Plain text value",
                    "type": "string"
                  },
                  "valueFrom": {
                    "description": "Source for the value from a secret",
                    "properties": {
                      "key": {
                        "description": "The key of the secret to select from.  Must be a valid secret key.",
                        "type": "string"
                      },
                      "name": {
                        "default": "",
                        "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                        "type": "string"
                      },
                      "optional": {
                        "description": "Specify whether the Secret or its key must be defined",
                        "type": "boolean"
                      }
                    },
                    "required": [
                      "key"
                    ],
                    "type": "object",
                    "x-kubernetes-map-type": "atomic",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              }
            },
            "type": "object",
            "additionalProperties": false
          }
        }
      }
    },
    "userGroups": {
      "type": "array",
      "description": "List of PocketIDUserGroup custom resources to create",
      "default": [],
      "items": {
        "type": "object",
        "required": [
          "name"
        ],
        "additionalProperties": false,
        "properties": {
          "name": {
            "type": "string",
            "description": "Name of the PocketIDUserGroup resource"
          },
          "labels": {
            "type": "object",
            "description": "Additional labels for the PocketIDUserGroup resource",
            "additionalProperties": {
              "type": "string"
            }
          },
          "annotations": {
            "type": "object",
            "description": "Additional annotations for the PocketIDUserGroup resource",
            "additionalProperties": {
              "type": "string"
            }
          },
          "spec": {
            "description": "spec defines the desired state of PocketIDUserGroup",
            "properties": {
              "allowedOIDCClients": {
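                "description": "AllowedOIDCClients lists PocketIDOIDCClient CRs that this group grants access to.\nThe final set of allowed clients is the union of this field and any\nOIDCClients that reference this group in their allowedUserGroups.\nBecause the two sources are unioned, removing a client from this list does not revoke access while that client still lists this group in its allowedUserGroups.",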
                "items": {
                  "description": "NamespacedOIDCClientReference references a PocketIDOIDCClient by name and namespace.",
                  "properties": {
                    "name": {
                      "description": "Name is the name of the PocketIDOIDCClient CR",
                      "type": "string"
                    },
                    "namespace": {
                      "description": "Namespace is the namespace of the PocketIDOIDCClient CR\nDefaults to the referencing resource's namespace",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "type": "array"
              },
              "customClaims": {
                "description": "CustomClaims are additional claims to attach to users in this group",
                "items": {
                  "description": "CustomClaim defines a custom claim key/value pair for a user group.",
                  "properties": {
                    "key": {
                      "description": "Key is the claim key",
                      "type": "string"
                    },
                    "value": {
                      "description": "Value is the claim value",
                      "type": "string"
                    }
                  },
                  "required": [
                    "key",
                    "value"
                  ],
                  "type": "object",
                  "additionalProperties": false
                },
                "type": "array"
              },
              "friendlyName": {
                "description": "FriendlyName is the display name for the user group",
                "maxLength": 50,
                "minLength": 2,
                "type": "string"
              },
              "instanceSelector": {
                "description": "InstanceSelector selects the PocketIDInstance to reconcile against.\nIf omitted, the controller expects exactly one instance in the cluster.",
                "properties": {
                  "matchExpressions": {
                    "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
                    "items": {
                      "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.",
                      "properties": {
                        "key": {
                          "description": "key is the label key that the selector applies to.",
                          "type": "string"
                        },
                        "operator": {
                          "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.",
                          "type": "string"
                        },
                        "values": {
                          "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.",
                          "items": {
                            "type": "string"
                          },
                          "type": "array",
                          "x-kubernetes-list-type": "atomic"
                        }
                      },
                      "required": [
                        "key",
                        "operator"
                      ],
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "matchLabels": {
                    "additionalProperties": {
                      "type": "string"
                    },
                    "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
                    "type": "object"
                  }
                },
                "type": "object",
                "x-kubernetes-map-type": "atomic",
                "additionalProperties": false
              },
              "name": {
                "description": "Name of the user group. Defaults to the metadata.name",
                "maxLength": 255,
                "minLength": 2,
                "type": "string"
              },
              "users": {
                "description": "Users defines the users to add to this group",
                "properties": {
                  "userIDs": {
                    "description": "UserIDs are Pocket-ID user IDs to add directly to this group.",
                    "items": {
                      "type": "string"
                    },
                    "type": "array"
                  },
                  "userRefs": {
                    "description": "UserRefs are PocketIDUser custom resources to add to this group",
                    "items": {
                      "description": "NamespacedUserReference references a PocketIDUser by name and namespace.",
                      "properties": {
                        "name": {
                          "description": "Name is the name of the PocketIDUser CR",
                          "type": "string"
                        },
                        "namespace": {
                          "description": "Namespace is the namespace of the PocketIDUser CR\nDefaults to the referencing resource's namespace",
                          "type": "string"
                        }
                      },
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": "array"
                  },
                  "usernames": {
                    "description": "Usernames are Pocket-ID usernames to add to this group.\nThe controller will look up the user ID from Pocket-ID by username.",
                    "items": {
                      "type": "string"
                    },
                    "type": "array"
                  }
                },
                "type": "object",
                "additionalProperties": false
              }
            },
            "type": "object",
            "additionalProperties": false
          }
        }
      }
    },
    "operator": {
      "type": "object",
      "additionalProperties": false,
      "description": "Operator deployment configuration",
      "properties": {
        "replicas": {
          "type": "integer",
          "description": "Number of operator replicas",
          "default": 1,
          "minimum": 1
        },
        "image": {
          "type": "object",
          "additionalProperties": false,
          "properties": {
            "repository": {
              "type": "string",
              "description": "Operator image repository",
              "default": "ghcr.io/aclerici38/pocket-id-operator"
            },
            "tag": {
              "type": "string",
              "description": "Operator image tag (defaults to Chart.appVersion)",
              "default": ""
            },
            "pullPolicy": {
              "type": "string",
              "description": "Image pull policy",
              "enum": [
                "Always",
                "IfNotPresent",
                "Never"
              ],
              "default": "IfNotPresent"
            }
          }
        },
        "args": {
          "type": "array",
          "description": "Additional arguments for the operator container",
          "items": {
            "type": "string"
          },
          "default": []
        },
        "env": {
          "type": "array",
          "description": "Additional environment variables for the operator container",
          "items": {
            "type": "object"
          },
          "default": []
        },
        "podSecurityContext": {
          "type": "object",
          "description": "Pod-level security context for the operator"
        },
        "securityContext": {
          "type": "object",
          "description": "Container-level security context for the operator"
        },
        "resources": {
          "type": "object",
          "description": "Resource requests and limits for the operator container"
        },
        "autoGenerateLogos": {
          "type": "boolean",
          "description": "Auto-generate logo URLs for OIDC clients from templates. Set to false to make it opt-in per client.",
          "default": true
        },
        "defaultLogoUrl": {
          "type": "string",
          "description": "Default URL template for light logos. Use {{name}} as placeholder. Defaults to the dashboard-icons CDN."
        },
        "defaultDarkLogoUrl": {
          "type": "string",
          "description": "Default URL template for dark logos. Use {{name}} as placeholder. Defaults to the dashboard-icons CDN."
        }
      }
    },
    "metrics": {
      "type": "object",
      "additionalProperties": false,
      "description": "Operator metrics configuration",
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "Enable the operator metrics endpoint",
          "default": false
        },
        "port": {
          "type": "integer",
          "description": "Port for the operator metrics endpoint",
          "default": 8080
        },
        "serviceMonitor": {
          "type": "object",
          "additionalProperties": false,
          "description": "ServiceMonitor for the operator metrics",
          "properties": {
            "enabled": {
              "type": "boolean",
              "description": "Create a ServiceMonitor for the operator metrics",
              "default": false
            }
          }
        },
        "prometheusRule": {
          "type": "object",
          "additionalProperties": false,
          "description": "PrometheusRule for operator alerting (created automatically when CRD is available)",
          "properties": {
            "enabled": {
              "type": "boolean",
              "description": "Create a PrometheusRule with default alerting rules",
              "default": true
            },
            "labels": {
              "type": "object",
              "description": "Additional labels for the PrometheusRule resource",
              "additionalProperties": {
                "type": "string"
              }
            },
            "additionalRules": {
              "type": "array",
              "description": "Additional alerting rules appended to the default set",
              "items": {
                "type": "object"
              }
            }
          }
        },
        "dashboard": {
          "type": "object",
          "additionalProperties": false,
          "description": "Grafana dashboard ConfigMap and optional GrafanaDashboard CRD",
          "properties": {
            "enabled": {
              "type": "boolean",
              "description": "Create a ConfigMap containing the Grafana dashboard JSON",
              "default": false
            },
            "labels": {
              "type": "object",
              "description": "Additional labels for the dashboard ConfigMap, used by the Grafana sidecar to discover and import it",
              "additionalProperties": {
                "type": "string"
              },
              "default": {
                "grafana_dashboard": "1"
              }
            },
            "grafanaDashboard": {
              "type": "object",
              "additionalProperties": false,
              "description": "GrafanaDashboard CRD configuration (created automatically when dashboard is enabled and grafana-operator CRD is available)",
              "properties": {
                "enabled": {
                  "type": "boolean",
                  "description": "Create a GrafanaDashboard resource when the CRD is available (set to false to explicitly disable)",
                  "default": true
                },
                "allowCrossNamespaceImport": {
                  "type": "boolean",
                  "description": "Allow Grafana instances in other namespaces to import this dashboard",
                  "default": true
                },
                "instanceSelector": {
                  "type": "object",
                  "additionalProperties": false,
                  "description": "Label selector to target a specific Grafana instance",
                  "properties": {
                    "matchLabels": {
                      "type": "object",
                      "description": "Labels to match against Grafana instances",
                      "additionalProperties": {
                        "type": "string"
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
