andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/confluent/confluent-for-kubernetes/0.1033.3/crds/platform.confluent.io_contr...

6394 lines
390 KiB
YAML
Raw Normal View History

Added chart versions: confluent/confluent-for-kubernetes: - 0.1033.3 jenkins/jenkins: - 5.5.0 kubecost/cost-analyzer: - 2.3.4 new-relic/nri-bundle: - 5.0.88 speedscale/speedscale-operator: - 2.2.231 traefik/traefik: - 30.0.2
2024-07-31 00:42:36 +00:00
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: controlcenters.platform.confluent.io
spec:
group: platform.confluent.io
names:
categories:
- all
- confluent-platform
- confluent
kind: ControlCenter
listKind: ControlCenterList
plural: controlcenters
shortNames:
- controlcenter
- c3
singular: controlcenter
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.replicas
name: Replicas
type: string
- jsonPath: .status.readyReplicas
name: Ready
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .status.kafka.bootstrapEndpoint
name: Kafka
priority: 1
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ControlCenter is the schema for the Control Center API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: spec defines the desired state of the Control Center cluster.
properties:
authentication:
description: authentication specifies the authentication configurations.
properties:
basic:
description: basic specifies the configuration for basic authentication.
properties:
debug:
description: debug enables the basic authentication debug
logs for JaaS configuration.
type: boolean
directoryPathInContainer:
description: |-
directoryPathInContainer allows to pass the basic credential through a directory path in the container.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication
minLength: 1
type: string
restrictedRoles:
description: |-
restrictedRoles specify the restricted roles on the server side only.
Changes will be only reflected in Control Center.
This configuration is ignored on the client side configuration.
items:
type: string
minItems: 1
type: array
roles:
description: |-
roles specify the roles on the server side only.
This configuration is ignored on the client side configuration.
items:
type: string
type: array
secretRef:
description: |-
secretRef defines secret reference to pass the required credentials.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
ldap:
description: ldap specifies the configuration for Control Center
LDAP authentication.
properties:
debug:
description: debug enables basic authentication debug logs
for JaaS configuration.
type: boolean
property:
additionalProperties:
type: string
description: |-
property is a map of string key and value pairs that specifies the LDAP configuration.
Use a secret object to pass username/password.
type: object
x-kubernetes-map-type: granular
restrictedRoles:
description: restrictedRoles specify the restricted access
roles.
items:
type: string
minItems: 1
type: array
roles:
description: roles specify the roles on the server side only.
items:
type: string
minItems: 1
type: array
secretRef:
description: |-
secretRef references the secret to pass required credentials.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#ldap-authentication-for-c3
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
type:
description: type specifies the authentication type of the Control
Center. Valid options are `basic`, `ldap`, and `mtls`.
enum:
- basic
- ldap
- mtls
type: string
required:
- type
type: object
authorization:
description: authorization specifies the authorization configurations.
properties:
kafkaRestClassRef:
description: |-
kafkaRestClassRef references the KafkaRestClass
which specifies the Kafka REST API connection configuration.
properties:
name:
description: name specifies the name of the KafkaRestClass
application resource.
minLength: 1
type: string
namespace:
description: namespace specifies the namespace of the KafkaRestClass.
type: string
required:
- name
type: object
type:
description: type specifies the client-side authorization type.
The valid option is `rbac`.
enum:
- rbac
type: string
required:
- type
type: object
configOverrides:
description: configOverrides specifies the configs to override the
server, JVM, Log4j properties for the Control Center.
properties:
jvm:
description: |-
jvm is a list of JVM configuration supported by the Confluent Platform component.
This will either add or update the existing configuration.
items:
type: string
type: array
log4j:
description: |-
log4j is a list of Log4J configuration supported by the Confluent Platform component.
This will either add or update the existing configuration.
items:
type: string
type: array
server:
description: |-
server is a list of server configuration supported by the Confluent Platform component.
This will either add or update existing configuration.
items:
type: string
type: array
type: object
dataVolumeCapacity:
anyOf:
- type: integer
- type: string
description: dataVolumeCapacity specifies the data size for the persistent
volume.
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
dependencies:
description: dependencies specify the dependencies configurations.
properties:
connect:
description: connect defines the Connect worker dependency configurations.
items:
description: ControlCenterConnectDependency defines the Connect
dependency settings.
properties:
authentication:
description: authentication specifies the authentication
configuration for the Connect cluster.
properties:
basic:
description: basic specifies the configuration for basic
authentication.
properties:
debug:
description: debug enables the basic authentication
debug logs for JaaS configuration.
type: boolean
directoryPathInContainer:
description: |-
directoryPathInContainer allows to pass the basic credential through a directory path in the container.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication
minLength: 1
type: string
restrictedRoles:
description: |-
restrictedRoles specify the restricted roles on the server side only.
Changes will be only reflected in Control Center.
This configuration is ignored on the client side configuration.
items:
type: string
minItems: 1
type: array
roles:
description: |-
roles specify the roles on the server side only.
This configuration is ignored on the client side configuration.
items:
type: string
type: array
secretRef:
description: |-
secretRef defines secret reference to pass the required credentials.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
oauth:
description: OAuth specifies the configuration for OAuth
authentication.
properties:
configuration:
description: configuration specifies the OAuth server
settings.
properties:
audience:
description: audience specifies the audience
claim in the JWT payload.
minLength: 1
type: string
expectedIssuer:
description: expectedIssuer specifies the expected
issuer in the JWT payload.
minLength: 1
type: string
groupsClaimName:
description: groupsClaimName specifies the name
of claim in token for identifying the groups
of subject in the JWT payload.
minLength: 1
type: string
jwksEndpointUri:
description: |-
jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS).
It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server.
minLength: 1
type: string
loginConnectTimeoutMs:
description: LoginConnectTimeoutMs sets connect
timeout with IDP in ms
format: int32
type: integer
loginReadTimeoutMs:
description: LoginReadTimeoutMs sets read timeout
with IDP in ms
format: int32
type: integer
loginRetryBackoffMaxMs:
description: LoginRetryBackoffMaxMs sets max
retry backoff with IDP in ms
format: int32
type: integer
loginRetryBackoffMs:
description: LoginRetryBackoffMs sets retry
backoff with IDP in ms
format: int32
type: integer
scope:
description: |-
scope is optional and required only when your identity provider doesn't have
a default scope or your groups claim is linked to a scope.
minLength: 1
type: string
subClaimName:
description: subClaimName specifies name of
claim in JWT to use for the subject.
minLength: 1
type: string
tokenEndpointUri:
description: |-
tokenBaseEndpointUri specifies the base uri for token endpoint.
This is required for OAuth for inter broker communication along with
clientId & clientSecret in JassConfig or JassConfigPassthrough
minLength: 1
type: string
type: object
directoryPathInContainer:
description: directoryPathInContainer allows to
pass the basic credential through a directory
path in the container.
minLength: 1
type: string
secretRef:
description: secretRef defines secret reference
to pass the required credentials.
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- configuration
type: object
type:
description: type specifies the authentication scheme
for the REST API client. Valid options are `basic`
and `mtls`.
enum:
- basic
- mtls
- oauth
type: string
required:
- type
type: object
name:
description: name specifies the Connect cluster name.
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
tls:
description: tls specifies the client-side TLS setting for
the Connect cluster.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container where
`keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted.
`truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`.
minLength: 1
type: string
enabled:
description: enabled specifies to enable the TLS configuration
for the Confluent component.
type: boolean
ignoreTrustStoreConfig:
description: |-
ignoreTrustStoreConfig indicates whether to ignore the truststore configuration
for the Confluent component.
type: boolean
jksPassword:
description: jksPassword references the secret containing
the JKS password.
properties:
secretRef:
description: |-
secretRef references the name of the secret containing the JKS password.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- secretRef
type: object
secretRef:
description: |-
secretRef references the secret containing the certificates.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- enabled
type: object
url:
description: url specifies the URL endpoint of the Connect
cluster.
minLength: 1
pattern: ^https?://.*
type: string
required:
- name
- url
type: object
type: array
kafka:
description: kafka defines the Kafka dependency configurations.
properties:
authentication:
description: authentication defines the authentication for
the Kafka cluster.
properties:
jaasConfig:
description: jaasConfig specifies the Kafka client-side
JaaS configuration.
properties:
secretRef:
description: |-
secretRef references the secret containing the required credentials.
More info: https://docs.confluent.io/operator/current/co-authenticate.html
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- secretRef
type: object
jaasConfigPassThrough:
description: jaasConfigPassThrough specifies another way
to provide the Kafka client-side JaaS configuration.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container where required credentials are mounted.
More info: https://docs.confluent.io/operator/current/co-authenticate.html
minLength: 1
type: string
secretRef:
description: |-
secretRef references the secret containing the required credentials for authentication.
More info: https://docs.confluent.io/operator/current/co-authenticate.html
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
oauthSettings:
description: |-
oauthSettings specifies the OAuth settings.
This needs to passed with the authentication type `oauth`.
properties:
audience:
description: audience specifies the audience claim
in the JWT payload.
minLength: 1
type: string
expectedIssuer:
description: expectedIssuer specifies the expected
issuer in the JWT payload.
minLength: 1
type: string
groupsClaimName:
description: groupsClaimName specifies the name of
claim in token for identifying the groups of subject
in the JWT payload.
minLength: 1
type: string
jwksEndpointUri:
description: |-
jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS).
It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server.
minLength: 1
type: string
loginConnectTimeoutMs:
description: LoginConnectTimeoutMs sets connect timeout
with IDP in ms
format: int32
type: integer
loginReadTimeoutMs:
description: LoginReadTimeoutMs sets read timeout
with IDP in ms
format: int32
type: integer
loginRetryBackoffMaxMs:
description: LoginRetryBackoffMaxMs sets max retry
backoff with IDP in ms
format: int32
type: integer
loginRetryBackoffMs:
description: LoginRetryBackoffMs sets retry backoff
with IDP in ms
format: int32
type: integer
scope:
description: |-
scope is optional and required only when your identity provider doesn't have
a default scope or your groups claim is linked to a scope.
minLength: 1
type: string
subClaimName:
description: subClaimName specifies name of claim
in JWT to use for the subject.
minLength: 1
type: string
tokenEndpointUri:
description: |-
tokenBaseEndpointUri specifies the base uri for token endpoint.
This is required for OAuth for inter broker communication along with
clientId & clientSecret in JassConfig or JassConfigPassthrough
minLength: 1
type: string
type: object
oauthbearer:
description: |-
oauthbearer is the authentication mechanism to provider principals.
Only supported in RBAC deployment.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container
where the credential is mounted.
minLength: 1
type: string
secretRef:
description: |-
secretRef specifies the name of the secret that contains the credential.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
type:
description: |-
type specifies the Kafka client authentication type.
Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`.
enum:
- plain
- oauthbearer
- digest
- mtls
- oauth
type: string
required:
- type
type: object
bootstrapEndpoint:
description: bootstrapEndpoint specifies the Kafka bootstrap
endpoint.
minLength: 1
pattern: .+:[0-9]+
type: string
discovery:
description: discovery specifies the capability to discover
the Kafka cluster.
properties:
name:
description: name is the name of the Confluent Platform
component cluster.
type: string
namespace:
description: |-
namespace is where the Confluent Platform component is running.
The default value is the namespace where CFK is running.
type: string
secretRef:
description: secretRef is the name of the secret used
to discover the Confluent Platform component.
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
tls:
description: tls defines the client-side TLS setting for the
Kafka cluster.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container where
`keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted.
`truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`.
minLength: 1
type: string
enabled:
description: enabled specifies to enable the TLS configuration
for the Confluent component.
type: boolean
ignoreTrustStoreConfig:
description: |-
ignoreTrustStoreConfig indicates whether to ignore the truststore configuration
for the Confluent component.
type: boolean
jksPassword:
description: jksPassword references the secret containing
the JKS password.
properties:
secretRef:
description: |-
secretRef references the name of the secret containing the JKS password.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- secretRef
type: object
secretRef:
description: |-
secretRef references the secret containing the certificates.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- enabled
type: object
type: object
ksqldb:
description: ksqldb defines the ksqlDB dependency configurations.
items:
description: ControlCenterKSQLDependency defines the ksqlDB
dependency settings.
properties:
advertisedUrl:
description: advertisedUrl specifies the advertised URL
to use in the browser.
minLength: 1
pattern: ^https?://.*
type: string
authentication:
description: authentication specifies the authentication
for the ksqlDB cluster.
properties:
basic:
description: basic specifies the configuration for basic
authentication.
properties:
debug:
description: debug enables the basic authentication
debug logs for JaaS configuration.
type: boolean
directoryPathInContainer:
description: |-
directoryPathInContainer allows to pass the basic credential through a directory path in the container.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication
minLength: 1
type: string
restrictedRoles:
description: |-
restrictedRoles specify the restricted roles on the server side only.
Changes will be only reflected in Control Center.
This configuration is ignored on the client side configuration.
items:
type: string
minItems: 1
type: array
roles:
description: |-
roles specify the roles on the server side only.
This configuration is ignored on the client side configuration.
items:
type: string
type: array
secretRef:
description: |-
secretRef defines secret reference to pass the required credentials.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
oauth:
description: OAuth specifies the configuration for OAuth
authentication.
properties:
configuration:
description: configuration specifies the OAuth server
settings.
properties:
audience:
description: audience specifies the audience
claim in the JWT payload.
minLength: 1
type: string
expectedIssuer:
description: expectedIssuer specifies the expected
issuer in the JWT payload.
minLength: 1
type: string
groupsClaimName:
description: groupsClaimName specifies the name
of claim in token for identifying the groups
of subject in the JWT payload.
minLength: 1
type: string
jwksEndpointUri:
description: |-
jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS).
It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server.
minLength: 1
type: string
loginConnectTimeoutMs:
description: LoginConnectTimeoutMs sets connect
timeout with IDP in ms
format: int32
type: integer
loginReadTimeoutMs:
description: LoginReadTimeoutMs sets read timeout
with IDP in ms
format: int32
type: integer
loginRetryBackoffMaxMs:
description: LoginRetryBackoffMaxMs sets max
retry backoff with IDP in ms
format: int32
type: integer
loginRetryBackoffMs:
description: LoginRetryBackoffMs sets retry
backoff with IDP in ms
format: int32
type: integer
scope:
description: |-
scope is optional and required only when your identity provider doesn't have
a default scope or your groups claim is linked to a scope.
minLength: 1
type: string
subClaimName:
description: subClaimName specifies name of
claim in JWT to use for the subject.
minLength: 1
type: string
tokenEndpointUri:
description: |-
tokenBaseEndpointUri specifies the base uri for token endpoint.
This is required for OAuth for inter broker communication along with
clientId & clientSecret in JassConfig or JassConfigPassthrough
minLength: 1
type: string
type: object
directoryPathInContainer:
description: directoryPathInContainer allows to
pass the basic credential through a directory
path in the container.
minLength: 1
type: string
secretRef:
description: secretRef defines secret reference
to pass the required credentials.
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- configuration
type: object
type:
description: type specifies the authentication scheme
for the REST API client. Valid options are `basic`
and `mtls`.
enum:
- basic
- mtls
- oauth
type: string
required:
- type
type: object
name:
description: name specifies the ksqlDB cluster name.
minLength: 1
type: string
tls:
description: tls specifies the client-side TLS setting for
the ksqlDB cluster.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container where
`keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted.
`truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`.
minLength: 1
type: string
enabled:
description: enabled specifies to enable the TLS configuration
for the Confluent component.
type: boolean
ignoreTrustStoreConfig:
description: |-
ignoreTrustStoreConfig indicates whether to ignore the truststore configuration
for the Confluent component.
type: boolean
jksPassword:
description: jksPassword references the secret containing
the JKS password.
properties:
secretRef:
description: |-
secretRef references the name of the secret containing the JKS password.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- secretRef
type: object
secretRef:
description: |-
secretRef references the secret containing the certificates.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- enabled
type: object
url:
description: url specifies the URL endpoint of the ksqlDB
cluster.
minLength: 1
pattern: ^https?://.*
type: string
required:
- name
- url
type: object
type: array
mds:
description: mds defines the RBAC dependency configurations.
properties:
authentication:
description: authentication specifies the client side authentication
configuration for the MDS.
properties:
bearer:
description: bearer specifies the bearer authentication
settings.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container
where the credential is mounted.
minLength: 1
type: string
secretRef:
description: |-
secretRef specifies the name of the secret that contains the credential.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
oauth:
description: oauth specifies the OAuth authentication
settings.
properties:
configuration:
description: configuration specifies the OAuth server
settings.
properties:
audience:
description: audience specifies the audience claim
in the JWT payload.
minLength: 1
type: string
expectedIssuer:
description: expectedIssuer specifies the expected
issuer in the JWT payload.
minLength: 1
type: string
groupsClaimName:
description: groupsClaimName specifies the name
of claim in token for identifying the groups
of subject in the JWT payload.
minLength: 1
type: string
jwksEndpointUri:
description: |-
jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS).
It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server.
minLength: 1
type: string
loginConnectTimeoutMs:
description: LoginConnectTimeoutMs sets connect
timeout with IDP in ms
format: int32
type: integer
loginReadTimeoutMs:
description: LoginReadTimeoutMs sets read timeout
with IDP in ms
format: int32
type: integer
loginRetryBackoffMaxMs:
description: LoginRetryBackoffMaxMs sets max retry
backoff with IDP in ms
format: int32
type: integer
loginRetryBackoffMs:
description: LoginRetryBackoffMs sets retry backoff
with IDP in ms
format: int32
type: integer
scope:
description: |-
scope is optional and required only when your identity provider doesn't have
a default scope or your groups claim is linked to a scope.
minLength: 1
type: string
subClaimName:
description: subClaimName specifies name of claim
in JWT to use for the subject.
minLength: 1
type: string
tokenEndpointUri:
description: |-
tokenBaseEndpointUri specifies the base uri for token endpoint.
This is required for OAuth for inter broker communication along with
clientId & clientSecret in JassConfig or JassConfigPassthrough
minLength: 1
type: string
type: object
directoryPathInContainer:
description: directoryPathInContainer allows to pass
the basic credential through a directory path in
the container.
minLength: 1
type: string
secretRef:
description: secretRef defines secret reference to
pass the required credentials.
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- configuration
type: object
type:
description: type specifies the authentication method
for the MDS. The valid option is `bearer`, `oauth`.
enum:
- bearer
- oauth
type: string
required:
- type
type: object
endpoint:
description: endpoint specifies the MDS endpoint.
minLength: 1
pattern: ^https?://.*
type: string
ssoProtocol:
description: sso protocol, valid options are ldap and oidc.
enum:
- ldap
- oidc
type: string
tls:
description: ClientTLSConfig specifies the TLS configuration
for the Confluent component (dependencies, listeners).
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container where
`keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted.
`truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`.
minLength: 1
type: string
enabled:
description: enabled specifies to enable the TLS configuration
for the Confluent component.
type: boolean
ignoreTrustStoreConfig:
description: |-
ignoreTrustStoreConfig indicates whether to ignore the truststore configuration
for the Confluent component.
type: boolean
jksPassword:
description: jksPassword references the secret containing
the JKS password.
properties:
secretRef:
description: |-
secretRef references the name of the secret containing the JKS password.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- secretRef
type: object
secretRef:
description: |-
secretRef references the secret containing the certificates.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- enabled
type: object
tokenKeyPair:
description: tokenKeyPair specifies the token keypair to configure
the MDS.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer defines the directory path in the container
where the MDS token key pair are mounted.
minLength: 1
type: string
encryptedTokenKey:
description: |-
EncryptedTokenKey boolean value indicating whether the tokenKeypair(private used for signing) is encrypted using a passphrase. If true, cfk
operator will look for a file named mdsTokenKeyPassphrase.txt containing key value pair
mdsTokenKeyPassphrase=<passphrase>. Relevant only for mds server. Ignored if set for a client configuration.
type: boolean
secretRef:
description: secretRef references the name of the secret
that contains the MDS token key pair.
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
required:
- authentication
- endpoint
- tokenKeyPair
type: object
schemaRegistry:
description: schemaRegistry defines the Schema Registry dependency
configurations.
properties:
authentication:
description: authentication specifies the authentication for
the Schema Registry cluster.
properties:
basic:
description: basic specifies the configuration for basic
authentication.
properties:
debug:
description: debug enables the basic authentication
debug logs for JaaS configuration.
type: boolean
directoryPathInContainer:
description: |-
directoryPathInContainer allows to pass the basic credential through a directory path in the container.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication
minLength: 1
type: string
restrictedRoles:
description: |-
restrictedRoles specify the restricted roles on the server side only.
Changes will be only reflected in Control Center.
This configuration is ignored on the client side configuration.
items:
type: string
minItems: 1
type: array
roles:
description: |-
roles specify the roles on the server side only.
This configuration is ignored on the client side configuration.
items:
type: string
type: array
secretRef:
description: |-
secretRef defines secret reference to pass the required credentials.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
oauth:
description: OAuth specifies the configuration for OAuth
authentication.
properties:
configuration:
description: configuration specifies the OAuth server
settings.
properties:
audience:
description: audience specifies the audience claim
in the JWT payload.
minLength: 1
type: string
expectedIssuer:
description: expectedIssuer specifies the expected
issuer in the JWT payload.
minLength: 1
type: string
groupsClaimName:
description: groupsClaimName specifies the name
of claim in token for identifying the groups
of subject in the JWT payload.
minLength: 1
type: string
jwksEndpointUri:
description: |-
jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS).
It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server.
minLength: 1
type: string
loginConnectTimeoutMs:
description: LoginConnectTimeoutMs sets connect
timeout with IDP in ms
format: int32
type: integer
loginReadTimeoutMs:
description: LoginReadTimeoutMs sets read timeout
with IDP in ms
format: int32
type: integer
loginRetryBackoffMaxMs:
description: LoginRetryBackoffMaxMs sets max retry
backoff with IDP in ms
format: int32
type: integer
loginRetryBackoffMs:
description: LoginRetryBackoffMs sets retry backoff
with IDP in ms
format: int32
type: integer
scope:
description: |-
scope is optional and required only when your identity provider doesn't have
a default scope or your groups claim is linked to a scope.
minLength: 1
type: string
subClaimName:
description: subClaimName specifies name of claim
in JWT to use for the subject.
minLength: 1
type: string
tokenEndpointUri:
description: |-
tokenBaseEndpointUri specifies the base uri for token endpoint.
This is required for OAuth for inter broker communication along with
clientId & clientSecret in JassConfig or JassConfigPassthrough
minLength: 1
type: string
type: object
directoryPathInContainer:
description: directoryPathInContainer allows to pass
the basic credential through a directory path in
the container.
minLength: 1
type: string
secretRef:
description: secretRef defines secret reference to
pass the required credentials.
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- configuration
type: object
type:
description: type specifies the authentication scheme
for the REST API client. Valid options are `basic` and
`mtls`.
enum:
- basic
- mtls
- oauth
type: string
required:
- type
type: object
clusters:
items:
description: ControlCenterMultiSchemaRegistryDependency
defines the Schema Registry dependency List.
properties:
authentication:
description: authentication specifies the authentication
for the Schema Registry cluster.
properties:
basic:
description: basic specifies the configuration for
basic authentication.
properties:
debug:
description: debug enables the basic authentication
debug logs for JaaS configuration.
type: boolean
directoryPathInContainer:
description: |-
directoryPathInContainer allows to pass the basic credential through a directory path in the container.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication
minLength: 1
type: string
restrictedRoles:
description: |-
restrictedRoles specify the restricted roles on the server side only.
Changes will be only reflected in Control Center.
This configuration is ignored on the client side configuration.
items:
type: string
minItems: 1
type: array
roles:
description: |-
roles specify the roles on the server side only.
This configuration is ignored on the client side configuration.
items:
type: string
type: array
secretRef:
description: |-
secretRef defines secret reference to pass the required credentials.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
oauth:
description: OAuth specifies the configuration for
OAuth authentication.
properties:
configuration:
description: configuration specifies the OAuth
server settings.
properties:
audience:
description: audience specifies the audience
claim in the JWT payload.
minLength: 1
type: string
expectedIssuer:
description: expectedIssuer specifies the
expected issuer in the JWT payload.
minLength: 1
type: string
groupsClaimName:
description: groupsClaimName specifies the
name of claim in token for identifying
the groups of subject in the JWT payload.
minLength: 1
type: string
jwksEndpointUri:
description: |-
jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS).
It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server.
minLength: 1
type: string
loginConnectTimeoutMs:
description: LoginConnectTimeoutMs sets
connect timeout with IDP in ms
format: int32
type: integer
loginReadTimeoutMs:
description: LoginReadTimeoutMs sets read
timeout with IDP in ms
format: int32
type: integer
loginRetryBackoffMaxMs:
description: LoginRetryBackoffMaxMs sets
max retry backoff with IDP in ms
format: int32
type: integer
loginRetryBackoffMs:
description: LoginRetryBackoffMs sets retry
backoff with IDP in ms
format: int32
type: integer
scope:
description: |-
scope is optional and required only when your identity provider doesn't have
a default scope or your groups claim is linked to a scope.
minLength: 1
type: string
subClaimName:
description: subClaimName specifies name
of claim in JWT to use for the subject.
minLength: 1
type: string
tokenEndpointUri:
description: |-
tokenBaseEndpointUri specifies the base uri for token endpoint.
This is required for OAuth for inter broker communication along with
clientId & clientSecret in JassConfig or JassConfigPassthrough
minLength: 1
type: string
type: object
directoryPathInContainer:
description: directoryPathInContainer allows
to pass the basic credential through a directory
path in the container.
minLength: 1
type: string
secretRef:
description: secretRef defines secret reference
to pass the required credentials.
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- configuration
type: object
type:
description: type specifies the authentication scheme
for the REST API client. Valid options are `basic`
and `mtls`.
enum:
- basic
- mtls
- oauth
type: string
required:
- type
type: object
name:
description: name defines the Schema Registry cluster
name.
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
tls:
description: tls defines the client-side TLS setting
for the Schema Registry cluster.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container where
`keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted.
`truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`.
minLength: 1
type: string
enabled:
description: enabled specifies to enable the TLS
configuration for the Confluent component.
type: boolean
ignoreTrustStoreConfig:
description: |-
ignoreTrustStoreConfig indicates whether to ignore the truststore configuration
for the Confluent component.
type: boolean
jksPassword:
description: jksPassword references the secret containing
the JKS password.
properties:
secretRef:
description: |-
secretRef references the name of the secret containing the JKS password.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- secretRef
type: object
secretRef:
description: |-
secretRef references the secret containing the certificates.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- enabled
type: object
url:
description: url specifies the URL endpoint of the Schema
Registry cluster.
minLength: 1
pattern: ^https?://.*
type: string
required:
- name
- url
type: object
type: array
tls:
description: tls defines the client-side TLS setting for the
Schema Registry cluster.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container where
`keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted.
`truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`.
minLength: 1
type: string
enabled:
description: enabled specifies to enable the TLS configuration
for the Confluent component.
type: boolean
ignoreTrustStoreConfig:
description: |-
ignoreTrustStoreConfig indicates whether to ignore the truststore configuration
for the Confluent component.
type: boolean
jksPassword:
description: jksPassword references the secret containing
the JKS password.
properties:
secretRef:
description: |-
secretRef references the name of the secret containing the JKS password.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- secretRef
type: object
secretRef:
description: |-
secretRef references the secret containing the certificates.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- enabled
type: object
url:
description: url specifies the URL endpoint of the Schema
Registry cluster.
minLength: 1
pattern: ^https?://.*
type: string
required:
- url
type: object
type: object
externalAccess:
description: externalAccess specifies the external access configuration
for the Control Center cluster.
properties:
loadBalancer:
description: loadBalancer specifies the configuration to create
a Kubernetes load balancer service.
properties:
advertisedURL:
description: |-
advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently.
If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be
set to: `<httpSchema>://<advertisedUrl.prefix><podId>.<domain>` where podId starts from `0` to `replicaCount -1`.
This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and
the external DNS must be resolved inside the Kubernetes cluster.
This configuration will not take effect if MDS enabled dual listener setup.
properties:
enabled:
description: |-
enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker.
Has no effect with Zookeeper, which will always create a listener per pod.
type: boolean
prefix:
description: |-
prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint.
If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`.
It uses 'zookeeper' as default prefix for Zookeeper in the same way.
minLength: 1
type: string
required:
- enabled
type: object
annotations:
additionalProperties:
type: string
description: annotations is a map of string key and value
pairs. It specifies Kubernetes annotations for this service.
type: object
x-kubernetes-map-type: granular
domain:
description: domain is the domain name of the component cluster.
minLength: 1
type: string
externalTrafficPolicy:
description: externalTrafficPolicy specifies the external
traffic policy for the service. Valid options are `Local`
and `Cluster`.
enum:
- Local
- Cluster
type: string
labels:
additionalProperties:
type: string
description: labels is a map of string key and value pairs.
It specifies Kubernetes labels for this service.
type: object
x-kubernetes-map-type: granular
loadBalancerSourceRanges:
description: loadBalancerSourceRanges specify the source ranges.
items:
type: string
type: array
port:
description: |-
port specifies the external port for the client consumption.
If not configured, the same internal/external port is configured for the component.
Information about the port can be retrieved through the status API.
format: int32
type: integer
prefix:
description: |-
prefix specify the prefix for the given domain.
The default value is the name of the cluster.
minLength: 1
type: string
servicePorts:
description: servicePorts specify the user-provided service
port(s).
items:
description: ServicePort contains information on service's
port.
properties:
appProtocol:
description: |-
The application protocol for this port.
This is used as a hint for implementations to offer richer behavior for protocols that they understand.
This field follows standard Kubernetes label syntax.
Valid values are either:
* Un-prefixed protocol names - reserved for IANA standard service names (as per
RFC-6335 and https://www.iana.org/assignments/service-names).
* Kubernetes-defined prefixed names:
* 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-
* 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455
* 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455
* Other protocols should use implementation-defined prefixed names such as
mycompany.com/my-custom-protocol.
type: string
name:
description: |-
The name of this port within the service. This must be a DNS_LABEL.
All ports within a ServiceSpec must have unique names. When considering
the endpoints for a Service, this must match the 'name' field in the
EndpointPort.
Optional if only one ServicePort is defined on this service.
type: string
nodePort:
description: |-
The port on each node on which this service is exposed when type is
NodePort or LoadBalancer. Usually assigned by the system. If a value is
specified, in-range, and not in use it will be used, otherwise the
operation will fail. If not specified, a port will be allocated if this
Service requires one. If this field is specified when creating a
Service which does not need it, creation will fail. This field will be
wiped when updating a Service to no longer need it (e.g. changing type
from NodePort to ClusterIP).
More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
format: int32
type: integer
port:
description: The port that will be exposed by this service.
format: int32
type: integer
protocol:
default: TCP
description: |-
The IP protocol for this port. Supports "TCP", "UDP", and "SCTP".
Default is TCP.
type: string
targetPort:
anyOf:
- type: integer
- type: string
description: |-
Number or name of the port to access on the pods targeted by the service.
Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
If this is a string, it will be looked up as a named port in the
target Pod's container ports. If this is not specified, the value
of the 'port' field is used (an identity map).
This field is ignored for services with clusterIP=None, and should be
omitted or set equal to the 'port' field.
More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
x-kubernetes-int-or-string: true
required:
- port
type: object
type: array
sessionAffinity:
description: |-
sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity.
The default value is `None`.
More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity.
enum:
- ClientIP
- None
type: string
sessionAffinityConfig:
description: SessionAffinityConfig contains the configurations
of the session affinity.
properties:
clientIP:
description: clientIP contains the configurations of Client
IP based session affinity.
properties:
timeoutSeconds:
description: |-
timeoutSeconds specifies the seconds of ClientIP type session sticky time.
The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP".
Default value is 10800(for 3 hours).
format: int32
type: integer
type: object
type: object
required:
- domain
type: object
nodePort:
description: nodePort specifies the configuration to create a
Kubernetes node port service.
properties:
advertisedURL:
description: |-
advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently.
If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be
set to `<httpSchema>://<host>:<nodePortOffset + podId + 1>, where`podId` starts from `0` to `replicaCount - 1`.
This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and
the external DNS must be resolved inside the Kubernetes cluster.
properties:
enabled:
description: |-
enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker.
Has no effect with Zookeeper, which will always create a listener per pod.
type: boolean
prefix:
description: |-
prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint.
If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`.
It uses 'zookeeper' as default prefix for Zookeeper in the same way.
minLength: 1
type: string
required:
- enabled
type: object
annotations:
additionalProperties:
type: string
description: annotations is a map of string key and value
pairs. It specifies Kubernetes annotations for this service.
type: object
x-kubernetes-map-type: granular
externalTrafficPolicy:
description: |-
externalTrafficPolicy specifies the external traffic policy for the service.
Valid options are `Local` and `Cluster`.
enum:
- Local
- Cluster
type: string
host:
description: host defines the host name of the cluster.
minLength: 1
type: string
labels:
additionalProperties:
type: string
description: labels is a map of string key and value pairs.
It specifies Kubernetes labels for this service.
type: object
x-kubernetes-map-type: granular
nodePortOffset:
description: |-
nodePortOffset specifies the starting offset of the node ports. The port numbers go in ascending order with respect
to the replicas count.
NodePort service creation fails if the node port is not in the range supported by the Kubernetes API server.
The default Kubernetes Node Port range is `30000` - `32762`.
format: int32
minimum: 0
type: integer
servicePorts:
description: |-
servicePorts specify user-provided service port(s).
For Kafka with the nodePort type, this setting is only applied to Kafka bootstrap service.
items:
description: ServicePort contains information on service's
port.
properties:
appProtocol:
description: |-
The application protocol for this port.
This is used as a hint for implementations to offer richer behavior for protocols that they understand.
This field follows standard Kubernetes label syntax.
Valid values are either:
* Un-prefixed protocol names - reserved for IANA standard service names (as per
RFC-6335 and https://www.iana.org/assignments/service-names).
* Kubernetes-defined prefixed names:
* 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-
* 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455
* 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455
* Other protocols should use implementation-defined prefixed names such as
mycompany.com/my-custom-protocol.
type: string
name:
description: |-
The name of this port within the service. This must be a DNS_LABEL.
All ports within a ServiceSpec must have unique names. When considering
the endpoints for a Service, this must match the 'name' field in the
EndpointPort.
Optional if only one ServicePort is defined on this service.
type: string
nodePort:
description: |-
The port on each node on which this service is exposed when type is
NodePort or LoadBalancer. Usually assigned by the system. If a value is
specified, in-range, and not in use it will be used, otherwise the
operation will fail. If not specified, a port will be allocated if this
Service requires one. If this field is specified when creating a
Service which does not need it, creation will fail. This field will be
wiped when updating a Service to no longer need it (e.g. changing type
from NodePort to ClusterIP).
More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
format: int32
type: integer
port:
description: The port that will be exposed by this service.
format: int32
type: integer
protocol:
default: TCP
description: |-
The IP protocol for this port. Supports "TCP", "UDP", and "SCTP".
Default is TCP.
type: string
targetPort:
anyOf:
- type: integer
- type: string
description: |-
Number or name of the port to access on the pods targeted by the service.
Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
If this is a string, it will be looked up as a named port in the
target Pod's container ports. If this is not specified, the value
of the 'port' field is used (an identity map).
This field is ignored for services with clusterIP=None, and should be
omitted or set equal to the 'port' field.
More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
x-kubernetes-int-or-string: true
required:
- port
type: object
type: array
sessionAffinity:
description: |-
sessionAffinity defines the Kubernetes session affinity. The valid options are `ClientIP` and `None`. `ClientIP` enables the client IP-based session affinity.
The default value is `None`.
More info: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity.
enum:
- ClientIP
- None
type: string
sessionAffinityConfig:
description: SessionAffinityConfig contains the configurations
of the session affinity.
properties:
clientIP:
description: clientIP contains the configurations of Client
IP based session affinity.
properties:
timeoutSeconds:
description: |-
timeoutSeconds specifies the seconds of ClientIP type session sticky time.
The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP".
Default value is 10800(for 3 hours).
format: int32
type: integer
type: object
type: object
required:
- host
- nodePortOffset
type: object
route:
description: route specifies the configuration to create a route
service in OpenShift.
properties:
advertisedURL:
description: |-
advertisedURL specifies the configuration for advertised listener per pod. It is only supported for MDS currently.
If it is enabled, instead of using internal endpoint, the MDS advertised listener for each broker will be
set to: `<httpSchema>://<advertisedUrl.prefix>-http-external<podId>.<domain>` where podId starts from `0` to `replicaCount -1`.
This is only recommended if you cannot add internal SANs to the TLS certificates for MDS and
the external DNS must be resolved inside the Kubernetes cluster.
This configuration will not take effect if MDS enabled dual listener setup.
properties:
enabled:
description: |-
enabled indicates whether to set the MDS advertised listener url with external endpoint for each broker.
Has no effect with Zookeeper, which will always create a listener per pod.
type: boolean
prefix:
description: |-
prefix specifies the broker prefix for MDS/Zookeeper advertised endpoint.
If not configured, it uses `b` as default prefix for MDS, such as `b#.domain` where `#` will start from `0` to `replicaCount -1`.
It uses 'zookeeper' as default prefix for Zookeeper in the same way.
minLength: 1
type: string
required:
- enabled
type: object
annotations:
additionalProperties:
type: string
description: annotations is a map of string key and value
pairs. It specifies Kubernetes annotations for this service.
type: object
x-kubernetes-map-type: granular
domain:
description: domain specifies the domain name of the Confluent
component cluster.
minLength: 1
type: string
labels:
additionalProperties:
type: string
description: labels is a map of string key and value pairs.
It specifies Kubernetes labels for this service.
type: object
x-kubernetes-map-type: granular
prefix:
description: |-
prefix specifies the component prefix when configured for the domain.
The default value is the name of the cluster.
minLength: 1
type: string
wildcardPolicy:
description: |-
wildcardPolicy allows you to define a route that covers all hosts within a domain. Valid options are `Subdomain` and `None`.
The default value is `None`.
enum:
- Subdomain
- None
type: string
required:
- domain
type: object
type:
description: |-
type specifies the Kubernetes external service for the component.
Valid options are `loadBalancer`, `nodePort`, and `route`.
enum:
- loadBalancer
- nodePort
- route
minLength: 1
type: string
required:
- type
type: object
headlessService:
description: headlessService specifies the configuration of the Kubernetes
headless service.
properties:
annotations:
additionalProperties:
type: string
description: |-
annotations is a map of string key and value pairs.
It specifies the annotations to be added to the CFK-created headless service.
These annotations are merged with the injectAnnotations and take precedence.
type: object
x-kubernetes-map-type: granular
labels:
additionalProperties:
type: string
description: |-
labels is a map of string key and value pairs.
It specifies the labels to be added to the CFK-created headless service.
These labels are merged with the injectLabels and take precedence.
type: object
x-kubernetes-map-type: granular
publishNotReadyAddresses:
description: |-
publishNotReadyAddresses specifies the publishNotReadyAddresses field.
For Kafka, this value must be true. The default value is true.
type: boolean
type: object
id:
description: |-
id specifies the prefix used for this instance of Control Center
when multiple instances of Control Center co-exist.
format: int32
type: integer
image:
description: |-
image specifies the application and the init docker image configurations.
A change to this setting will roll the cluster.
properties:
application:
description: |-
application is the Docker image name of the application. Specify
`<Docker-registry FQDN>/<docker-repository-name>/<component-image-name>:<tag>`.
pattern: .+:.+
type: string
init:
description: |-
init is the init-container name. Specify
`<Docker-registry FQDN>/<docker-repository-name>/<init-container-image-name>:<tag>`.
pattern: .+:.+
type: string
pullPolicy:
description: |-
pullPolicy is the policy for pulling images. Valid options are `Always`, `Never`, and `IfNotPresent`.
The default value is `IfNotPresent`.
enum:
- Always
- Never
- IfNotPresent
type: string
pullSecretRef:
description: |-
pullSecretRef references the secrets in the same namespace to be used for pulling images.
Image pull secrets are distinct from secrets because secrets
can be mounted in the pod, but image pull secrets are only accessed by `kubelet`.
More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
items:
type: string
type: array
required:
- application
- init
type: object
injectAnnotations:
additionalProperties:
type: string
description: |-
injectAnnotations are the annotations injected to the internal resources that CFK created.
The internal annotations are preserved and cannot be overridden.
For pod annotations, use `podTemplate.annotations`.
type: object
x-kubernetes-map-type: granular
injectLabels:
additionalProperties:
type: string
description: |-
injectLabels are the labels injected to the internal resources that CFK created.
The internal labels are preserved and cannot be overridden.
For pod labels, use `podTemplate.labels`.
type: object
x-kubernetes-map-type: granular
internalTopicReplicatorFactor:
description: internalTopicReplicationFactor specifies the replication
factor for internal topics.
format: int32
type: integer
k8sClusterDomain:
description: |-
k8sClusterDomain specifies the configuration of the Kubernetes cluster domain.
The default is the `cluster.local` domain.
type: string
license:
description: license specifies the license configuration for the Confluent
Platform component.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container where
the license key is mounted. More info:
https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses
minLength: 1
type: string
globalLicense:
description: globalLicense specifies whether the Confluent Platform
component shares the common global license.
type: boolean
secretRef:
description: |-
secretRef references the secret that provides the license for the Confluent Platform component.
More info: https://docs.confluent.io/operator/current/co-license.html#update-component-level-licenses
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
mail:
description: |-
mail specifies the settings that control the SMTP server and
account used when an alert triggers an email action.
properties:
authentication:
description: |-
authentication specifies the authentication for SMTP. SMP only supports basic authentication.
For other types of authentication, use the config overrides capability.
properties:
basic:
description: basic specifies the configuration for basic authentication.
properties:
debug:
description: debug enables the basic authentication debug
logs for JaaS configuration.
type: boolean
directoryPathInContainer:
description: |-
directoryPathInContainer allows to pass the basic credential through a directory path in the container.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication
minLength: 1
type: string
restrictedRoles:
description: |-
restrictedRoles specify the restricted roles on the server side only.
Changes will be only reflected in Control Center.
This configuration is ignored on the client side configuration.
items:
type: string
minItems: 1
type: array
roles:
description: |-
roles specify the roles on the server side only.
This configuration is ignored on the client side configuration.
items:
type: string
type: array
secretRef:
description: |-
secretRef defines secret reference to pass the required credentials.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#basic-authentication
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
oauth:
description: OAuth specifies the configuration for OAuth authentication.
properties:
configuration:
description: configuration specifies the OAuth server
settings.
properties:
audience:
description: audience specifies the audience claim
in the JWT payload.
minLength: 1
type: string
expectedIssuer:
description: expectedIssuer specifies the expected
issuer in the JWT payload.
minLength: 1
type: string
groupsClaimName:
description: groupsClaimName specifies the name of
claim in token for identifying the groups of subject
in the JWT payload.
minLength: 1
type: string
jwksEndpointUri:
description: |-
jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS).
It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server.
minLength: 1
type: string
loginConnectTimeoutMs:
description: LoginConnectTimeoutMs sets connect timeout
with IDP in ms
format: int32
type: integer
loginReadTimeoutMs:
description: LoginReadTimeoutMs sets read timeout
with IDP in ms
format: int32
type: integer
loginRetryBackoffMaxMs:
description: LoginRetryBackoffMaxMs sets max retry
backoff with IDP in ms
format: int32
type: integer
loginRetryBackoffMs:
description: LoginRetryBackoffMs sets retry backoff
with IDP in ms
format: int32
type: integer
scope:
description: |-
scope is optional and required only when your identity provider doesn't have
a default scope or your groups claim is linked to a scope.
minLength: 1
type: string
subClaimName:
description: subClaimName specifies name of claim
in JWT to use for the subject.
minLength: 1
type: string
tokenEndpointUri:
description: |-
tokenBaseEndpointUri specifies the base uri for token endpoint.
This is required for OAuth for inter broker communication along with
clientId & clientSecret in JassConfig or JassConfigPassthrough
minLength: 1
type: string
type: object
directoryPathInContainer:
description: directoryPathInContainer allows to pass the
basic credential through a directory path in the container.
minLength: 1
type: string
secretRef:
description: secretRef defines secret reference to pass
the required credentials.
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- configuration
type: object
type:
description: type specifies the authentication scheme for
the REST API client. Valid options are `basic` and `mtls`.
enum:
- basic
- mtls
- oauth
type: string
required:
- type
type: object
checkServerIdentity:
description: checkServerIdentity forces validation of servers
certificate when using STARTTLS or SSL.
type: boolean
hostname:
description: hostname is the hostname of the outgoing SMTP server.
minLength: 1
type: string
mailBounceAddress:
description: mailBounceAddress is the override for the `mailFrom`
config to send message.
minLength: 1
type: string
mailFrom:
description: mailFrom is the originating address for emails sent
from the Control Center.
minLength: 1
type: string
port:
description: port is the SMTP port open on the hostname.
format: int32
type: integer
startTLSRequired:
description: startTLSRequired forces using STARTTLS.
type: boolean
required:
- hostname
type: object
metrics:
description: metrics specify the security settings for the metric
services.
properties:
authentication:
description: authentication specifies the authentication configuration
for the metrics.
properties:
type:
description: type specifies the metrics authentication method.
The valid option is `mtls`.
enum:
- mtls
type: string
required:
- type
type: object
prometheus:
description: prometheus specifies the configuration overrides
for the JMX-Prometheus exporter.
properties:
blacklist:
items:
type: string
type: array
rules:
items:
description: Rule defines the Prometheus Exporter rule override.
properties:
attrNameSnakeCase:
type: boolean
cache:
type: boolean
help:
minLength: 1
type: string
labels:
additionalProperties:
type: string
type: object
x-kubernetes-map-type: granular
name:
minLength: 1
type: string
pattern:
minLength: 1
type: string
type:
minLength: 1
type: string
value:
minLength: 1
type: string
valueFactor:
anyOf:
- type: integer
- type: string
default: 1
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
type: array
whitelist:
items:
type: string
type: array
type: object
tls:
description: tls specifies the TLS configuration for the metrics.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container where
`keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted.
`truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`.
minLength: 1
type: string
enabled:
description: enabled specifies to enable the TLS configuration
for the Confluent component.
type: boolean
ignoreTrustStoreConfig:
description: |-
ignoreTrustStoreConfig indicates whether to ignore the truststore configuration
for the Confluent component.
type: boolean
jksPassword:
description: jksPassword references the secret containing
the JKS password.
properties:
secretRef:
description: |-
secretRef references the name of the secret containing the JKS password.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- secretRef
type: object
secretRef:
description: |-
secretRef references the secret containing the certificates.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- enabled
type: object
type: object
monitoringKafkaClusters:
description: monitoringKafkaClusters specify the configurations for
the Kafka clusters that this Control Center monitors.
items:
description: MonitoringKafkaClusters defines the configuration of
the additional Kafka clusters the Control Center monitors.
properties:
authentication:
description: authentication defines the authentication for the
Kafka cluster.
properties:
jaasConfig:
description: jaasConfig specifies the Kafka client-side
JaaS configuration.
properties:
secretRef:
description: |-
secretRef references the secret containing the required credentials.
More info: https://docs.confluent.io/operator/current/co-authenticate.html
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- secretRef
type: object
jaasConfigPassThrough:
description: jaasConfigPassThrough specifies another way
to provide the Kafka client-side JaaS configuration.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container where required credentials are mounted.
More info: https://docs.confluent.io/operator/current/co-authenticate.html
minLength: 1
type: string
secretRef:
description: |-
secretRef references the secret containing the required credentials for authentication.
More info: https://docs.confluent.io/operator/current/co-authenticate.html
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
oauthSettings:
description: |-
oauthSettings specifies the OAuth settings.
This needs to passed with the authentication type `oauth`.
properties:
audience:
description: audience specifies the audience claim in
the JWT payload.
minLength: 1
type: string
expectedIssuer:
description: expectedIssuer specifies the expected issuer
in the JWT payload.
minLength: 1
type: string
groupsClaimName:
description: groupsClaimName specifies the name of claim
in token for identifying the groups of subject in
the JWT payload.
minLength: 1
type: string
jwksEndpointUri:
description: |-
jwksEndpointUri specifies the uri for the JSON Web Key Set (JWKS).
It is used to get set of keys containing the public keys used to verify any JWT issued by the IdP's Authorization Server.
minLength: 1
type: string
loginConnectTimeoutMs:
description: LoginConnectTimeoutMs sets connect timeout
with IDP in ms
format: int32
type: integer
loginReadTimeoutMs:
description: LoginReadTimeoutMs sets read timeout with
IDP in ms
format: int32
type: integer
loginRetryBackoffMaxMs:
description: LoginRetryBackoffMaxMs sets max retry backoff
with IDP in ms
format: int32
type: integer
loginRetryBackoffMs:
description: LoginRetryBackoffMs sets retry backoff
with IDP in ms
format: int32
type: integer
scope:
description: |-
scope is optional and required only when your identity provider doesn't have
a default scope or your groups claim is linked to a scope.
minLength: 1
type: string
subClaimName:
description: subClaimName specifies name of claim in
JWT to use for the subject.
minLength: 1
type: string
tokenEndpointUri:
description: |-
tokenBaseEndpointUri specifies the base uri for token endpoint.
This is required for OAuth for inter broker communication along with
clientId & clientSecret in JassConfig or JassConfigPassthrough
minLength: 1
type: string
type: object
oauthbearer:
description: |-
oauthbearer is the authentication mechanism to provider principals.
Only supported in RBAC deployment.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container
where the credential is mounted.
minLength: 1
type: string
secretRef:
description: |-
secretRef specifies the name of the secret that contains the credential.
More info: https://docs.confluent.io/operator/current/co-authenticate.html#bearer-authentication
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
type:
description: |-
type specifies the Kafka client authentication type.
Valid options are `plain`, `oauthbearer`, `digest`, `mtls` and `oauth`.
enum:
- plain
- oauthbearer
- digest
- mtls
- oauth
type: string
required:
- type
type: object
bootstrapEndpoint:
description: bootstrapEndpoint specifies the Kafka bootstrap
endpoint.
minLength: 1
pattern: .+:[0-9]+
type: string
discovery:
description: discovery specifies the capability to discover
the Kafka cluster.
properties:
name:
description: name is the name of the Confluent Platform
component cluster.
type: string
namespace:
description: |-
namespace is where the Confluent Platform component is running.
The default value is the namespace where CFK is running.
type: string
secretRef:
description: secretRef is the name of the secret used to
discover the Confluent Platform component.
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
name:
description: name defines the Kafka cluster name.
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
tls:
description: tls defines the client-side TLS setting for the
Kafka cluster.
properties:
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container where
`keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted.
`truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`.
minLength: 1
type: string
enabled:
description: enabled specifies to enable the TLS configuration
for the Confluent component.
type: boolean
ignoreTrustStoreConfig:
description: |-
ignoreTrustStoreConfig indicates whether to ignore the truststore configuration
for the Confluent component.
type: boolean
jksPassword:
description: jksPassword references the secret containing
the JKS password.
properties:
secretRef:
description: |-
secretRef references the name of the secret containing the JKS password.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- secretRef
type: object
secretRef:
description: |-
secretRef references the secret containing the certificates.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- enabled
type: object
required:
- name
type: object
type: array
mountedSecrets:
description: |-
mountedSecrets list the secrets injected to
the underlying statefulset configuration. The secret reference is mounted
in the default path `/mnt/secrets/<secret-name>`. The underlying resources
will follow the secret as a file configuration.
More info: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod.
A change to this setting will roll the cluster.
items:
description: |-
MountedSecrets provides a way to inject a custom secret to the underlying
statefulset.
properties:
keyItems:
description: keyItems are key and path names.
items:
description: Maps a string key to a path within a volume.
properties:
key:
description: key is the key to project.
type: string
mode:
description: |-
mode is Optional: mode bits used to set permissions on this file.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: |-
path is the relative path of the file to map the key to.
May not be an absolute path.
May not contain the path element '..'.
May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
secretRef:
description: secretRef references the name of the secret.
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- secretRef
type: object
type: array
mountedVolumes:
description: |-
mountedVolumes list the custom volumes that need to be mounted into the
underlying statefulset.
A change to this setting will roll the cluster.
properties:
volumeMounts:
description: |-
volumeMounts specify the list of volume mounts for the pods in the
statefulset.
items:
description: VolumeMount describes a mounting of a Volume within
a container.
properties:
mountPath:
description: |-
Path within the container at which the volume should be mounted. Must
not contain ':'.
type: string
mountPropagation:
description: |-
mountPropagation determines how mounts are propagated from the host
to container and the other way around.
When not set, MountPropagationNone is used.
This field is beta in 1.10.
type: string
name:
description: This must match the Name of a Volume.
type: string
readOnly:
description: |-
Mounted read-only if true, read-write otherwise (false or unspecified).
Defaults to false.
type: boolean
subPath:
description: |-
Path within the volume from which the container's volume should be mounted.
Defaults to "" (volume's root).
type: string
subPathExpr:
description: |-
Expanded path within the volume from which the container's volume should be mounted.
Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
Defaults to "" (volume's root).
SubPathExpr and SubPath are mutually exclusive.
type: string
required:
- mountPath
- name
type: object
type: array
volumes:
description: |-
volumes specify the list of volumes that can be mounted into the pods
of statefulset.
items:
description: Volume represents a named volume in a pod that
may be accessed by any container in the pod.
properties:
awsElasticBlockStore:
description: |-
awsElasticBlockStore represents an AWS Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
properties:
fsType:
description: |-
fsType is the filesystem type of the volume that you want to mount.
Tip: Ensure that the filesystem type is supported by the host operating system.
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
partition:
description: |-
partition is the partition in the volume that you want to mount.
If omitted, the default is to mount by volume name.
Examples: For volume /dev/sda1, you specify the partition as "1".
Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
format: int32
type: integer
readOnly:
description: |-
readOnly value true will force the readOnly setting in VolumeMounts.
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
type: boolean
volumeID:
description: |-
volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
type: string
required:
- volumeID
type: object
azureDisk:
description: azureDisk represents an Azure Data Disk mount
on the host and bind mount to the pod.
properties:
cachingMode:
description: 'cachingMode is the Host Caching mode:
None, Read Only, Read Write.'
type: string
diskName:
description: diskName is the Name of the data disk in
the blob storage
type: string
diskURI:
description: diskURI is the URI of data disk in the
blob storage
type: string
fsType:
description: |-
fsType is Filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
kind:
description: 'kind expected values are Shared: multiple
blob disks per storage account Dedicated: single
blob disk per storage account Managed: azure managed
data disk (only in managed availability set). defaults
to shared'
type: string
readOnly:
description: |-
readOnly Defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
required:
- diskName
- diskURI
type: object
azureFile:
description: azureFile represents an Azure File Service
mount on the host and bind mount to the pod.
properties:
readOnly:
description: |-
readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretName:
description: secretName is the name of secret that
contains Azure Storage Account Name and Key
type: string
shareName:
description: shareName is the azure share Name
type: string
required:
- secretName
- shareName
type: object
cephfs:
description: cephFS represents a Ceph FS mount on the host
that shares a pod's lifetime
properties:
monitors:
description: |-
monitors is Required: Monitors is a collection of Ceph monitors
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
items:
type: string
type: array
path:
description: 'path is Optional: Used as the mounted
root, rather than the full Ceph tree, default is /'
type: string
readOnly:
description: |-
readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
type: boolean
secretFile:
description: |-
secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
type: string
secretRef:
description: |-
secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
user:
description: |-
user is optional: User is the rados user name, default is admin
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
type: string
required:
- monitors
type: object
cinder:
description: |-
cinder represents a cinder volume attached and mounted on kubelets host machine.
More info: https://examples.k8s.io/mysql-cinder-pd/README.md
properties:
fsType:
description: |-
fsType is the filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://examples.k8s.io/mysql-cinder-pd/README.md
type: string
readOnly:
description: |-
readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
More info: https://examples.k8s.io/mysql-cinder-pd/README.md
type: boolean
secretRef:
description: |-
secretRef is optional: points to a secret object containing parameters used to connect
to OpenStack.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
volumeID:
description: |-
volumeID used to identify the volume in cinder.
More info: https://examples.k8s.io/mysql-cinder-pd/README.md
type: string
required:
- volumeID
type: object
configMap:
description: configMap represents a configMap that should
populate this volume
properties:
defaultMode:
description: |-
defaultMode is optional: mode bits used to set permissions on created files by default.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
Defaults to 0644.
Directories within the path are not affected by this setting.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
items:
description: |-
items if unspecified, each key-value pair in the Data field of the referenced
ConfigMap will be projected into the volume as a file whose name is the
key and content is the value. If specified, the listed keys will be
projected into the specified paths, and unlisted keys will not be
present. If a key is specified which is not present in the ConfigMap,
the volume setup will error unless it is marked optional. Paths must be
relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key to a path within a
volume.
properties:
key:
description: key is the key to project.
type: string
mode:
description: |-
mode is Optional: mode bits used to set permissions on this file.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: |-
path is the relative path of the file to map the key to.
May not be an absolute path.
May not contain the path element '..'.
May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: optional specify whether the ConfigMap
or its keys must be defined
type: boolean
type: object
x-kubernetes-map-type: atomic
csi:
description: csi (Container Storage Interface) represents
ephemeral storage that is handled by certain external
CSI drivers (Beta feature).
properties:
driver:
description: |-
driver is the name of the CSI driver that handles this volume.
Consult with your admin for the correct name as registered in the cluster.
type: string
fsType:
description: |-
fsType to mount. Ex. "ext4", "xfs", "ntfs".
If not provided, the empty value is passed to the associated CSI driver
which will determine the default filesystem to apply.
type: string
nodePublishSecretRef:
description: |-
nodePublishSecretRef is a reference to the secret object containing
sensitive information to pass to the CSI driver to complete the CSI
NodePublishVolume and NodeUnpublishVolume calls.
This field is optional, and may be empty if no secret is required. If the
secret object contains more than one secret, all secret references are passed.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
readOnly:
description: |-
readOnly specifies a read-only configuration for the volume.
Defaults to false (read/write).
type: boolean
volumeAttributes:
additionalProperties:
type: string
description: |-
volumeAttributes stores driver-specific properties that are passed to the CSI
driver. Consult your driver's documentation for supported values.
type: object
required:
- driver
type: object
downwardAPI:
description: downwardAPI represents downward API about the
pod that should populate this volume
properties:
defaultMode:
description: |-
Optional: mode bits to use on created files by default. Must be a
Optional: mode bits used to set permissions on created files by default.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
Defaults to 0644.
Directories within the path are not affected by this setting.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
items:
description: Items is a list of downward API volume
file
items:
description: DownwardAPIVolumeFile represents information
to create the file containing the pod field
properties:
fieldRef:
description: 'Required: Selects a field of the
pod: only annotations, labels, name and namespace
are supported.'
properties:
apiVersion:
description: Version of the schema the FieldPath
is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in
the specified API version.
type: string
required:
- fieldPath
type: object
x-kubernetes-map-type: atomic
mode:
description: |-
Optional: mode bits used to set permissions on this file, must be an octal value
between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: 'Required: Path is the relative
path name of the file to be created. Must not
be absolute or contain the ''..'' path. Must
be utf-8 encoded. The first item of the relative
path must not start with ''..'''
type: string
resourceFieldRef:
description: |-
Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
properties:
containerName:
description: 'Container name: required for
volumes, optional for env vars'
type: string
divisor:
anyOf:
- type: integer
- type: string
description: Specifies the output format of
the exposed resources, defaults to "1"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
x-kubernetes-map-type: atomic
required:
- path
type: object
type: array
type: object
emptyDir:
description: |-
emptyDir represents a temporary directory that shares a pod's lifetime.
More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
properties:
medium:
description: |-
medium represents what type of storage medium should back this directory.
The default is "" which means to use the node's default medium.
Must be an empty string (default) or Memory.
More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
type: string
sizeLimit:
anyOf:
- type: integer
- type: string
description: |-
sizeLimit is the total amount of local storage required for this EmptyDir volume.
The size limit is also applicable for memory medium.
The maximum usage on memory medium EmptyDir would be the minimum value between
the SizeLimit specified here and the sum of memory limits of all containers in a pod.
The default is nil which means that the limit is undefined.
More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
ephemeral:
description: |-
ephemeral represents a volume that is handled by a cluster storage driver.
The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
and deleted when the pod is removed.
Use this if:
a) the volume is only needed while the pod runs,
b) features of normal volumes like restoring from snapshot or capacity
tracking are needed,
c) the storage driver is specified through a storage class, and
d) the storage driver supports dynamic volume provisioning through
a PersistentVolumeClaim (see EphemeralVolumeSource for more
information on the connection between this volume type
and PersistentVolumeClaim).
Use PersistentVolumeClaim or one of the vendor-specific
APIs for volumes that persist for longer than the lifecycle
of an individual pod.
Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
be used that way - see the documentation of the driver for
more information.
A pod can use both types of ephemeral volumes and
persistent volumes at the same time.
properties:
volumeClaimTemplate:
description: |-
Will be used to create a stand-alone PVC to provision the volume.
The pod in which this EphemeralVolumeSource is embedded will be the
owner of the PVC, i.e. the PVC will be deleted together with the
pod. The name of the PVC will be `<pod name>-<volume name>` where
`<volume name>` is the name from the `PodSpec.Volumes` array
entry. Pod validation will reject the pod if the concatenated name
is not valid for a PVC (for example, too long).
An existing PVC with that name that is not owned by the pod
will *not* be used for the pod to avoid using an unrelated
volume by mistake. Starting the pod is then blocked until
the unrelated PVC is removed. If such a pre-created PVC is
meant to be used by the pod, the PVC has to updated with an
owner reference to the pod once the pod exists. Normally
this should not be necessary, but it may be useful when
manually reconstructing a broken cluster.
This field is read-only and no changes will be made by Kubernetes
to the PVC after it has been created.
Required, must not be nil.
properties:
metadata:
description: |-
May contain labels and annotations that will be copied into the PVC
when creating it. No other fields are allowed and will be rejected during
validation.
type: object
spec:
description: |-
The specification for the PersistentVolumeClaim. The entire content is
copied unchanged into the PVC that gets created from this
template. The same fields as in a PersistentVolumeClaim
are also valid here.
properties:
accessModes:
description: |-
accessModes contains the desired access modes the volume should have.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
items:
type: string
type: array
dataSource:
description: |-
dataSource field can be used to specify either:
* An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
* An existing PVC (PersistentVolumeClaim)
If the provisioner or an external controller can support the specified data source,
it will create a new volume based on the contents of the specified data source.
When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
If the namespace is specified, then dataSourceRef will not be copied to dataSource.
properties:
apiGroup:
description: |-
APIGroup is the group for the resource being referenced.
If APIGroup is not specified, the specified Kind must be in the core API group.
For any other third-party types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource
being referenced
type: string
name:
description: Name is the name of resource
being referenced
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
dataSourceRef:
description: |-
dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
volume is desired. This may be any object from a non-empty API group (non
core object) or a PersistentVolumeClaim object.
When this field is specified, volume binding will only succeed if the type of
the specified object matches some installed volume populator or dynamic
provisioner.
This field will replace the functionality of the dataSource field and as such
if both fields are non-empty, they must have the same value. For backwards
compatibility, when namespace isn't specified in dataSourceRef,
both fields (dataSource and dataSourceRef) will be set to the same
value automatically if one of them is empty and the other is non-empty.
When namespace is specified in dataSourceRef,
dataSource isn't set to the same value and must be empty.
There are three important differences between dataSource and dataSourceRef:
* While dataSource only allows two specific types of objects, dataSourceRef
allows any non-core object, as well as PersistentVolumeClaim objects.
* While dataSource ignores disallowed values (dropping them), dataSourceRef
preserves all values, and generates an error if a disallowed value is
specified.
* While dataSource only allows local objects, dataSourceRef allows objects
in any namespaces.
(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
(Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
properties:
apiGroup:
description: |-
APIGroup is the group for the resource being referenced.
If APIGroup is not specified, the specified Kind must be in the core API group.
For any other third-party types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource
being referenced
type: string
name:
description: Name is the name of resource
being referenced
type: string
namespace:
description: |-
Namespace is the namespace of resource being referenced
Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
(Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
type: string
required:
- kind
- name
type: object
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
properties:
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
selector:
description: selector is a label query over
volumes to consider for binding.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
storageClassName:
description: |-
storageClassName is the name of the StorageClass required by the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
type: string
volumeAttributesClassName:
description: |-
volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
If specified, the CSI driver will create or update the volume with the attributes defined
in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
will be set by the persistentvolume controller if it exists.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass
(Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.
type: string
volumeMode:
description: |-
volumeMode defines what type of volume is required by the claim.
Value of Filesystem is implied when not included in claim spec.
type: string
volumeName:
description: volumeName is the binding reference
to the PersistentVolume backing this claim.
type: string
type: object
required:
- spec
type: object
type: object
fc:
description: fc represents a Fibre Channel resource that
is attached to a kubelet's host machine and then exposed
to the pod.
properties:
fsType:
description: |-
fsType is the filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
lun:
description: 'lun is Optional: FC target lun number'
format: int32
type: integer
readOnly:
description: |-
readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
targetWWNs:
description: 'targetWWNs is Optional: FC target worldwide
names (WWNs)'
items:
type: string
type: array
wwids:
description: |-
wwids Optional: FC volume world wide identifiers (wwids)
Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
items:
type: string
type: array
type: object
flexVolume:
description: |-
flexVolume represents a generic volume resource that is
provisioned/attached using an exec based plugin.
properties:
driver:
description: driver is the name of the driver to use
for this volume.
type: string
fsType:
description: |-
fsType is the filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
type: string
options:
additionalProperties:
type: string
description: 'options is Optional: this field holds
extra command options if any.'
type: object
readOnly:
description: |-
readOnly is Optional: defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretRef:
description: |-
secretRef is Optional: secretRef is reference to the secret object containing
sensitive information to pass to the plugin scripts. This may be
empty if no secret object is specified. If the secret object
contains more than one secret, all secrets are passed to the plugin
scripts.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
required:
- driver
type: object
flocker:
description: flocker represents a Flocker volume attached
to a kubelet's host machine. This depends on the Flocker
control service being running
properties:
datasetName:
description: |-
datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
should be considered as deprecated
type: string
datasetUUID:
description: datasetUUID is the UUID of the dataset.
This is unique identifier of a Flocker dataset
type: string
type: object
gcePersistentDisk:
description: |-
gcePersistentDisk represents a GCE Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
properties:
fsType:
description: |-
fsType is filesystem type of the volume that you want to mount.
Tip: Ensure that the filesystem type is supported by the host operating system.
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
partition:
description: |-
partition is the partition in the volume that you want to mount.
If omitted, the default is to mount by volume name.
Examples: For volume /dev/sda1, you specify the partition as "1".
Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
format: int32
type: integer
pdName:
description: |-
pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
type: string
readOnly:
description: |-
readOnly here will force the ReadOnly setting in VolumeMounts.
Defaults to false.
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
type: boolean
required:
- pdName
type: object
gitRepo:
description: |-
gitRepo represents a git repository at a particular revision.
DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
into the Pod's container.
properties:
directory:
description: |-
directory is the target directory name.
Must not contain or start with '..'. If '.' is supplied, the volume directory will be the
git repository. Otherwise, if specified, the volume will contain the git repository in
the subdirectory with the given name.
type: string
repository:
description: repository is the URL
type: string
revision:
description: revision is the commit hash for the specified
revision.
type: string
required:
- repository
type: object
glusterfs:
description: |-
glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
description: |-
endpoints is the endpoint name that details Glusterfs topology.
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
type: string
path:
description: |-
path is the Glusterfs volume path.
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
type: string
readOnly:
description: |-
readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
Defaults to false.
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
type: boolean
required:
- endpoints
- path
type: object
hostPath:
description: |-
hostPath represents a pre-existing file or directory on the host
machine that is directly exposed to the container. This is generally
used for system agents or other privileged things that are allowed
to see the host machine. Most containers will NOT need this.
More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
---
TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
mount host directories as read/write.
properties:
path:
description: |-
path of the directory on the host.
If the path is a symlink, it will follow the link to the real path.
More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
type: string
type:
description: |-
type for HostPath Volume
Defaults to ""
More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
type: string
required:
- path
type: object
iscsi:
description: |-
iscsi represents an ISCSI Disk resource that is attached to a
kubelet's host machine and then exposed to the pod.
More info: https://examples.k8s.io/volumes/iscsi/README.md
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether support
iSCSI Discovery CHAP authentication
type: boolean
chapAuthSession:
description: chapAuthSession defines whether support
iSCSI Session CHAP authentication
type: boolean
fsType:
description: |-
fsType is the filesystem type of the volume that you want to mount.
Tip: Ensure that the filesystem type is supported by the host operating system.
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
initiatorName:
description: |-
initiatorName is the custom iSCSI Initiator Name.
If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
<target portal>:<volume name> will be created for the connection.
type: string
iqn:
description: iqn is the target iSCSI Qualified Name.
type: string
iscsiInterface:
description: |-
iscsiInterface is the interface Name that uses an iSCSI transport.
Defaults to 'default' (tcp).
type: string
lun:
description: lun represents iSCSI Target Lun number.
format: int32
type: integer
portals:
description: |-
portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
is other than default (typically TCP ports 860 and 3260).
items:
type: string
type: array
readOnly:
description: |-
readOnly here will force the ReadOnly setting in VolumeMounts.
Defaults to false.
type: boolean
secretRef:
description: secretRef is the CHAP Secret for iSCSI
target and initiator authentication
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
targetPortal:
description: |-
targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
is other than default (typically TCP ports 860 and 3260).
type: string
required:
- iqn
- lun
- targetPortal
type: object
name:
description: |-
name of the volume.
Must be a DNS_LABEL and unique within the pod.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
nfs:
description: |-
nfs represents an NFS mount on the host that shares a pod's lifetime
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
properties:
path:
description: |-
path that is exported by the NFS server.
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
type: string
readOnly:
description: |-
readOnly here will force the NFS export to be mounted with read-only permissions.
Defaults to false.
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
type: boolean
server:
description: |-
server is the hostname or IP address of the NFS server.
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
type: string
required:
- path
- server
type: object
persistentVolumeClaim:
description: |-
persistentVolumeClaimVolumeSource represents a reference to a
PersistentVolumeClaim in the same namespace.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
properties:
claimName:
description: |-
claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
type: string
readOnly:
description: |-
readOnly Will force the ReadOnly setting in VolumeMounts.
Default false.
type: boolean
required:
- claimName
type: object
photonPersistentDisk:
description: photonPersistentDisk represents a PhotonController
persistent disk attached and mounted on kubelets host
machine
properties:
fsType:
description: |-
fsType is the filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
pdID:
description: pdID is the ID that identifies Photon Controller
persistent disk
type: string
required:
- pdID
type: object
portworxVolume:
description: portworxVolume represents a portworx volume
attached and mounted on kubelets host machine
properties:
fsType:
description: |-
fSType represents the filesystem type to mount
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
type: string
readOnly:
description: |-
readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
volumeID:
description: volumeID uniquely identifies a Portworx
volume
type: string
required:
- volumeID
type: object
projected:
description: projected items for all in one resources secrets,
configmaps, and downward API
properties:
defaultMode:
description: |-
defaultMode are the mode bits used to set permissions on created files by default.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
Directories within the path are not affected by this setting.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
sources:
description: sources is the list of volume projections
items:
description: Projection that may be projected along
with other supported volume types
properties:
clusterTrustBundle:
description: |-
ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
of ClusterTrustBundle objects in an auto-updating file.
Alpha, gated by the ClusterTrustBundleProjection feature gate.
ClusterTrustBundle objects can either be selected by name, or by the
combination of signer name and a label selector.
Kubelet performs aggressive normalization of the PEM contents written
into the pod filesystem. Esoteric PEM features such as inter-block
comments and block headers are stripped. Certificates are deduplicated.
The ordering of certificates within the file is arbitrary, and Kubelet
may change the order over time.
properties:
labelSelector:
description: |-
Select all ClusterTrustBundles that match this label selector. Only has
effect if signerName is set. Mutually-exclusive with name. If unset,
interpreted as "match nothing". If set but empty, interpreted as "match
everything".
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
name:
description: |-
Select a single ClusterTrustBundle by object name. Mutually-exclusive
with signerName and labelSelector.
type: string
optional:
description: |-
If true, don't block pod startup if the referenced ClusterTrustBundle(s)
aren't available. If using name, then the named ClusterTrustBundle is
allowed not to exist. If using signerName, then the combination of
signerName and labelSelector is allowed to match zero
ClusterTrustBundles.
type: boolean
path:
description: Relative path from the volume
root to write the bundle.
type: string
signerName:
description: |-
Select all ClusterTrustBundles that match this signer name.
Mutually-exclusive with name. The contents of all selected
ClusterTrustBundles will be unified and deduplicated.
type: string
required:
- path
type: object
configMap:
description: configMap information about the configMap
data to project
properties:
items:
description: |-
items if unspecified, each key-value pair in the Data field of the referenced
ConfigMap will be projected into the volume as a file whose name is the
key and content is the value. If specified, the listed keys will be
projected into the specified paths, and unlisted keys will not be
present. If a key is specified which is not present in the ConfigMap,
the volume setup will error unless it is marked optional. Paths must be
relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key to a path
within a volume.
properties:
key:
description: key is the key to project.
type: string
mode:
description: |-
mode is Optional: mode bits used to set permissions on this file.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: |-
path is the relative path of the file to map the key to.
May not be an absolute path.
May not contain the path element '..'.
May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: optional specify whether the
ConfigMap or its keys must be defined
type: boolean
type: object
x-kubernetes-map-type: atomic
downwardAPI:
description: downwardAPI information about the
downwardAPI data to project
properties:
items:
description: Items is a list of DownwardAPIVolume
file
items:
description: DownwardAPIVolumeFile represents
information to create the file containing
the pod field
properties:
fieldRef:
description: 'Required: Selects a field
of the pod: only annotations, labels,
name and namespace are supported.'
properties:
apiVersion:
description: Version of the schema
the FieldPath is written in terms
of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to
select in the specified API version.
type: string
required:
- fieldPath
type: object
x-kubernetes-map-type: atomic
mode:
description: |-
Optional: mode bits used to set permissions on this file, must be an octal value
between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: 'Required: Path is the
relative path name of the file to
be created. Must not be absolute or
contain the ''..'' path. Must be utf-8
encoded. The first item of the relative
path must not start with ''..'''
type: string
resourceFieldRef:
description: |-
Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
properties:
containerName:
description: 'Container name: required
for volumes, optional for env
vars'
type: string
divisor:
anyOf:
- type: integer
- type: string
description: Specifies the output
format of the exposed resources,
defaults to "1"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
resource:
description: 'Required: resource
to select'
type: string
required:
- resource
type: object
x-kubernetes-map-type: atomic
required:
- path
type: object
type: array
type: object
secret:
description: secret information about the secret
data to project
properties:
items:
description: |-
items if unspecified, each key-value pair in the Data field of the referenced
Secret will be projected into the volume as a file whose name is the
key and content is the value. If specified, the listed keys will be
projected into the specified paths, and unlisted keys will not be
present. If a key is specified which is not present in the Secret,
the volume setup will error unless it is marked optional. Paths must be
relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key to a path
within a volume.
properties:
key:
description: key is the key to project.
type: string
mode:
description: |-
mode is Optional: mode bits used to set permissions on this file.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: |-
path is the relative path of the file to map the key to.
May not be an absolute path.
May not contain the path element '..'.
May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: optional field specify whether
the Secret or its key must be defined
type: boolean
type: object
x-kubernetes-map-type: atomic
serviceAccountToken:
description: serviceAccountToken is information
about the serviceAccountToken data to project
properties:
audience:
description: |-
audience is the intended audience of the token. A recipient of a token
must identify itself with an identifier specified in the audience of the
token, and otherwise should reject the token. The audience defaults to the
identifier of the apiserver.
type: string
expirationSeconds:
description: |-
expirationSeconds is the requested duration of validity of the service
account token. As the token approaches expiration, the kubelet volume
plugin will proactively rotate the service account token. The kubelet will
start trying to rotate the token if the token is older than 80 percent of
its time to live or if the token is older than 24 hours.Defaults to 1 hour
and must be at least 10 minutes.
format: int64
type: integer
path:
description: |-
path is the path relative to the mount point of the file to project the
token into.
type: string
required:
- path
type: object
type: object
type: array
type: object
quobyte:
description: quobyte represents a Quobyte mount on the host
that shares a pod's lifetime
properties:
group:
description: |-
group to map volume access to
Default is no group
type: string
readOnly:
description: |-
readOnly here will force the Quobyte volume to be mounted with read-only permissions.
Defaults to false.
type: boolean
registry:
description: |-
registry represents a single or multiple Quobyte Registry services
specified as a string as host:port pair (multiple entries are separated with commas)
which acts as the central registry for volumes
type: string
tenant:
description: |-
tenant owning the given Quobyte volume in the Backend
Used with dynamically provisioned Quobyte volumes, value is set by the plugin
type: string
user:
description: |-
user to map volume access to
Defaults to serivceaccount user
type: string
volume:
description: volume is a string that references an already
created Quobyte volume by name.
type: string
required:
- registry
- volume
type: object
rbd:
description: |-
rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
description: |-
fsType is the filesystem type of the volume that you want to mount.
Tip: Ensure that the filesystem type is supported by the host operating system.
Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
TODO: how do we prevent errors in the filesystem from compromising the machine
type: string
image:
description: |-
image is the rados image name.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
keyring:
description: |-
keyring is the path to key ring for RBDUser.
Default is /etc/ceph/keyring.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
monitors:
description: |-
monitors is a collection of Ceph monitors.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
items:
type: string
type: array
pool:
description: |-
pool is the rados pool name.
Default is rbd.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
readOnly:
description: |-
readOnly here will force the ReadOnly setting in VolumeMounts.
Defaults to false.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: boolean
secretRef:
description: |-
secretRef is name of the authentication secret for RBDUser. If provided
overrides keyring.
Default is nil.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
user:
description: |-
user is the rados user name.
Default is admin.
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
required:
- image
- monitors
type: object
scaleIO:
description: scaleIO represents a ScaleIO persistent volume
attached and mounted on Kubernetes nodes.
properties:
fsType:
description: |-
fsType is the filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs".
Default is "xfs".
type: string
gateway:
description: gateway is the host address of the ScaleIO
API Gateway.
type: string
protectionDomain:
description: protectionDomain is the name of the ScaleIO
Protection Domain for the configured storage.
type: string
readOnly:
description: |-
readOnly Defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretRef:
description: |-
secretRef references to the secret for ScaleIO user and other
sensitive information. If this is not provided, Login operation will fail.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
sslEnabled:
description: sslEnabled Flag enable/disable SSL communication
with Gateway, default false
type: boolean
storageMode:
description: |-
storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
Default is ThinProvisioned.
type: string
storagePool:
description: storagePool is the ScaleIO Storage Pool
associated with the protection domain.
type: string
system:
description: system is the name of the storage system
as configured in ScaleIO.
type: string
volumeName:
description: |-
volumeName is the name of a volume already created in the ScaleIO system
that is associated with this volume source.
type: string
required:
- gateway
- secretRef
- system
type: object
secret:
description: |-
secret represents a secret that should populate this volume.
More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
properties:
defaultMode:
description: |-
defaultMode is Optional: mode bits used to set permissions on created files by default.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values
for mode bits. Defaults to 0644.
Directories within the path are not affected by this setting.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
items:
description: |-
items If unspecified, each key-value pair in the Data field of the referenced
Secret will be projected into the volume as a file whose name is the
key and content is the value. If specified, the listed keys will be
projected into the specified paths, and unlisted keys will not be
present. If a key is specified which is not present in the Secret,
the volume setup will error unless it is marked optional. Paths must be
relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key to a path within a
volume.
properties:
key:
description: key is the key to project.
type: string
mode:
description: |-
mode is Optional: mode bits used to set permissions on this file.
Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
If not specified, the volume defaultMode will be used.
This might be in conflict with other options that affect the file
mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
description: |-
path is the relative path of the file to map the key to.
May not be an absolute path.
May not contain the path element '..'.
May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
optional:
description: optional field specify whether the Secret
or its keys must be defined
type: boolean
secretName:
description: |-
secretName is the name of the secret in the pod's namespace to use.
More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
type: string
type: object
storageos:
description: storageOS represents a StorageOS volume attached
and mounted on Kubernetes nodes.
properties:
fsType:
description: |-
fsType is the filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
readOnly:
description: |-
readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretRef:
description: |-
secretRef specifies the secret to use for obtaining the StorageOS API
credentials. If not specified, default values will be attempted.
properties:
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
volumeName:
description: |-
volumeName is the human-readable name of the StorageOS volume. Volume
names are only unique within a namespace.
type: string
volumeNamespace:
description: |-
volumeNamespace specifies the scope of the volume within StorageOS. If no
namespace is specified then the Pod's namespace will be used. This allows the
Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
Set VolumeName to any name to override the default behaviour.
Set to "default" if you are not using namespaces within StorageOS.
Namespaces that do not pre-exist within StorageOS will be created.
type: string
type: object
vsphereVolume:
description: vsphereVolume represents a vSphere volume attached
and mounted on kubelets host machine
properties:
fsType:
description: |-
fsType is filesystem type to mount.
Must be a filesystem type supported by the host operating system.
Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
storagePolicyID:
description: storagePolicyID is the storage Policy Based
Management (SPBM) profile ID associated with the StoragePolicyName.
type: string
storagePolicyName:
description: storagePolicyName is the storage Policy
Based Management (SPBM) profile name.
type: string
volumePath:
description: volumePath is the path that identifies
vSphere volume vmdk
type: string
required:
- volumePath
type: object
required:
- name
type: object
type: array
required:
- volumeMounts
- volumes
type: object
name:
description: name is the Control Center cluster name.
type: string
oneReplicaPerNode:
description: |-
oneReplicaPerNode controls whether to run 1 pod per node using the pod anti-affinity capability.
Enabling this configuration in an existing cluster will roll the cluster.
type: boolean
pdb:
description: |-
configures PodDisruptionBudget for the Confluent Platform component.
by default PDB is configured based on pre-detemined formula.
properties:
enabled:
description: enabled specifies whether the PodDisruptionBudget
is enabled
type: boolean
maxUnavailable:
description: maxUnavailable is the maximum number of pods that
can be unavailable during the disruption.
format: int32
type: integer
required:
- enabled
type: object
podTemplate:
description: podTemplate specifies the statefulset pod template configuration.
properties:
affinity:
description: |-
affinity specifies a group of affinity scheduling rules.
More info: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity.
properties:
nodeAffinity:
description: Describes node affinity scheduling rules for
the pod.
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: |-
The scheduler will prefer to schedule pods to nodes that satisfy
the affinity expressions specified by this field, but it may choose
a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node matches the corresponding matchExpressions; the
node(s) with the highest sum are the most preferred.
items:
description: |-
An empty preferred scheduling term matches all objects with implicit weight 0
(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
properties:
preference:
description: A node selector term, associated with
the corresponding weight.
properties:
matchExpressions:
description: A list of node selector requirements
by node's labels.
items:
description: |-
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: |-
Represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. If the operator is Gt or Lt, the values
array must have a single element, which will be interpreted as an integer.
This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchFields:
description: A list of node selector requirements
by node's fields.
items:
description: |-
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: |-
Represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. If the operator is Gt or Lt, the values
array must have a single element, which will be interpreted as an integer.
This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
type: object
x-kubernetes-map-type: atomic
weight:
description: Weight associated with matching the
corresponding nodeSelectorTerm, in the range 1-100.
format: int32
type: integer
required:
- preference
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to an update), the system
may or may not try to eventually evict the pod from its node.
properties:
nodeSelectorTerms:
description: Required. A list of node selector terms.
The terms are ORed.
items:
description: |-
A null or empty node selector term matches no objects. The requirements of
them are ANDed.
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
properties:
matchExpressions:
description: A list of node selector requirements
by node's labels.
items:
description: |-
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: |-
Represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. If the operator is Gt or Lt, the values
array must have a single element, which will be interpreted as an integer.
This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchFields:
description: A list of node selector requirements
by node's fields.
items:
description: |-
A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: |-
Represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
description: |-
An array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. If the operator is Gt or Lt, the values
array must have a single element, which will be interpreted as an integer.
This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
type: object
x-kubernetes-map-type: atomic
type: array
required:
- nodeSelectorTerms
type: object
x-kubernetes-map-type: atomic
type: object
podAffinity:
description: Describes pod affinity scheduling rules (e.g.
co-locate this pod in the same node, zone, etc. as some
other pod(s)).
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: |-
The scheduler will prefer to schedule pods to nodes that satisfy
the affinity expressions specified by this field, but it may choose
a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
fields are added per-node to find the most preferred
node(s)
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated
with the corresponding weight.
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
weight:
description: |-
weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to a pod label update), the
system may or may not try to eventually evict the pod from its node.
When there are multiple elements, the lists of nodes corresponding to each
podAffinityTerm are intersected, i.e. all terms must be satisfied.
items:
description: |-
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key <topologyKey> matches that of any node on which
a pod of the set of pods is running
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
type: array
type: object
podAntiAffinity:
description: Describes pod anti-affinity scheduling rules
(e.g. avoid putting this pod in the same node, zone, etc.
as some other pod(s)).
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: |-
The scheduler will prefer to schedule pods to nodes that satisfy
the anti-affinity expressions specified by this field, but it may choose
a node that violates one or more of the expressions. The node that is
most preferred is the one with the greatest sum of weights, i.e.
for each node that meets all of the scheduling requirements (resource
request, requiredDuringScheduling anti-affinity expressions, etc.),
compute a sum by iterating through the elements of this field and adding
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
fields are added per-node to find the most preferred
node(s)
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated
with the corresponding weight.
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
weight:
description: |-
weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
description: |-
If the anti-affinity requirements specified by this field are not met at
scheduling time, the pod will not be scheduled onto the node.
If the anti-affinity requirements specified by this field cease to be met
at some point during pod execution (e.g. due to a pod label update), the
system may or may not try to eventually evict the pod from its node.
When there are multiple elements, the lists of nodes corresponding to each
podAffinityTerm are intersected, i.e. all terms must be satisfied.
items:
description: |-
Defines a set of pods (namely those matching the labelSelector
relative to the given namespace(s)) that this pod should be
co-located (affinity) or not co-located (anti-affinity) with,
where co-located is defined as running on a node whose value of
the label with key <topologyKey> matches that of any node on which
a pod of the set of pods is running
properties:
labelSelector:
description: |-
A label query over a set of resources, in this case pods.
If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
Also, MatchLabelKeys cannot be set when LabelSelector isn't set.
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
description: |-
MismatchLabelKeys is a set of pod label keys to select which pods will
be taken into consideration. The keys are used to lookup values from the
incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)`
to select the group of existing pods which pods will be taken into consideration
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
pod labels will be ignored. The default value is empty.
The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector.
Also, MismatchLabelKeys cannot be set when LabelSelector isn't set.
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
description: |-
A label query over the set of namespaces that the term applies to.
The term is applied to the union of the namespaces selected by this field
and the ones listed in the namespaces field.
null selector and null or empty namespaces list means "this pod's namespace".
An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: |-
namespaces specifies a static list of namespace names that the term applies to.
The term is applied to the union of the namespaces listed in this field
and the ones selected by namespaceSelector.
null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
topologyKey:
description: |-
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where co-located is defined as running on a node
whose value of the label with key topologyKey matches that of any node on which any of the
selected pods is running.
Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
type: array
type: object
type: object
annotations:
additionalProperties:
type: string
description: |-
annotations is a map of string key and value pairs stored with the resource and
may be set by external tools to store and retrieve arbitrary metadata. They
are not queryable and should be preserved when modifying objects. More
info: http://kubernetes.io/docs/user-guide/annotations.
type: object
x-kubernetes-map-type: granular
envVars:
description: |-
envVars contain environment variables to be injected into containers.
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container.
items:
description: EnvVar represents an environment variable present
in a Container.
properties:
name:
description: Name of the environment variable. Must be a
C_IDENTIFIER.
type: string
value:
description: |-
Variable references $(VAR_NAME) are expanded
using the previously defined environment variables in the container and
any service environment variables. If a variable cannot be resolved,
the reference in the input string will be unchanged. Double $$ are reduced
to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
"$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
Escaped references will never be expanded, regardless of whether the variable
exists or not.
Defaults to "".
type: string
valueFrom:
description: Source for the environment variable's value.
Cannot be used if value is not empty.
properties:
configMapKeyRef:
description: Selects a key of a ConfigMap.
properties:
key:
description: The key to select.
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the ConfigMap or its
key must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
fieldRef:
description: |-
Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,
spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
properties:
apiVersion:
description: Version of the schema the FieldPath
is written in terms of, defaults to "v1".
type: string
fieldPath:
description: Path of the field to select in the
specified API version.
type: string
required:
- fieldPath
type: object
x-kubernetes-map-type: atomic
resourceFieldRef:
description: |-
Selects a resource of the container: only resources limits and requests
(limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
properties:
containerName:
description: 'Container name: required for volumes,
optional for env vars'
type: string
divisor:
anyOf:
- type: integer
- type: string
description: Specifies the output format of the
exposed resources, defaults to "1"
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
resource:
description: 'Required: resource to select'
type: string
required:
- resource
type: object
x-kubernetes-map-type: atomic
secretKeyRef:
description: Selects a key of a secret in the pod's
namespace
properties:
key:
description: The key of the secret to select from. Must
be a valid secret key.
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
optional:
description: Specify whether the Secret or its key
must be defined
type: boolean
required:
- key
type: object
x-kubernetes-map-type: atomic
type: object
required:
- name
type: object
type: array
labels:
additionalProperties:
type: string
description: |-
labels is a map of string key and value pairs that can be used to organize and categorize
(scope and select) objects.
More info: http://kubernetes.io/docs/user-guide/labels.
type: object
x-kubernetes-map-type: granular
podSecurityContext:
description: |-
PodSecurityContext holds pod-level security attributes and common container settings.
Some fields are also present in container.securityContext. Field values of
container.securityContext take precedence over field values of PodSecurityContext.
properties:
fsGroup:
description: |-
A special supplemental group that applies to all containers in a pod.
Some volume types allow the Kubelet to change the ownership of that volume
to be owned by the pod:
1. The owning GID will be the FSGroup
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw----
If unset, the Kubelet will not modify the ownership and permissions of any volume.
Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
fsGroupChangePolicy:
description: |-
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
before being exposed inside Pod. This field will only apply to
volume types which support fsGroup based ownership(and permissions).
It will have no effect on ephemeral volume types such as: secret, configmaps
and emptydir.
Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
Note that this field cannot be set when spec.os.name is windows.
type: string
runAsGroup:
description: |-
The GID to run the entrypoint of the container process.
Uses runtime default if unset.
May also be set in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence
for that container.
Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
runAsNonRoot:
description: |-
Indicates that the container must run as a non-root user.
If true, the Kubelet will validate the image at runtime to ensure that it
does not run as UID 0 (root) and fail to start the container if it does.
If unset or false, no such validation will be performed.
May also be set in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
description: |-
The UID to run the entrypoint of the container process.
Defaults to user specified in image metadata if unspecified.
May also be set in SecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence
for that container.
Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
seLinuxOptions:
description: |-
The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random SELinux context for each
container. May also be set in SecurityContext. If set in
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: |-
The seccomp options to use by the containers in this pod.
Note that this field cannot be set when spec.os.name is windows.
properties:
localhostProfile:
description: |-
localhostProfile indicates a profile defined in a file on the node should be used.
The profile must be preconfigured on the node to work.
Must be a descending path, relative to the kubelet's configured seccomp profile location.
Must be set if type is "Localhost". Must NOT be set for any other type.
type: string
type:
description: |-
type indicates which kind of seccomp profile will be applied.
Valid options are:
Localhost - a profile defined in a file on the node should be used.
RuntimeDefault - the container runtime default profile should be used.
Unconfined - no profile should be applied.
type: string
required:
- type
type: object
supplementalGroups:
description: |-
A list of groups applied to the first process run in each container, in addition
to the container's primary GID, the fsGroup (if specified), and group memberships
defined in the container image for the uid of the container process. If unspecified,
no additional groups are added to any container. Note that group memberships
defined in the container image for the uid of the container process are still effective,
even if they are not included in this list.
Note that this field cannot be set when spec.os.name is windows.
items:
format: int64
type: integer
type: array
sysctls:
description: |-
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
sysctls (by the container runtime) might fail to launch.
Note that this field cannot be set when spec.os.name is windows.
items:
description: Sysctl defines a kernel parameter to be set
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
required:
- name
- value
type: object
type: array
windowsOptions:
description: |-
The Windows specific settings applied to all containers.
If unspecified, the options within a container's SecurityContext will be used.
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
Note that this field cannot be set when spec.os.name is linux.
properties:
gmsaCredentialSpec:
description: |-
GMSACredentialSpec is where the GMSA admission webhook
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
GMSA credential spec named by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of the
GMSA credential spec to use.
type: string
hostProcess:
description: |-
HostProcess determines if a container should be run as a 'Host Process' container.
All of a Pod's containers must have the same effective HostProcess value
(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
In addition, if HostProcess is true then HostNetwork must also be set to true.
type: boolean
runAsUserName:
description: |-
The UserName in Windows to run the entrypoint of the container process.
Defaults to the user specified in image metadata if unspecified.
May also be set in PodSecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
type: string
type: object
type: object
priorityClassName:
description: priorityClassName specifies the priority class for
the pod (if any).
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
probe:
description: probe contains the fields for standard Kubernetes
readiness/liveness probe configuration.
properties:
liveness:
description: |-
liveness configures the Kubernetes probe settings. The changes
will override the existing default configuration.
properties:
failureThreshold:
description: |-
failureThreshold is the minimum consecutive failures for the probe to be considered failed.
Confluent Platform components come with the right configuration, and this setting is not required to change most of the time.
format: int32
type: integer
initialDelaySeconds:
description: |-
initialDelaySeconds is the number of seconds after the container has started and before probes are initiated.
Confluent Platform components come with the right configuration, and this setting is not required to change most of the time.
format: int32
type: integer
path:
description: Path for the HTTP probe
type: string
periodSeconds:
description: |-
periodSeconds specifies how often to perform the probe.
Confluent Platform components come with the right configuration, and this setting is not required to change most of the time.
format: int32
type: integer
port:
description: Number of the port to access on the container
type: integer
successThreshold:
description: |-
successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed.
The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`.
format: int32
type: integer
timeoutSeconds:
description: |-
timeoutSeconds is the number of seconds after which the probe times out.
Confluent Platform components come with the right configuration, and this setting is not required to change most of the time.
format: int32
type: integer
type: object
readiness:
description: |-
readiness configures the Kubernetes probe setting. The changes
will override the existing default configuration.
properties:
failureThreshold:
description: |-
failureThreshold is the minimum consecutive failures for the probe to be considered failed.
Confluent Platform components come with the right configuration, and this setting is not required to change most of the time.
format: int32
type: integer
initialDelaySeconds:
description: |-
initialDelaySeconds is the number of seconds after the container has started and before probes are initiated.
Confluent Platform components come with the right configuration, and this setting is not required to change most of the time.
format: int32
type: integer
path:
description: Path for the HTTP probe
type: string
periodSeconds:
description: |-
periodSeconds specifies how often to perform the probe.
Confluent Platform components come with the right configuration, and this setting is not required to change most of the time.
format: int32
type: integer
port:
description: Number of the port to access on the container
type: integer
successThreshold:
description: |-
successThreshold is the minimum consecutive successes for the probe to be considered successful after having failed.
The default values is `1`. Must be `1` for liveness and startup. The minimum value is `1`.
format: int32
type: integer
timeoutSeconds:
description: |-
timeoutSeconds is the number of seconds after which the probe times out.
Confluent Platform components come with the right configuration, and this setting is not required to change most of the time.
format: int32
type: integer
type: object
type: object
resources:
description: resources describe the compute resource requirements.
properties:
claims:
description: |-
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
description: |-
Name must match the name of one entry in pod.spec.resourceClaims of
the Pod where this field is used. It makes that resource available
inside a container.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
securityContext:
description: |-
SecurityContext holds security configuration that will be applied to a container.
Some fields are present in both SecurityContext and PodSecurityContext. When both
are set, the values in SecurityContext take precedence.
properties:
allowPrivilegeEscalation:
description: |-
AllowPrivilegeEscalation controls whether a process can gain more
privileges than its parent process. This bool directly controls if
the no_new_privs flag will be set on the container process.
AllowPrivilegeEscalation is true always when the container is:
1) run as Privileged
2) has CAP_SYS_ADMIN
Note that this field cannot be set when spec.os.name is windows.
type: boolean
capabilities:
description: |-
The capabilities to add/drop when running containers.
Defaults to the default set of capabilities granted by the container runtime.
Note that this field cannot be set when spec.os.name is windows.
properties:
add:
description: Added capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
drop:
description: Removed capabilities
items:
description: Capability represent POSIX capabilities
type
type: string
type: array
type: object
privileged:
description: |-
Run container in privileged mode.
Processes in privileged containers are essentially equivalent to root on the host.
Defaults to false.
Note that this field cannot be set when spec.os.name is windows.
type: boolean
procMount:
description: |-
procMount denotes the type of proc mount to use for the containers.
The default is DefaultProcMount which uses the container runtime defaults for
readonly paths and masked paths.
This requires the ProcMountType feature flag to be enabled.
Note that this field cannot be set when spec.os.name is windows.
type: string
readOnlyRootFilesystem:
description: |-
Whether this container has a read-only root filesystem.
Default is false.
Note that this field cannot be set when spec.os.name is windows.
type: boolean
runAsGroup:
description: |-
The GID to run the entrypoint of the container process.
Uses runtime default if unset.
May also be set in PodSecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
runAsNonRoot:
description: |-
Indicates that the container must run as a non-root user.
If true, the Kubelet will validate the image at runtime to ensure that it
does not run as UID 0 (root) and fail to start the container if it does.
If unset or false, no such validation will be performed.
May also be set in PodSecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
description: |-
The UID to run the entrypoint of the container process.
Defaults to user specified in image metadata if unspecified.
May also be set in PodSecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
seLinuxOptions:
description: |-
The SELinux context to be applied to the container.
If unspecified, the container runtime will allocate a random SELinux context for each
container. May also be set in PodSecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
Note that this field cannot be set when spec.os.name is windows.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: |-
The seccomp options to use by this container. If seccomp options are
provided at both the pod & container level, the container options
override the pod options.
Note that this field cannot be set when spec.os.name is windows.
properties:
localhostProfile:
description: |-
localhostProfile indicates a profile defined in a file on the node should be used.
The profile must be preconfigured on the node to work.
Must be a descending path, relative to the kubelet's configured seccomp profile location.
Must be set if type is "Localhost". Must NOT be set for any other type.
type: string
type:
description: |-
type indicates which kind of seccomp profile will be applied.
Valid options are:
Localhost - a profile defined in a file on the node should be used.
RuntimeDefault - the container runtime default profile should be used.
Unconfined - no profile should be applied.
type: string
required:
- type
type: object
windowsOptions:
description: |-
The Windows specific settings applied to all containers.
If unspecified, the options from the PodSecurityContext will be used.
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
Note that this field cannot be set when spec.os.name is linux.
properties:
gmsaCredentialSpec:
description: |-
GMSACredentialSpec is where the GMSA admission webhook
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
GMSA credential spec named by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of the
GMSA credential spec to use.
type: string
hostProcess:
description: |-
HostProcess determines if a container should be run as a 'Host Process' container.
All of a Pod's containers must have the same effective HostProcess value
(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
In addition, if HostProcess is true then HostNetwork must also be set to true.
type: boolean
runAsUserName:
description: |-
The UserName in Windows to run the entrypoint of the container process.
Defaults to the user specified in image metadata if unspecified.
May also be set in PodSecurityContext. If set in both SecurityContext and
PodSecurityContext, the value specified in SecurityContext takes precedence.
type: string
type: object
type: object
serviceAccountName:
description: |-
ServiceAccountName is the name of the service account used to run this pod.
More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account.
type: string
terminationGracePeriodSeconds:
description: terminationGracePeriodSeconds is the grace period
before the pod is deleted.
format: int64
type: integer
tolerations:
description: |-
tolerations specify the pods to schedule onto the nodes with matching taints, using
the triple `<key,value,effect>` and the matching operator `<operator>`.
items:
description: |-
The pod this Toleration is attached to tolerates any taint that matches
the triple <key,value,effect> using the matching operator <operator>.
properties:
effect:
description: |-
Effect indicates the taint effect to match. Empty means match all taint effects.
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: |-
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
type: string
tolerationSeconds:
description: |-
TolerationSeconds represents the period of time the toleration (which must be
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
it is not set, which means tolerate the taint forever (do not evict). Zero and
negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
description: |-
Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
topologySpreadConstraints:
description: |-
topologySpreadConstraints describe how a group of pods ought to spread across topology domains. Scheduler will
schedule pods based on the constraints. All topologySpreadConstraints are ANDed.
items:
description: TopologySpreadConstraint specifies how to spread
matching pods among the given topology.
properties:
labelSelector:
description: |-
LabelSelector is used to find matching pods.
Pods that match this label selector are counted to determine the number of pods
in their corresponding topology domain.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
description: |-
MatchLabelKeys is a set of pod label keys to select the pods over which
spreading will be calculated. The keys are used to lookup values from the
incoming pod labels, those key-value labels are ANDed with labelSelector
to select the group of existing pods over which spreading will be calculated
for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
MatchLabelKeys cannot be set when LabelSelector isn't set.
Keys that don't exist in the incoming pod labels will
be ignored. A null or empty list means only match against labelSelector.
This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
maxSkew:
description: |-
MaxSkew describes the degree to which pods may be unevenly distributed.
When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
between the number of matching pods in the target topology and the global minimum.
The global minimum is the minimum number of matching pods in an eligible domain
or zero if the number of eligible domains is less than MinDomains.
For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
labelSelector spread as 2/2/1:
In this case, the global minimum is 1.
| zone1 | zone2 | zone3 |
| P P | P P | P |
- if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
violate MaxSkew(1).
- if MaxSkew is 2, incoming pod can be scheduled onto any zone.
When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
to topologies that satisfy it.
It's a required field. Default value is 1 and 0 is not allowed.
format: int32
type: integer
minDomains:
description: |-
MinDomains indicates a minimum number of eligible domains.
When the number of eligible domains with matching topology keys is less than minDomains,
Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
And when the number of eligible domains with matching topology keys equals or greater than minDomains,
this value has no effect on scheduling.
As a result, when the number of eligible domains is less than minDomains,
scheduler won't schedule more than maxSkew Pods to those domains.
If value is nil, the constraint behaves as if MinDomains is equal to 1.
Valid values are integers greater than 0.
When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
labelSelector spread as 2/2/2:
| zone1 | zone2 | zone3 |
| P P | P P | P P |
The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
In this situation, new pod with the same labelSelector cannot be scheduled,
because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
it will violate MaxSkew.
This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
format: int32
type: integer
nodeAffinityPolicy:
description: |-
NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
when calculating pod topology spread skew. Options are:
- Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
- Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy.
This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
description: |-
NodeTaintsPolicy indicates how we will treat node taints when calculating
pod topology spread skew. Options are:
- Honor: nodes without taints, along with tainted nodes for which the incoming pod
has a toleration, are included.
- Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy.
This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
description: |-
TopologyKey is the key of node labels. Nodes that have a label with this key
and identical values are considered to be in the same topology.
We consider each <key, value> as a "bucket", and try to put balanced number
of pods into each bucket.
We define a domain as a particular instance of a topology.
Also, we define an eligible domain as a domain whose nodes meet the requirements of
nodeAffinityPolicy and nodeTaintsPolicy.
e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
It's a required field.
type: string
whenUnsatisfiable:
description: |-
WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
the spread constraint.
- DoNotSchedule (default) tells the scheduler not to schedule it.
- ScheduleAnyway tells the scheduler to schedule the pod in any location,
but giving higher precedence to topologies that would help reduce the
skew.
A constraint is considered "Unsatisfiable" for an incoming pod
if and only if every possible node assignment for that pod would violate
"MaxSkew" on some topology.
For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
labelSelector spread as 3/1/1:
| zone1 | zone2 | zone3 |
| P P P | P | P |
If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
won't make it *more* imbalanced.
It's a required field.
type: string
required:
- maxSkew
- topologyKey
- whenUnsatisfiable
type: object
type: array
type: object
replicas:
description: |-
replicas is the desired number of replicas.
A change to this setting will roll the cluster.
format: int32
type: integer
storageClass:
description: storageClass references the user-provided storage class.
properties:
name:
description: name is the storage class name.
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
telemetry:
description: telemetry specifies the Confluent telemetry reporter
configuration.
properties:
global:
description: |-
global allows disabling telemetry configuration.
If CFK is deployed with telemetry, this field is only
used to disable telemetry. The default value is `true` if
telemetry is enabled at the global level.
type: boolean
type: object
tls:
description: tls specifies the TLS configurations.
properties:
autoGeneratedCerts:
description: |-
autoGeneratedCerts specifies that the certificates are auto-generated based on
the CA key pair provided.
type: boolean
directoryPathInContainer:
description: |-
directoryPathInContainer specifies the directory path in the container where
`keystore.jks`, `truststore.jks`, and `jksPassword.txt` keys are mounted.
`truststore.jks` is not configured and can be ignored when the `ignoreTrustStoreConfig` field is set to `true`.
minLength: 1
type: string
fips:
description: |-
fips specifies the configuration of FIPS compliant Bouncy Castle type Java Keystores for the cp component's
TLS settings. TLS Secrets must have the keys keystore.bcfks, truststore.bcfks, and jksPassword.txt
properties:
enabled:
description: enabled specifies whether to enable the FIPS
configuration for cp components.
type: boolean
required:
- enabled
type: object
ignoreTrustStoreConfig:
description: |-
ignoreTrustStoreConfig indicates whether to ignore the truststore configuration
for the Confluent component.
type: boolean
jksPassword:
description: jksPassword references the secret containing the
JKS password.
properties:
secretRef:
description: |-
secretRef references the name of the secret containing the JKS password.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- secretRef
type: object
secretRef:
description: |-
secretRef references the secret containing the certificates.
More info: https://docs.confluent.io/operator/current/co-network-encryption.html#configure-user-provided-tls-certificates
maxLength: 30
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
required:
- dataVolumeCapacity
- image
type: object
status:
description: status defines the observed state of the Control Center cluster.
properties:
arbitraryData:
description: arbitraryData is the map for any arbitrary data associated
with this Confluent component.
x-kubernetes-preserve-unknown-fields: true
authorizationType:
description: authorizationType is the authorization type for this
Confluent component.
type: string
clusterName:
description: clusterName is the name of the Confluent Platform component
cluster.
type: string
clusterNamespace:
description: clusterNamespace is the namespace where the Confluent
Platform component cluster is running.
type: string
conditions:
description: conditions specify the latest available observations
of the current state.
items:
description: Condition represent the latest available observations
of the current state.
properties:
lastProbeTime:
description: lastProbeTime shows the last time the condition
was evaluated.
format: date-time
type: string
lastTransitionTime:
description: lastTransitionTime shows the last time the condition
was transitioned from one status to another.
format: date-time
type: string
message:
description: message shows a human-readable message with details
about the transition.
type: string
reason:
description: reason shows the reason for the last transition
of the condition.
type: string
status:
description: status shows the status of the condition, one of
`True`, `False`, or `Unknown`.
type: string
type:
description: type shows the condition type.
type: string
type: object
type: array
controlCenterName:
description: name is the name of the Control Center cluster.
type: string
currentReplicas:
description: currentReplicas is the number of currently running replicas.
format: int32
type: integer
id:
description: id is the identifier of the Control Center cluster.
format: int32
type: integer
internalSecrets:
description: |-
internalSecrets are internal secrets created
by CFK for this Confluent component.
items:
type: string
type: array
internalTopicNames:
description: internalTopicNames are the topics used by the component
for internal use.
items:
type: string
type: array
kafka:
description: kafka is the Kafka client side status for the Control
Center cluster.
properties:
authenticationType:
description: authenticationType describes the authentication method
for the Kafka cluster.
type: string
bootstrapEndpoint:
description: bootstrapEndpoint specifies the Kafka bootstrap endpoint.
type: string
tls:
description: tls indicates whether TLS is enabled for the Kafka
dependency.
type: boolean
type: object
observedGeneration:
description: observedGeneration is the most recent generation observed
for this Confluent component.
format: int64
type: integer
operatorVersion:
description: operatorVersion is the internal version of CFK.
type: string
phase:
description: |-
phase describes the state of the Confluent Platform component. This can either be 'PROVISIONING'
or 'RUNNING'
'PROVISIONING' means the Confluent Platform component is currently getting deployed and not ready yet.
'RUNNING' means the Confluent Platform component has been successfully deployed.
type: string
rbac:
description: rbac contains the RBAC-related status when RBAC is enabled.
properties:
clusterID:
description: clusterID specifies the id of the cluster.
type: string
internalRolebindings:
description: internalRolebindings specifies the internal rolebindings.
items:
type: string
type: array
type: object
readyReplicas:
description: readyReplicas is the number of currently ready replicas.
format: int32
type: integer
replicas:
description: replicas is the number of replicas.
format: int32
type: integer
restConfig:
description: restConfig is the REST API configuration of the Control
Center cluster.
properties:
advertisedExternalEndpoints:
description: advertisedExternalEndpoints specifies other advertised
endpoints used, especially for Kafka.
items:
type: string
type: array
authenticationType:
description: authenticationType shows the authentication type
configured by the listener.
type: string
externalAccessType:
description: externalAccessType shows the external access type
used for the listener.
type: string
externalEndpoint:
description: externalEndpoint specifies the external endpoint
to connect to the Confluent component cluster.
type: string
internalEndpoint:
description: internalEndpoint specifies the internal endpoint
to connect to the Confluent component cluster.
type: string
tls:
description: tls shows whether TLS is configured for the listener.
type: boolean
type: object
selector:
description: |-
selector gets the label selector of the child pod.
The Horizontal Pod Autoscaler(HPA) will scale using the label selector of the child pod.
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
scale:
specReplicasPath: .spec.replicas
statusReplicasPath: .status.replicas
status: {}