{{- if .Values.crds.install }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: rewritepolicies.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com names: kind: rewritepolicy plural: rewritepolicies singular: rewritepolicy scope: Namespaced versions: - name: v1 served: true storage: true subresources: status: {} additionalPrinterColumns: - name: Status type: string description: "Current Status of the CRD" jsonPath: .status.state - name: Message type: string description: "Status Message" jsonPath: .status.status_message schema: openAPIV3Schema: type: object properties: status: type: object properties: state: type: string status_message: type: string spec: type: object properties: ingressclass: type: string description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" rewrite-policies: type: array items: type: object properties: servicenames: description: 'Name of the services that needs to be binded to rewrite policy.' type: array items: type: string maxLength: 127 goto-priority-expression: description: 'Expression or other value specifying the next policy to be evaluated if the current policy evaluates to TRUE. Specify one of the following values: * NEXT - Evaluate the policy with the next higher priority number. * END - End policy evaluation. Default value of goto-priority-expression: END' type: string maxLength: 1499 logpackets: type: object description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' properties: logexpression: description: 'Default-syntax expression that defines the format and content of the log message.' type: string maxLength: 7991 loglevel: description: 'Audit log level, which specifies the severity level of the log message being generated.' 
type: string enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] required: [logexpression, loglevel] rewrite-policy: type: object properties: rewrite-criteria: description: 'Expression against which traffic is evaluated.' type: string maxLength: 1299 default-action: description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). An UNDEF event indicates an internal error condition.' type: string maxLength: 77 enum: ['NOREWRITE', 'RESET', 'DROP'] operation: description: 'Type of user-defined rewrite action.' type: string enum: ["noop", "delete", "insert_http_header", "delete_http_header", "corrupt_http_header", "insert_before", "insert_after", "replace", "replace_http_res", "delete_all", "replace_all", "insert_before_all", "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", "replace_dns_header_field", "replace_dns_answer_section"] target: description: 'Default syntax expression that specifies which part of the request or response to rewrite.' type: string maxLength: 1229 modify-expression: description: 'Default syntax expression that specifies the content to insert into the request or response at the specified location, or that replaces the specified string.' type: string maxLength: 7991 multiple-occurence-modify: description: 'Search facility that is used to match multiple strings in the request or response.' type: string maxLength: 171 additional-multiple-occurence-modify: description: 'Specify additional criteria to refine the results of the search. Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data and "n" specifies number of bytes to the right of selected data. 
You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' type: string maxLength: 1299 direction: description: 'Bind point to which to bind the policy.' type: string enum: ["REQUEST","RESPONSE"] comment: description: 'Any comments to preserve information about this rewrite policy.' type: string maxLength: 255 required: [rewrite-criteria, operation, target, direction] required: [rewrite-policy] responder-policies: type: array items: type: object properties: servicenames: description: 'Name of the services that needs to be binded to responder policy.' type: array items: type: string maxLength: 127 goto-priority-expression: description: 'Expression or other value specifying the next policy to be evaluated if the current policy evaluates to TRUE. Specify one of the following values: * NEXT - Evaluate the policy with the next higher priority number. * END - End policy evaluation. Default value of goto-priority-expression: END' type: string maxLength: 1499 logpackets: type: object description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' properties: logexpression: description: 'Default-syntax expression that defines the format and content of the log message.' type: string maxLength: 7991 loglevel: description: 'Audit log level, which specifies the severity level of the log message being generated.' type: string enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] required: [logexpression, loglevel] responder-policy: type: object properties: redirect: type: object description: 'Use this option when you want to Redirect the request when request matches to policy.' properties: url: description: 'URL on which you want to redirect the request.' type: string maxLength: 7991 redirect-status-code: description: 'HTTP response status code, for example 200, 302, 404, etc.' 
type: integer minimum: 100 maximum: 599 redirect-reason: description: 'Expression specifying the reason for redirecting the request.' type: string maxLength: 7991 required: [url] respondwith: type: object description: 'Use this parameter when you want to respond to the request when request matches to policy.' properties: http-payload-string: description: 'Expression that you want to sent as response to the request.' type: string maxLength: 7991 required: [http-payload-string] noop: type: string description: 'Use this option when you want to send the request to the protected server instead of responding to it when request matches to policy.' properties: target: description: 'Default syntax expression that specifies to perform noop operation on' type: string maxLength: 1229 reset: type: string description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' properties: drop: type: string description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' properties: respond-criteria: description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' type: string maxLength: 1299 default-action: description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). An UNDEF event indicates an internal error condition.' type: string maxLength: 77 enum: ['NOOP', 'RESET', 'DROP'] comment: description: 'Any comments to preserve information about this responder policy.' type: string maxLength: 255 required: [respond-criteria] oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] required: [responder-policy] dataset: type: array items: type: object properties: name: description: 'Name of the dataset.' type: string maxLength: 32 type: description: 'Type of value to bind to the dataset.' 
type: string enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] comment: description: 'Any comments to preserve information about this dataset.' type: string maxLength: 255 values: description: 'Value of the specified type that is associated with this dataset.' type: array items: type: string required: [name, type, values] patset: type: array items: type: object properties: name: description: 'Name of the Patset.' type: string maxLength: 32 comment: description: 'Any comments to preserve information about this patset.' type: string maxLength: 255 values: description: 'String of characters that constitutes a pattern and is associated with this patset.' type: array items: type: string required: [name, values] stringmap: type: array items: type: object properties: name: description: 'Name of the Stringmap.' type: string maxLength: 32 comment: description: 'Any comments to preserve information about this stringmap.' type: string maxLength: 255 values: description: 'List of (key,value) pairs to be bound to this string map.' type: array items: type: object properties: key: description: 'Character string constituting the key to be bound to this string map.' type: string maxLength: 2047 value: description: 'Character string constituting the value associated with the key.' type: string maxLength: 2047 required: [name, values] httpcallout_policy: type: array items: type: object properties: name: description: 'httpcallout name' type: string maxLength: 32 server_ip: description: 'IP Address of the server(callout agent) to which the callout is sent.' type: string server_port: description: 'Port of the server(callout agent) to which the callout is sent.' type: integer minimum: 1 maximum: 65535 http_method: description: |+ 'Method used in the HTTP request that this callout sends. Default http method is GET' type: string enum: ['GET', 'POST'] host_expr: description: |+ 'String expression to configure the Host header. 
Can contain a literal value (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). The literal value can be an IP address or a fully qualified domain name. Mutually exclusive with the full HTTP request expression.' type: string maxLength: 255 url_stem_expr: description: |+ 'String expression for generating the URL stem. Can contain a literal string (for example, "/mysite/index.html") or an expression that derives the value (for example, http.req.url).' type: string maxLength: 8191 headers: type: array description: |+ 'One or more headers to insert into the HTTP request. Each header is represented by name and expr, where expr is an expression that is evaluated at runtime to provide the value for the named header. You can configure a maximum of eight headers for an HTTP callout.' items: type: object properties: name: description: 'header name' type: string expr: description: 'header expression' type: string parameters: type: array description: |+ 'One or more query parameters to insert into the HTTP request URL (for a GET request) or into the request body (for a POST request). Each parameter is represented by name and expr, where expr is an expression that is evaluated at run time to provide the value for the named parameter (name=value). The parameter values are URL encoded.' items: type: object properties: name: description: 'parameter name' type: string expr: description: 'parameter expression' type: string body_expr: description: |+ 'An advanced string expression for generating the body of the request. The expression can contain a literal string or an expression that derives the value (for example, client.ip.src).' type: string full_req_expr: description: |+ 'Exact HTTP request, in the form of an expression, which the Citrix ADC sends to the callout agent. The request expression is constrained by the feature for which the callout is used. 
For example, an HTTP.RES expression cannot be used in a request-time policy bank or in a TCP content switching policy bank.' type: string scheme: description: |+ 'Type of scheme for the callout server. Default scheme is HTTP' type: string enum: ['HTTP', 'HTTPS'] cache_for_secs: description: |+ 'Duration, in seconds, for which the callout response is cached. The cached responses are stored in an integrated caching content group named "calloutContentGroup". If no duration is configured, the callout responses will not be cached unless normal caching configuration is used to cache them. This parameter takes precedence over any normal caching configuration that would otherwise apply to these responses.' type: integer minimum: 1 maximum: 31536000 return_type: description: |+ 'Type of data that the target callout agent returns in response to the callout Available settings function as follows: * TEXT - Treat the returned value as a text string. * NUM - Treat the returned value as a number. * BOOL - Treat the returned value as a Boolean value.' type: string enum: ['TEXT', 'NUM', 'BOOL'] result_expr: description: |+ 'Expression that extracts the callout results from the response sent by the HTTP callout agent. Must be a response based expression, that is, it must begin with HTTP.RES. The operations in this expression must match the return type. For example, if you configure a return type of TEXT, the result expression must be a text based expression. If the return type is NUM, the result expression (resultExpr) must return a numeric value, as in the following example: http.res.body(10000).length.' type: string maxLength: 8191 comment: description: 'Any comments to preserve information about this HTTP callout.' 
type: string maxLength: 255 allOf: - properties: required: [name, server_ip, server_port] - properties: oneOf: - properties: required: [full_req_expr] - properties: anyOf: - properties: required: [http_method] - properties: required: [host_expr] - properties: required: [url_stem_expr] - properties: required: [headers] - properties: required: [parameters] - properties: required: [body_expr] anyOf: [required: [rewrite-policies], required: [responder-policies]] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: ratelimits.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com names: kind: ratelimit plural: ratelimits singular: ratelimit scope: Namespaced versions: - name: v1beta1 served: true storage: true subresources: status: {} additionalPrinterColumns: - name: Status type: string description: "Current Status of the CRD" jsonPath: .status.state - name: Message type: string description: "Status Message" jsonPath: .status.status_message schema: openAPIV3Schema: type: object properties: status: type: object properties: state: type: string status_message: type: string spec: type: object properties: ingressclass: type: string description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" servicenames: description: 'Name of the services to which the ratelimit policies are applied.' type: array items: type: string maxLength: 127 selector_keys: type: object description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. 
If no keys are specified, rate-limit applies at service level' properties: basic: type: object description: "Basic traffic stream selection criteria to which to apply the ratelimit" properties: path: type: array description: "api resource path prefix match. e.g. /api/v1/products" items: type: string method: type: array items: type: string enum: ['GET', 'PUT', 'POST','DELETE'] header_name: description: "HTTP header that identifies the unique API client for e.g. X-apikey" type: string per_client_ip: description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" type: boolean req_threshold: description: 'Max requests per timeslice units to be allowed' type: integer timeslice: description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' type: integer limittype: description: "Burst mode or smooth. Defaults to smooth limittype if not specified" type: string enum: ['BURSTY','SMOOTH'] throttle_action: type: string enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" redirect_url: type: string description: "Redirect-URL" logpackets: type: object description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' properties: logexpression: description: 'Default-syntax expression that defines the format and content of the log message.' type: string maxLength: 7991 loglevel: description: 'Audit log level, which specifies the severity level of the log message being generated.' 
type: string enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] required: [logexpression, loglevel] required: [req_threshold] --- #Sample CRD instance #apiVersion: citrix.com/v1 #description: VIP for apache service #kind: vip #metadata: # name: service-apache # namespace: default #spec: # description: VIP for the apache Service # ipaddress: 10.99.98.90 # kind: service # name: apache apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: vips.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com names: kind: vip plural: vips singular: vip scope: Namespaced versions: - name: v1 served: true storage: true additionalPrinterColumns: - jsonPath: .spec.ipaddress name: VIP type: string - name: Age type: date jsonPath: .metadata.creationTimestamp schema: openAPIV3Schema: type: object properties: spec: type: object properties: ipaddress: type: string name: type: string kind: type: string enum: ["service", "ingress"] description: type: string range-name: type: string --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: authpolicies.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com names: kind: authpolicy plural: authpolicies singular: authpolicy scope: Namespaced versions: - name: v1beta1 served: true storage: true subresources: status: {} additionalPrinterColumns: - name: Status type: string description: 'Current Status of the CRD' jsonPath: .status.state - name: Message type: string description: 'Status Message' jsonPath: .status.status_message schema: openAPIV3Schema: type: object properties: status: type: object properties: state: type: string status_message: type: string spec: type: object properties: ingressclass: type: string description: "Ingress class, if not specified then all citrix ingress controllers in 
the cluster will process the resource otherwise only the controller with that ingress class will process this resource" servicenames: description: |+ 'Name of the services for which the policies applied' type: array items: type: string maxLength: 63 authentication_mechanism: type: object description: |+ 'Authentication mechanism. Options: using forms or using request header. Default is Authentication using request header, when no option is specified' properties: using_request_header: description: |+ 'Enable user authentication using request header. Use when the credentials or api keys are passed in a header. For example, when using Basic, Digest, Bearer authentication or api keys. When authentication using forms is provided, this is set to OFF' type: string using_forms: type: object description: 'Enables authentication using forms. Use with user/web authentication.' properties: authentication_host: description: |+ 'Fully qualified domain name (FQDN) for authentication. This FQDN should be unique and should resolve to frontend IP of ADC with Ingress/service type LoadBalancer (or) vip of Listener CRD' type: string maxLength: 255 authentication_host_cert: description: |+ 'Name of the SSL certificate to be used with authentication_host. This certificate is mandatory while using_forms' type: object properties: tls_secret: type: string description: 'Name of the Kubernetes Secret of type tls referring to Certificate' pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' preconfigured: type: string maxLength: 63 description: |+ 'Preconfigured SSL certkey name on ADC with the certificate and key already added on ADC' oneOf: - properties: required: [tls_secret] - properties: required: [preconfigured] ingress_name: description: |+ 'Ingress name for which the authentication using forms is applicable.' type: string maxLength: 63 lb_service_name: description: |+ 'Service of type LoadBalancer for which the authentication using forms is applicable.' 
type: string maxLength: 63 listener_name: description: |+ 'Listener CRD name for which the authentication using forms is applicable.' type: string maxLength: 63 vip: description: |+ 'Frontend IP of ingress for which the authentication using forms is applicable. This refers to frontend-ip provided with Ingress. It is suggested to use vip, if more than one Ingress resource use the same frontend-ip' type: string required: [authentication_host, authentication_host_cert] oneOf: - properties: required: [ingress_name] - properties: required: [lb_service_name] - properties: required: [listener_name] - properties: required: [vip] oneOf: - properties: using_request_header: enum: ['ON'] required: [using_request_header] - properties: required: [using_forms] authentication_providers: description: |+ 'Authentication Configuration for required authentication providers/schemes. One or more of these can be created' type: array items: description: 'Create config for a single authentication provider of a particular type' type: object properties: name: description: 'Name for this provider, has to be unique, referenced by authentication policies' type: string maxLength: 127 oauth: description: 'Authentication provided by external oAuth provider' type: object properties: issuer: description: 'Identity of the server whose tokens are to be accepted' type: string maxLength: 127 audience: description: 'Audience for which token sent by Authorization server is applicable' type: array items: type: string maxLength: 127 jwks_uri: description: |+ 'URL of the endpoint that contains JWKs (Json Web Key) for JWT (Json Web Token) verification' type: string maxLength: 127 introspect_url: description: ' URL of the introspection server' type: string maxLength: 127 client_credentials: description: |+ 'secrets object that contains Client Id and secret as known to Introspection server' type: string maxLength: 253 token_in_hdr: description: |+ 'custom header name where token is present, default is 
Authorization header' type: array items: type: string maxLength: 127 maxItems: 2 token_in_param: description: 'query parameter name where token is present' type: array items: type: string maxLength: 127 maxItems: 2 signature_algorithms: description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' type: array items: type: string enum: ['HS256', 'RS256', 'RS512'] claims_to_save: description: 'list of claims to be saved, used to create authorization policies' type: array items: type: string maxLength: 127 metadata_url: description: 'URL used to get OAUTH/OIDC provider metadata' type: string maxLength: 255 user_field: description: |+ 'Attribute in the token from which username should be extracted. by default, ADC looks at email attribute for user id' type: string maxLength: 127 default_group: description: |+ 'group assigned to the request if authentication succeeds, this is in addition to any extracted groups from token' type: string maxLength: 63 grant_type: description: 'used to specify the type of flow to the token end point, defaults to CODE' type: array items: type: string enum: ['CODE','PASSWORD'] pkce: description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' type: string enum: ['ENABLED', 'DISABLED'] token_ep_auth_method: description: |+ 'authentication method to be used with token end point, defaults to client_secret_post' type: string enum: ['client_secret_post', 'client_secret_jwt'] anyOf: - properties: required : [jwks_uri] - properties: required : [introspect_url, client_credentials] - properties: required : [metadata_url] ldap: description: 'LDAP authentication provider' type: object properties: server_ip: description: 'IP address assigned to the LDAP server' type: string server_name: description: 'LDAP server name as a FQDN' type: string maxLength: 127 server_port: description: 'Port on which the LDAP server accepts connections. 
Default is 389' type: integer minimum: 1 maximum: 65535 base: description: |+ 'Base (node) from which to start LDAP searches. If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com' type: string maxLength: 127 server_login_credentials: description: |+ 'Kubernetes secret object providing credentials to login to LDAP server, The secret data should have username and password' type: string login_name: description: |+ 'LDAP login name attribute. The Citrix ADC uses the LDAP login name to query external LDAP servers or Active Directories' type: string maxLength: 127 security_type: description: |+ 'Type of security used for communications between the Citrix ADC and the LDAP server. Default is TLS' type: string enum: ['PLAINTEXT', 'TLS', 'SSL'] validate_server_cert: description: 'Validate LDAP Server certs. Default is NO' type: string enum: ['YES', 'NO'] hostname: description: |+ 'Hostname for the LDAP server. If validate_server_cert is ON, this must be the host name on the certificate from the LDAP A hostname mismatch will cause a connection failure' type: string maxLength: 127 sub_attribute_name: description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' type: string maxLength: 31 group_attribute_name: description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' type: string maxLength: 31 search_filter: description: |+ 'String to be combined with the default LDAP user search string to form the search value. 
For example, if the search filter "vpnallowed=true" is combined with the LDAP login name "samaccount" and the user-supplied username is "bob", the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" (Be sure to enclose the search string in two sets of double quotation marks)' type: string maxLength: 255 auth_timeout: description: |+ 'Number of seconds the Citrix ADC waits for a response from the server Default is 3' type: integer minimum: 1 maximum: 4294967295 password_change: description: 'Allow password change requests. Default is DISABLED' type: string enum: ['ENABLED', 'DISABLED'] attributes_to_save: description: |+ 'List of attribute names separated by comma which needs to be fetched from LDAP server and stored as key-value pair for the session on ADC' type: string maxLength: 2047 oneOf: - properties: required: [server_ip] - properties: required: [server_name] saml: description: |+ 'SAML authentication provider. Currently SAML is supported only with authentication mechanism using forms' type: object properties: metadata_url: description: 'URL is used for obtaining saml metadata.' type: string maxLength: 255 metadata_refresh_interval: description: |+ 'Interval in minutes for fetching metadata from specified metadata URL. 
Default is 36000' type: integer minimum: 1 maximum: 4294967295 signing_cert: description: 'SSL certificate to sign requests from SP to IDP' type: object properties: tls_secret: type: string description: 'Name of the Kubernetes Secret of type tls referring to Certificate' pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' preconfigured: type: string maxLength: 63 description: |+ 'Preconfigured SSL certkey name on ADC with the certificate and key already added on ADC' oneOf: - properties: required: [tls_secret] - properties: required: [preconfigured] audience: description: 'Audience for which assertion sent by IdP is applicable' type: string maxLength: 127 issuer_name: description: 'The name to be used in requests sent from SP to IDP to identify citrix ADC' type: string maxLength: 63 binding: description: 'Specifies the transport mechanism of saml message. Default is POST' type: string enum: ['REDIRECT', 'POST', 'ARTIFACT'] artifact_resolution_service_url: description: 'URL of the Artifact Resolution Service on IdP' type: string maxLength: 255 logout_binding: description: 'Specifies the transport mechanism of saml logout. Default is POST' type: string enum: ['REDIRECT', 'POST'] reject_unsigned_assertion: description: |+ 'Reject unsigned SAML assertions. ON, rejects assertion without signature. STRICT ensure that both Response and Assertion are signed. Default is ON' type: string enum: ['ON', 'OFF', 'STRICT'] user_field: description: 'SAML user ID, as given in the SAML assertion' type: string maxLength: 63 default_authentication_group: description: |+ 'This is the default group that is chosen when the authentication succeeds in addition to extracted groups' type: string maxLength: 63 skew_time: description: |+ 'Allowed clock skew in number of minutes on an incoming assertion. 
Default is 5' type: integer minimum: 1 attributes_to_save: description: |+ 'List of attribute names separated by comma which needs to be extracted and stored as key-value pair for the session on ADC' type: string maxLength: 2047 required: - metadata_url basic_local_db: type: object description: |+ 'Basic HTTP authentication supported by ADC, user data in local DB of ADC. Users needs to be added on ADC' properties: use_local_auth: description: 'Use ADC authentication' type: string enum: ['YES'] required: - name authentication_policies: description: 'Authentication policies' type: array items: type: object description: 'Authentication policy' properties: resource: type: object description: 'endpoint/resource selection criteria' properties: path: description: 'api resource path e.g. /products. ' type: array items: type: string maxLength: 511 method: type: array items: type: string enum: ['GET', 'PUT', 'POST','DELETE'] required: - path expression: description: 'ADC syntax expression for authentication' type: string maxLength: 1229 provider: description: 'name of the authentication provider for the policy, empty if no authentication required' type: array items: type: string maxLength: 127 maxItems: 1 oneOf: - required: [resource, provider] - required: [expression, provider] authorization_policies: description: 'Authorization policies' type: array items: type: object description: 'Authorization policy' properties: resource: type: object description: 'endpoint/resource selection criteria' properties: path: description: 'api resource path e.g. /products. 
' type: array items: type: string maxLength: 511 method: description: ' http method' type: array items: type: string enum: ['GET', 'PUT', 'POST','DELETE'] claims: description: 'authorization scopes required for selected resource saved as claims or attributes' type: array items: type: object properties: name: description: 'name of the claim/attribute to check' type: string maxLength: 127 values: description: 'list of claim values required for the request' type: array items: type: string maxLength: 127 minItems: 1 required: - name - values required: - claims expression: description: 'ADC syntax expression for authorization' type: string maxLength: 1229 oneOf: - required: [resource] - required: [expression]
---
# Listener CRD (listeners.citrix.com, v1, Namespaced): describes a front-end
# listener - protocol, VIP(s), port, certificates, ADC profiles ("policies"),
# attached routes and a default action. spec and spec.protocol are required.
# Per the ingressclass description, an object without ingressclass is processed
# by every Citrix ingress controller in the cluster.
apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: listeners.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com
# NOTE(review): apiextensions.k8s.io/v1 has no spec.version field (versions are
# listed under "versions" below); this null entry looks like a v1beta1 leftover -
# confirm and drop it.
version: null names: kind: Listener plural: listeners singular: listener scope: Namespaced versions: - name: v1 served: true storage: true schema: openAPIV3Schema: required: [spec] type: object properties: status: type: object properties: state: type: string status_message: type: string spec: type: object required: [protocol] properties: ingressclass: type: string description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" protocol: type: string enum: ["https", "http"] description: "Protocol for this listener" vip: type: string description: "VIP address, Optional for CPX, required for Tier-1 deployments" secondaryVips: type: array description: "An array of Secondary VIPs. 
All the VIPs will be part of an ipset" minItems: 1 items: type: string redirectPort: type: integer minimum: 1 maximum: 65535 description: "Port from which http traffic should be redirected to https" port: type: integer minimum: 1 maximum: 65535 certificates: type: array description: "certificates attached to the endpoints - Not applicable for HTTP" minItems: 1 items: type: object properties: preconfigured: type: string description: "Preconfigured Certificate name on ADC "
# NOTE(review): secret.namespace lets a Listener point at a Secret outside its own
# namespace, and the schema checks only the name pattern. Whether the controller
# limits such cross-namespace references is not visible here - confirm, and scope
# RBAC on Listener objects accordingly.
secret: type: object description: "Kuberentes secret object" required: [name] properties: name: type: string description: "name of the Kubernetes Secret object where Cert is located" pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' namespace: type: string description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' default: type: boolean description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with the hostname" oneOf: - required: ["preconfigured"] - required: ["secret"]
# The profile "config" maps, csvserverConfig and the backend lbConfig /
# servicegroupConfig are free-form string maps (additionalProperties: string), so
# their keys and values are not checked by the API server; presumably they are
# passed to the ADC entities named in the descriptions - verify against the
# controller.
policies: type: object description: "Policies attached to the Listener" properties: httpprofile: type: object description: "HTTP profile configurations for the Listener, HTTP level configurations" properties: preconfigured: type: string description: "Preconfigured or Built-in HTTP profile name" config: type: object description: "HTTP profile configuration for the listener. 
For individual fields, refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nshttpprofile/nshttpprofile/ Name field is auto populated" additionalProperties: type: string oneOf: - required: ["preconfigured"] - required: ["config"] tcpprofile: type: object description: "TCP level configurations, uses ns tcpprofile of citrix ADC" properties: preconfigured: description: "Preconfigured or Built-in TCP profile name" type: string config: type: object description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ns/nstcpprofile/ ; Name field is auto populated" additionalProperties: type: string oneOf: - required: ["preconfigured"] - required: ["config"] csvserverConfig: type: object description: "CS Vserver configuration for the listener" additionalProperties: type: string
# NOTE(review): sslprofile.config and sslciphers accept any string, so this schema
# cannot enforce a TLS baseline (protocol versions, cipher strength); enforce it
# with admission policy or manifest review.
sslprofile: type: object description: "SSL profile configuration" properties: preconfigured: type: string description: "SSL profile which is preconfigured in ADC. Ciphers bound to the profile is not overriden" config: description: "Citrix ADC frontend SSL profile configurations. Refer:https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/ssl/sslprofile/ for all configurations; Name field is auto generated" type: object additionalProperties: type: string oneOf: - required: ["preconfigured"] - required: ["config"] sslciphers: type: array description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. 
A cipher suite, predefined cipher group or User created cipher group can be mentioned" minItems: 1 items: type: string description: "Cipher suite, cipher group name" analyticsprofile: type: object description: "Analytics profile configuration" properties: preconfigured: type: array description: "Preconfigured Analytics profile that needs to be bound to the vserver" minItems: 1 items: type: string description: "Name of the analytics profile preconfigured that will be bound to the Vserver" config: type: array description: "An array of analytics to be enabled" minItems: 1 items: type: object description: "Anlytics to be enabled" required: ['type'] properties: type: description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " type: string enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] parameters: type: object description: "Additional parameters for analytics profile. 
Please refer:https://developer-docs.citrix.com/projects/citrix-adc-nitro-api-reference/en/latest/configuration/analytics/analyticsprofile/" additionalProperties: type: string oneOf: - required: ["preconfigured"] - required: ["config"]
# Routes are attached either by name + namespace or by labelSelector; the
# labelSelector description says a route carrying the labels is attached
# automatically. NOTE(review): which namespaces are searched is not stated -
# confirm, since label-based attachment depends on who may label HTTPRoute objects.
routes: type: array description: "List of route objects attached to the listener" minItems: 1 items: type: object properties: name: type: string description: "Name of the HTTPRoute object" pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' namespace: type: string description: "Namespace of the HTTPRoute object" pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' labelSelector: description: "Labels key value pair, if the route carries the same labels, it is automatically attached" type: object additionalProperties: type: string oneOf: - required: [name, namespace] - required: [labelSelector] defaultAction: type: object description: "Default action for the listener: One of Backend or Redirect" properties: backend: type: object oneOf: - required: [kube] properties: kube: type: object required: [service, port] properties: service: description: "Name of the backend service" type: string pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' port: description: "Service port" type: integer minimum: 1 maximum: 65535 namespace: description: "Service namespace" type: string pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
# secure_backend is an optional boolean with no schema default, so backend
# encryption has to be requested explicitly - presumably plaintext when omitted;
# confirm the controller default.
backendConfig: description: "General backend service options" type: object properties: secure_backend: description: "Use Secure communications to the backends" type: boolean lbConfig: description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" type: object additionalProperties: type: string servicegroupConfig: description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" type: object additionalProperties: type: string
# Redirect targets (hostRedirect, targetExpression) are unconstrained strings;
# responseCode is limited to 100-599 and, per its description, defaults to 302.
redirect: type: object oneOf: - required: [targetExpression] - required: [hostRedirect] - required: [httpsRedirect] properties: httpsRedirect: description: "Change the scheme from http to https keeping URL intact" type: boolean hostRedirect: description: "Host name specified is used for redirection with URL intact" type: string targetExpression: description: "A target can be specified using Citrix ADC policy expression" type: string responseCode: description: "Default response code is 302, which can be customised using this attribute" type: integer minimum: 100 maximum: 599 oneOf: - required: ["backend"] - required: ["redirect"] subresources: # status enables the status subresource.
status: {}
---
# HTTPRoute CRD (httproutes.citrix.com, v1, Namespaced): content-routing rules.
# spec.rules is required; each rule needs a name and an action, and a match entry
# may use path, headers, cookies, queryParams, method or a raw ADC policyExpression.
# NOTE(review): "version: null" below is not a field of apiextensions.k8s.io/v1
# (versions are listed under "versions"); it looks like a v1beta1 leftover - confirm.
apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: httproutes.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com version: null names: kind: HTTPRoute plural: httproutes singular: httproute scope: Namespaced versions: - name: v1 served: true storage: true schema: openAPIV3Schema: type: object required: [spec] properties: status: type: object properties: state: type: string status_message: type: string spec: type: object required: [rules] properties: ingressclass: type: string description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource"
# hostname is optional; its description gives '*' as the default, i.e. a route
# without hostname is described as applying to every host.
hostname: type: array description: "List of domain names that share the same route, default is '*'" minItems: 1 items: type: string description: "Domain name" rules: type: array description: "List Content routing rules with an action defined" minItems: 1 items: type: object required: [name, action] properties: name: type: string description: "A name to represent the rule, this is used as an identifier in content routing policy name in ADC" minLength: 1 maxLength: 20 pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
# NOTE(review): the regex fields (documented as PCRE) and policyExpression are
# strings without maxLength or pattern, so the API server accepts any expression;
# how they are validated before reaching the ADC is not visible here.
match: type: array description: "List of rules with same action" minItems: 1 items: type: object anyOf: - required: [path] - required: [headers] - required: [cookies] - required: [queryParams] - required: [method] - required: [policyExpression] properties: path: type: object description: "URL Path based content routing" properties: prefix: type: string description: "URL path matches the prefix expression" exact: type: string description: "URL Path must match exact path" regex: type: string description: "PCRE based regex expression for path matching" headers: type: array description: "List of header for content routing - Must match all the rules- Treated as AND 
condition if more than 1 rule" minItems: 1 items: type: object description: "Header details for content routing, Check for existence of a header or header name-value match" properties: headerName: type: object description: "Header name based content routing, Here existence of header is used for routing" properties: exact: type: string description: "Header Name - treated as exact must exist" contains: type: string description: "Header Name - A header must exist that contain the string the name" regex: type: string description: "header Name - treated as PCRE regex expression" not: type: boolean description: "Default False, if present, rules are inverted. I.e header name must not exist" oneOf: - required: [exact] - required: [contains] - required: [regex] headerValue: type: object description: "Header Name and Value based match" properties: name: type: string description: "Header name that must match the value" exact: type: string description: "Header value - treated as exact" contains: type: string description: "Header value - treated as contains" regex: type: string description: "header value - treated as PCRE regex expression" not: type: boolean description: "Default False, if present, rules are inverted. I.e header if present must not match the value" oneOf: - required: [name, exact] - required: [name, contains] - required: [name, regex] queryParams: type: array description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" minItems: 1 items: type: object description: "Query parameters Name and Value based match" properties: name: type: string description: "Query name that must match the value. 
If no value is specified, matches with any value" exact: type: string description: "Query value - Exact match" contains: type: string description: "Query value - value must have the string(substring)" regex: type: string description: "Query value - Value must match this regex patterm" not: type: boolean description: "Default False, if present, rules are inverted. I.e query if present must not match the value" anyOf: - required: [name] - oneOf: - required: [name, exact] - required: [name, contains] - required: [name, regex] cookies: type: array description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" minItems: 1 items: type: object description: "Cookie based routing" properties: name: type: string description: "cookie name that must match the value. If no value specified, it matches with any value" exact: type: string description: "cookie value - treated as exact" contains: type: string description: "cookie value - treated as substring" regex: type: string description: "cookie value - treated as PCRE regex expression" not: type: boolean description: "Default False, if present, rules are inverted. 
I.e cookie if present must not match the value" anyOf: - required: [name] - oneOf: - required: [name, exact] - required: [name, contains] - required: [name, regex] method: type: string description: "HTTP method for content routing eg: POST, PUT, DELETE etc" policyExpression: type: string description: "Citrix ADC policy expressions; refer: https://docs.citrix.com/en-us/netscaler/media/expression-prefix.pdf" action: type: object description: "Action for the matched rule" properties: backend: type: object oneOf: - required: [kube] properties: kube: type: object required: [service, port] properties: service: description: "Name of the backend service" type: string pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' port: description: "Service port" type: integer minimum: 1 maximum: 65535
# NOTE(review): this CRD spells the flag secureBackend, while the Listener CRD's
# defaultAction uses secure_backend. A manifest using the other spelling names a
# field this schema does not define; depending on field validation it is rejected
# or pruned, leaving the backend setting unset - check manifests for the spelling.
backendConfig: type: object description: "General backend service options" properties: secureBackend: description: "Use Secure communications to the backends" type: boolean lbConfig: description: "Citrix ADC LB vserver configurations for the backend. 
Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/load-balancing/lbvserver/lbvserver/ for all configurations" type: object additionalProperties: type: string servicegroupConfig: description: "Citrix ADC service group configurations for the backend; Refer: https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/configuration/basic/servicegroup/servicegroup/ for all configurations" type: object additionalProperties: type: string redirect: type: object oneOf: - required: [targetExpression] - required: [hostRedirect] - required: [httpsRedirect] properties: httpsRedirect: description: "Change the scheme from http to https keeping URL intact" type: boolean hostRedirect: description: "Host name specified is used for redirection with URL intact" type: string targetExpression: description: "A target can be specified using Citrix ADC policy expression" type: string responseCode: description: "Default response code is 302, which can be customised using this attribute" type: integer minimum: 100 maximum: 599 oneOf: - required: ["backend"] - required: ["redirect"] subresources:
# status enables the status subresource.
status: {}
---
apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata:
# name must match the spec fields below, and be in the form: plural.group
name: continuousdeployments.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com names: kind: continuousdeployment plural: continuousdeployments singular: continuousdeployment scope: Namespaced versions: - name: v1 served: true storage: true schema: openAPIV3Schema: type: object properties:
# spec sets x-kubernetes-preserve-unknown-fields: true and types only cronSpec, so
# any other content of a continuousdeployment object is stored without validation.
spec: type: object x-kubernetes-preserve-unknown-fields: true properties: cronSpec: type: integer
---
# WAF CRD (wafs.citrix.com, v1, Namespaced): Web Application Firewall settings
# for the listed services - signatures, error pages, inspection target, security
# checks, settings, relaxations and enforcements. Exposes a status subresource.
# Per the ingressclass description, an object without ingressclass is processed
# by every Citrix ingress controller in the cluster.
apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: wafs.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com names: kind: waf plural: wafs singular: waf scope: Namespaced versions: - name: v1 served: true storage: true subresources: status: {} additionalPrinterColumns: - name: Status type: string description: "Current Status of the CRD" jsonPath: .status.state - name: Message type: string description: "Status Message" jsonPath: .status.status_message schema: openAPIV3Schema: type: object required: [spec] properties: status: type: object properties: state: type: string status_message: type: string spec: type: object properties: ingressclass: type: string description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" servicenames: description: 'Name of the services to which the waf policies are applied.' type: array items: type: string maxLength: 127 application_type: description: 'Type of applications to protect' type: array items: type: string enum: ['HTML', 'JSON', 'XML']
# NOTE(review): signatures, redirect_url and the *_error_object fields are
# "location" / URL strings with no pattern or maxLength. If the controller or ADC
# fetches them, the source should be a trusted, integrity-protected location -
# confirm how they are retrieved.
signatures: description: 'Location of external signature file' type: string redirect_url: description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' 
type: string html_error_object: description: 'Location of customized error page to respond when html or common violation are hit' type: string xml_error_object: description: 'Location of customized error page to respond when xml violations are hit' type: string json_error_object: description: 'Location of customized error page to respond when json violations are hit' type: string
# NOTE(review): ip_reputation is typed string yet also carries
# x-kubernetes-preserve-unknown-fields, which only affects pruning of object
# fields - confirm the intended type.
ip_reputation: type: string x-kubernetes-preserve-unknown-fields: true description: 'Enabling IP reputation feature'
# Per the description, omitting target means all traffic is inspected. The method
# enum lists only GET, PUT, POST and DELETE, so other methods cannot be named here.
target: description: 'To control what traffic to be inspected by Web Application Firewall. If you do not provide the target, everything will be inspected by default' type: object properties: path: type: array description: "List of http urls to inspect" items: type: string description: "URL path" method: type: array description: "List of http methods to inspect" items: type: string enum: ['GET', 'PUT', 'POST','DELETE'] header: type: array description: "List of http headers to inspect" items: type: string description: "header name"
# security_checks, settings, relaxations and enforcements: every common / html /
# json / xml entry is an object with x-kubernetes-preserve-unknown-fields: true, so
# check names and values are not validated by the API server - a misspelled key is
# stored as-is. Relaxations are described as rules for known traffic and false
# positives; review changes to them as changes to WAF coverage.
security_checks: description: 'To enable/disable application firewall security checks' type: object properties: common: type: object x-kubernetes-preserve-unknown-fields: true html: type: object x-kubernetes-preserve-unknown-fields: true json: type: object x-kubernetes-preserve-unknown-fields: true xml: type: object x-kubernetes-preserve-unknown-fields: true settings: description: 'To fine tune application firewall security checks default settings' type: object properties: common: type: object x-kubernetes-preserve-unknown-fields: true html: type: object x-kubernetes-preserve-unknown-fields: true json: type: object x-kubernetes-preserve-unknown-fields: true xml: type: object x-kubernetes-preserve-unknown-fields: true relaxations: description: 'Section which contains relaxation rules for known traffic and false positives' type: object properties: common: type: object x-kubernetes-preserve-unknown-fields: true html: type: object 
x-kubernetes-preserve-unknown-fields: true json: type: object x-kubernetes-preserve-unknown-fields: true xml: type: object x-kubernetes-preserve-unknown-fields: true enforcements: description: 'Section which contains enforcement or restriction rules' type: object properties: common: type: object x-kubernetes-preserve-unknown-fields: true html: type: object x-kubernetes-preserve-unknown-fields: true json: type: object x-kubernetes-preserve-unknown-fields: true xml: type: object x-kubernetes-preserve-unknown-fields: true
---
# Bot CRD (bots.citrix.com, v1, Namespaced): bot-management settings for the
# listed services - signatures, redirect_url, inspection target, security_checks
# toggles and their bindings. Exposes a status subresource.
# NOTE(review): signatures and redirect_url are strings with no pattern or
# maxLength; if the signature file is fetched from that location, it should be a
# trusted source - confirm how it is retrieved.
apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: bots.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com names: kind: bot plural: bots singular: bot scope: Namespaced versions: - name: v1 served: true storage: true subresources: status: {} additionalPrinterColumns: - name: Status type: string description: "Current Status of the CRD" jsonPath: .status.state - name: Message type: string description: "Status Message" jsonPath: .status.status_message schema: openAPIV3Schema: type: object required: [spec] properties: status: type: object properties: state: type: string status_message: type: string spec: type: object properties: ingressclass: type: string description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" servicenames: description: 'Name of the services to which the bot policies are applied.' type: array items: type: string maxLength: 127 signatures: description: 'Location of external bot signature file' type: string redirect_url: description: 'url to redirect when bot violation is hit' type: string target: description: 'To control what traffic to be inspected by BOT. 
If you do not provide the target, everything will be inspected by default' type: object properties: path: type: array description: "List of http urls to inspect" items: type: string description: "URL path" method: type: array description: "List of http methods to inspect" items: type: string enum: ['GET', 'PUT', 'POST','DELETE'] header: type: array description: "List of http headers to inspect" items: type: string description: "header name"
# The ON / OFF enum values are quoted, which keeps them strings; unquoted ON or OFF
# is read as a boolean by YAML 1.1 parsers and would not match this enum, so write
# them quoted in manifests too.
security_checks: description: 'To enable/disable bot ecurity checks' type: object properties: allow_list: type: string enum: ['ON', 'OFF'] block_list: type: string enum: ['ON', 'OFF'] device_fingerprint: type: object x-kubernetes-preserve-unknown-fields: true reputation: type: string enum: ['ON', 'OFF'] ratelimit: type: string enum: ['ON', 'OFF'] tps: type: string enum: ['ON', 'OFF'] trap: type: object x-kubernetes-preserve-unknown-fields: true
# NOTE(review): binding entries (subnet, ip, expression, url, cookie, ...) are
# objects with x-kubernetes-preserve-unknown-fields: true, so their contents are
# not validated here. allow_list bindings presumably exempt matching clients from
# bot checks - confirm, and review changes to them carefully.
bindings: description: 'Section which contains binding rules for bot security checks' type: object properties: allow_list: type: array items: type: object properties: subnet: type: object x-kubernetes-preserve-unknown-fields: true ip: type: object x-kubernetes-preserve-unknown-fields: true expression: type: object x-kubernetes-preserve-unknown-fields: true block_list: type: array items: type: object properties: subnet: type: object x-kubernetes-preserve-unknown-fields: true ip: type: object x-kubernetes-preserve-unknown-fields: true expression: type: object x-kubernetes-preserve-unknown-fields: true ratelimit: type: array items: type: object properties: url: type: object x-kubernetes-preserve-unknown-fields: true ip: type: object x-kubernetes-preserve-unknown-fields: true cookie: type: object x-kubernetes-preserve-unknown-fields: true reputation: type: object x-kubernetes-preserve-unknown-fields: true captcha: type: array items: type: object x-kubernetes-preserve-unknown-fields: true properties: tps: type: object properties: geolocation: type: object x-kubernetes-preserve-unknown-fields: 
true host: type: object x-kubernetes-preserve-unknown-fields: true ip: type: object x-kubernetes-preserve-unknown-fields: true trapinsertion: type: object x-kubernetes-preserve-unknown-fields: true
---
# API gateway policy CRD (apigatewaypolicies.citrix.com, v1beta1, Namespaced):
# an api_definition (repository, branch, oas_secret_ref, files), an api_proxy
# endpoint, and policies whose policy_bindings name ratelimit, waf, rewritepolicy
# and bot objects. The spec fields carry no descriptions.
# NOTE(review): oas_secret_ref and api_proxy.secret are plain strings - presumably
# Secret names (TODO confirm) - with no pattern check; api_proxy.port and
# upstream.port are integers without the 1-65535 bounds used in the Listener CRD.
apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: apigatewaypolicies.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com names: kind: apigatewaypolicy plural: apigatewaypolicies singular: apigatewaypolicy scope: Namespaced versions: - name: v1beta1 served: true storage: true additionalPrinterColumns: - name: Status type: string description: "Current Status of the CRD" jsonPath: .status.state - name: Message type: string description: "Status Message" jsonPath: .status.status_message subresources: status: {} schema: openAPIV3Schema: type: object required: [spec] properties: status: type: object properties: state: type: string status_message: type: string spec: type: object properties: api_definition: type: object properties: repository: type: string branch: type: string oas_secret_ref: type: string files: type: array items: type: string maxLength: 127 api_proxy: type: object properties: ipaddress: type: string port: type: integer protocol: type: string secret: type: string policies: type: array items: type: object properties: name: type: string selector: type: array items: type: object properties: tags: type: array items: type: string api: type: string method: type: array items: type: string maxLength: 127 upstream: type: object properties: service: type: string port: type: integer policy_bindings: type: object properties: ratelimit: type: object properties: name: type: string waf: type: object properties: name: type: string rewritepolicy: type: object properties: name: type: string bot: type: object properties: name: type: string
# NOTE(review): the typed keys that follow "mappings" are petstore_auth and
# api_key; the names look specific to a sample API - confirm whether other
# security-scheme names are meant to be accepted.
aaa: type: array items: type: object properties: crd_name: type: string mappings: type: array items: type: object properties: 
petstore_auth: type: string api_key: type: string
---
# CORS policy CRD (corspolicies.citrix.com, v1beta1, Namespaced, short name cp):
# allowed origins, methods and headers for the listed services, plus max_age and
# allow_credentials. Exposes a status subresource.
apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: corspolicies.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com names: kind: corspolicy plural: corspolicies singular: corspolicy shortNames: - cp scope: Namespaced versions: - name: v1beta1 served: true storage: true subresources: status: {} additionalPrinterColumns: - name: Status type: string description: 'Current Status of the CRD' jsonPath: .status.state - name: Message type: string description: 'Status Message' jsonPath: .status.status_message schema: openAPIV3Schema: type: object properties: status: type: object properties: state: type: string status_message: type: string spec: type: object properties: ingressclass: type: string description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" servicenames: description: 'The list of Kubernetes services to which you want to apply the cors policies.' type: array items: type: string maxLength: 63
# NOTE(review): allow_origin entries are free-form strings (maxLength 2083, no
# pattern); how the controller matches them against the request Origin (exact,
# wildcard, regex) is not visible here - confirm before listing broad origins,
# especially together with allow_credentials.
allow_origin: description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' type: array items: type: string maxLength: 2083 allow_methods: description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' type: array items: type: string maxLength: 127 allow_headers: description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' 
type: array items: type: string maxLength: 127 max_age: description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' type: integer
# allow_credentials is described as setting Access-Control-Allow-Credentials;
# enabling it lets browsers expose credentialed responses to the origins the
# policy allows, so keep allow_origin narrow when it is true. max_age above has no
# minimum or maximum.
allow_credentials: description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' type: boolean required: [servicenames, allow_origin, allow_methods, allow_headers]
---
# AppQoE policy CRD (appqoepolicies.citrix.com, v1, Namespaced): a list of
# appqoe-policies, each naming services and an appqoe-policy. Exposes a status
# subresource.
apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: appqoepolicies.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com names: kind: appqoepolicy plural: appqoepolicies singular: appqoepolicy scope: Namespaced versions: - name: v1 served: true storage: true subresources: status: {} additionalPrinterColumns: - name: Status type: string description: "Current Status of the CRD" jsonPath: .status.state - name: Message type: string description: "Status Message" jsonPath: .status.status_message schema: openAPIV3Schema: type: object properties: status: type: object properties: state: type: string status_message: type: string spec: type: object properties: appqoe-policies: type: array items: type: object properties: servicenames: description: 'Name of the services that needs to be binded to appqoe policy.' 
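type: array items: type: string maxLength: 127 appqoe-policy: type: object properties: operation-retry: type: object properties: on-reset: description: "To set Retry on Connection Reset or Not" type: string enum: ['YES','NO'] on-timeout: description: "Time in milliseconds for retry" type: integer minimum: 30 maximum: 2000 number-of-retries: description: "To set number of retries" type: integer minimum: 1 maximum: 7 required: [operation-retry] appqoe-criteria: description: 'Expression against which traffic is evaluated.' type: string maxLength: 1299 direction: description: 'Bind point to which to bind the policy.' type: string enum: ["REQUEST","RESPONSE"] required: [appqoe-criteria, operation-retry] required: [appqoe-policy]
---
# Wildcard DNS entry CRD (wildcarddnsentries.citrix.com, v1, Namespaced): DNS
# records for a zone - address (dnsaddrec), AAAA (dnsaaaarec), SOA (soarec) and
# name server (nsrec) records. Exposes a status subresource.
# The keep annotation is applied under the same retainOnDelete switch as the
# other CRDs in this file; without it, removing the release would delete this
# CRD and with it every wildcarddnsentry object.
# NOTE(review): domain, domain-ip, nameserver and the integer TTL / timer fields
# have no pattern or range checks, so name and address validation is left to the
# controller - confirm it is done there.
apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: wildcarddnsentries.citrix.com {{- if .Values.crds.retainOnDelete }} annotations: "helm.sh/resource-policy": keep {{- end }} spec: group: citrix.com names: kind: wildcarddnsentry plural: wildcarddnsentries singular: wildcarddnsentry scope: Namespaced versions: - name: v1 served: true storage: true subresources: status: {} additionalPrinterColumns: - name: Status type: string description: Current Status of the CRD jsonPath: .status.state - name: Message type: string description: Status Message jsonPath: .status.status_message schema: openAPIV3Schema: type: object properties: status: type: object properties: state: type: string status_message: type: string spec: type: object properties: zone: type: object description: DNS configuration for a zone properties: domain: type: string description: Domain name dnsaddrec: type: object description: DNS Address record properties: domain-ip: type: string description: IPv4 addresses to assign to the domain name ttl: type: integer description: >- TTL is the time for which the record must be cached by DNS proxies dnsaaaarec: type: object description: DNS AAAA record properties: domain-ip: type: string description: IPv6 addresses to assign to the domain name ttl: type: integer description: >- TTL is the time for which 
the record must be cached by DNS proxies soarec: type: object description: SOA record properties: origin-server: type: string description: Origin server domain contact: type: string description: Admin contact serial: type: integer description: >- The secondary server uses this parameter to determine whether it requires a zone transfer from the primary server. refresh: type: integer description: >- Time, in seconds, for which a secondary server must wait between successive checks on the value of the serial number. retry: type: integer description: >- Time, in seconds, between retries if a secondary server's attempt to contact the primary server for a zone refresh fails. expire: type: integer description: >- Time, in seconds, after which the zone data on a secondary nameserver can no longer be considered authoritative because all refresh and retry attempts made during the period have failed. nsrec: type: object description: Name server record properties: nameserver: type: string description: Host name of the name server to add to the domain. ttl: type: integer description: >- Time to Live (TTL), in seconds, for the record. TTL is the time for which the record must be cached by DNS proxies. The specified TTL is applied to all the resource records that are of the same record type and belong to the specified domain name
--- {{- end }}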