VMAuth v1beta1 — operator.victoriametrics.com

configReloadAuthKeySecret object

ConfigReloadAuthKeySecret defines optional secret reference authKey for /-/reload API requests. Given secret reference will be added to the application and vm-config-reloader as volume available since v0.57.0 version

key string required

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

configReloaderResources object

ConfigReloaderResources config-reloader container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ if not defined default resources from operator config will be used

claims []object

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers.

name string required

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

defaultTargetRefs []object

DefaultTargetRefs list of named targetRefs, which may be referenced by VMUser and at unauthorizedUserAccessSpec.

crd object

CRD describes exist operator's CRD object, operator generates access url based on CRD params.

kind string required

Kind one of: VMAgent,VMAlert, VMSingle, VMCluster/vmselect, VMCluster/vmstorage,VMCluster/vminsert,VMAlertManager, VLSingle, VLCluster/vlinsert, VLCluster/vlselect, VLCluster/vlstorage, VTSingle, VTCluster/vtinsert, VTCluster/vtselect, VTCluster/vtstorage and VLAgent

enum:

VMAgent, VMAlert, VMSingle, VLogs, VMAlertManager, VMAlertmanager, VMCluster/vmselect, VMCluster/vmstorage, VMCluster/vm...

VMAgent, VMAlert, VMSingle, VLogs, VMAlertManager, VMAlertmanager, VMCluster/vmselect, VMCluster/vmstorage, VMCluster/vminsert, VLSingle, VLCluster/vlinsert, VLCluster/vlselect, VLCluster/vlstorage, VLAgent, VTCluster/vtinsert, VTCluster/vtselect, VTCluster/vtstorage, VTSingle

name string required

Name of the target Kubernetes object

namespace string required

Namespace of the target Kubernetes object

objects []object

Objects defines list of name/namespace pairs that define existing k8s object

name string required

Name of the target Kubernetes object

namespace string required

Namespace of the target Kubernetes object

discover_backend_ips boolean

DiscoverBackendIPs instructs discovering URLPrefix backend IPs via DNS.

drop_src_path_prefix_parts integer

DropSrcPathPrefixParts is the number of `/`-delimited request path prefix parts to drop before proxying the request to backend. See [here](https://docs.victoriametrics.com/victoriametrics/vmauth/#dropping-request-path-prefix) for more details.

headers []string

RequestHeaders represent additional http headers, that vmauth uses in form of ["header_key: header_value"] multiple values for header key: ["header_key: value1,value2"] it's available since 1.68.0 version of vmauth

hosts []string

load_balancing_policy string

LoadBalancingPolicy defines load balancing policy to use for backend urls. Supported policies: least_loaded, first_available. See [here](https://docs.victoriametrics.com/victoriametrics/vmauth/#load-balancing) for more details (default "least_loaded")

enum: least_loaded, first_available

name string

Name references item at VMAuths spec.defaultTargetRefs map, with name set other attributes are skipped

paths []string

Paths - matched path to route.

query_args []object

QueryArgs appends list of query arguments to generated URL

name string required

Name of query argument

values []string required

Values of query argument

response_headers []string

ResponseHeaders represent additional http headers, that vmauth adds for request response in form of ["header_key: header_value"] multiple values for header key: ["header_key: value1,value2"] it's available since 1.93.0 version of vmauth

retry_status_codes []integer

RetryStatusCodes defines http status codes in numeric format for request retries Can be defined per target or at VMUser.spec level e.g. [429,503]

src_headers []string

SrcHeaders is an optional list of headers, which must match request headers.

src_query_args []string

SrcQueryArgs is an optional list of query args, which must match request URL query args.

static object

Static - user defined url for traffic forward, for instance http://vmsingle:8428

url string

URL http url for given staticRef.

urls []string

URLs allows setting multiple urls for load-balancing at vmauth-side.

targetRefBasicAuth object

TargetRefBasicAuth allow an target endpoint to authenticate over basic authentication

password object required

The secret in the service scrape namespace that contains the password for authentication. It must be at them same namespace as CRD

key string required

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

username object required

The secret in the service scrape namespace that contains the username for authentication. It must be at them same namespace as CRD

key string required

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

target_path_suffix string

TargetPathSuffix allows to add some suffix to the target path It allows to hide tenant configuration from user with crd as ref. it also may contain any url encoded params.

dnsConfig object

Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy.

nameservers []string

A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.

options []object

A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.

name string

Name is this DNS resolver option's name. Required.

value string

Value is this DNS resolver option's value.

searches []string

A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.

externalConfig object

ExternalConfig defines a source of external VMAuth configuration. If it's defined, configuration for vmauth becomes unmanaged and operator'll not create any related secrets/config-reloaders

localPath string

LocalPath contains static path to a config, which is managed externally for cases when using secrets is not applicable, e.g.: Vault sidecar.

secretRef object

SecretRef defines selector for externally managed secret which contains configuration

key string required

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

extraEnvs []object

ExtraEnvs that will be passed to the application container

name string required

Name of the environment variable. May consist of any printable ASCII characters except '='.

value string

Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".

extraEnvsFrom []object

ExtraEnvsFrom defines source of env variables for the application container could either be secret or configmap

configMapRef object

The ConfigMap to select from

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the ConfigMap must be defined

prefix string

Optional text to prepend to the name of each environment variable. May consist of any printable ASCII characters except '='.

secretRef object

The Secret to select from

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret must be defined

hostAliases []object

HostAliases provides mapping for ip and hostname, that would be propagated to pod, cannot be used with HostNetwork.

hostnames []string

Hostnames for the above IP address.

ip string required

IP address of the host file entry.

host_aliases []object

HostAliasesUnderScore provides mapping for ip and hostname, that would be propagated to pod, cannot be used with HostNetwork. Has Priority over hostAliases field

hostnames []string

Hostnames for the above IP address.

ip string required

IP address of the host file entry.

hpa object

Configures horizontal pod autoscaling.

behaviour object

HorizontalPodAutoscalerBehavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively).

scaleDown object

scaleDown is scaling policy for scaling Down. If not set, the default value is to allow to scale down to minReplicas pods, with a 300 second stabilization window (i.e., the highest recommendation for the last 300sec is used).

policies []object

policies is a list of potential scaling polices which can be used during scaling. If not set, use the default values: - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window. - For scale down: allow all pods to be removed in a 15s window.

periodSeconds integer required

periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).

format: int32

type string required

type is used to specify the scaling policy.

value integer required

value contains the amount of change which is permitted by the policy. It must be greater than zero

format: int32

selectPolicy string

selectPolicy is used to specify which policy should be used. If not set, the default value Max is used.

stabilizationWindowSeconds integer

stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).

format: int32

tolerance string | integer

tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%). For example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi. This is an beta field and requires the HPAConfigurableTolerance feature gate to be enabled.

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

scaleUp object

scaleUp is scaling policy for scaling Up. If not set, the default value is the higher of: * increase no more than 4 pods per 60 seconds * double the number of pods per 60 seconds No stabilization is used.

policies []object

policies is a list of potential scaling polices which can be used during scaling. If not set, use the default values: - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window. - For scale down: allow all pods to be removed in a 15s window.

periodSeconds integer required

periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).

format: int32

type string required

type is used to specify the scaling policy.

value integer required

value contains the amount of change which is permitted by the policy. It must be greater than zero

format: int32

selectPolicy string

selectPolicy is used to specify which policy should be used. If not set, the default value Max is used.

stabilizationWindowSeconds integer

stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).

format: int32

tolerance string | integer

tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%). For example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi. This is an beta field and requires the HPAConfigurableTolerance feature gate to be enabled.

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

maxReplicas integer

format: int32

metrics []object

containerResource object

containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.

container string required

container is the name of the container in the pods of the scaling target

name string required

name is the name of the resource in question.

target object required

target specifies the target value for the given metric

averageUtilization integer

averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type

format: int32

averageValue string | integer

averageValue is the target value of the average of the metric across all relevant pods (as a quantity)

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

type string required

type represents whether the metric type is Utilization, Value, or AverageValue

value string | integer

value is the target value of the metric (as a quantity).

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

external object

external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).

metric object required

metric identifies the target metric by name and selector

name string required

name is the name of the given metric

selector object

selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchLabels object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

target object required

target specifies the target value for the given metric

averageUtilization integer

averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type

format: int32

averageValue string | integer

averageValue is the target value of the average of the metric across all relevant pods (as a quantity)

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

type string required

type represents whether the metric type is Utilization, Value, or AverageValue

value string | integer

value is the target value of the metric (as a quantity).

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

object object

object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).

describedObject object required

describedObject specifies the descriptions of a object,such as kind,name apiVersion

apiVersion string

apiVersion is the API version of the referent

kind string required

kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

name string required

name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

metric object required

metric identifies the target metric by name and selector

name string required

name is the name of the given metric

selector object

selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchLabels object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

target object required

target specifies the target value for the given metric

averageUtilization integer

averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type

format: int32

averageValue string | integer

averageValue is the target value of the average of the metric across all relevant pods (as a quantity)

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

type string required

type represents whether the metric type is Utilization, Value, or AverageValue

value string | integer

value is the target value of the metric (as a quantity).

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

pods object

pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.

metric object required

metric identifies the target metric by name and selector

name string required

name is the name of the given metric

selector object

selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchLabels object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

target object required

target specifies the target value for the given metric

averageUtilization integer

averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type

format: int32

averageValue string | integer

averageValue is the target value of the average of the metric across all relevant pods (as a quantity)

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

type string required

type represents whether the metric type is Utilization, Value, or AverageValue

value string | integer

value is the target value of the metric (as a quantity).

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

resource object

resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.

name string required

name is the name of the resource in question.

target object required

target specifies the target value for the given metric

averageUtilization integer

averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type

format: int32

averageValue string | integer

averageValue is the target value of the average of the metric across all relevant pods (as a quantity)

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

type string required

type represents whether the metric type is Utilization, Value, or AverageValue

value string | integer

value is the target value of the metric (as a quantity).

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

type string required

type is the type of metric source. It should be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object.

minReplicas integer

format: int32

httpRoute object

HTTPRoute enables httproute configuration for VMAuth.

annotations object

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations

extraRules []object

ExtraRules defines custom HTTPRouteRule in raw form, bypassing Gateway API CEL validations.

hostnames []string

Hostnames defines a set of hostnames that should match against the HTTP Host header to select a HTTPRoute used to process the request.

labels object

Labels Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels

name string

Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names

parentRefs []object

ParentRefs references the resources (usually Gateways) that a Route wants to be attached to.

group string

Group is the group of the referent. When unspecified, "gateway.networking.k8s.io" is inferred. To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). Support: Core

pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

maxLength: 253

kind string

Kind is kind of the referent. There are two kinds of parent resources with "Core" support: * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) Support for other resources is Implementation-Specific.

pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$

minLength: 1

maxLength: 63

name string required

Name is the name of the referent. Support: Core

minLength: 1

maxLength: 253

namespace string

Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. <gateway:experimental:description> ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. </gateway:experimental:description> Support: Core

pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

minLength: 1

maxLength: 63

port integer

Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. <gateway:experimental:description> When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. </gateway:experimental:description> Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. Support: Extended

format: int32

minimum: 1

maximum: 65535

sectionName string

SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. Support: Core

pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

minLength: 1

maxLength: 253

image object

Image - docker image settings if no specified operator uses default version from operator config

pullPolicy string

PullPolicy describes how to pull docker image

repository string

Repository contains name of docker image + it's repository if needed

tag string

Tag contains desired docker image version

imagePullSecrets []object

ImagePullSecrets An optional list of references to secrets in the same namespace to use for pulling images from registries see https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

ingress object

Ingress enables ingress configuration for VMAuth.

annotations object

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations

class_name string

ClassName defines ingress class name for VMAuth

extraRules []object

ExtraRules - additional rules for ingress, must be checked for correctness by user.

host string

host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the IP in the Spec of the parent Ingress. 2. The `:` delimiter is not respected because ports are not allowed. Currently the port of an Ingress is implicitly :80 for http and :443 for https. Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue. host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). Requests will be matched against the Host field in the following way: 1. If host is precise, the request matches this rule if the http host header is equal to Host. 2. If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.

http object

HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.

paths []object required

paths is a collection of paths that map requests to backends.

backend object required

backend defines the referenced service endpoint to which the traffic will be forwarded to.

resource object

resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with "Service".

apiGroup string

APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.

kind string required

Kind is the type of resource being referenced

name string required

Name is the name of resource being referenced

service object

service references a service as a backend. This is a mutually exclusive setting with "Resource".

name string required

name is the referenced service. The service must exist in the same namespace as the Ingress object.

port object

port of the referenced service. A port name or port number is required for a IngressServiceBackend.

name string

name is the name of the port on the Service. This is a mutually exclusive setting with "Number".

number integer

number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with "Name".

format: int32

path string

path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value "Exact" or "Prefix".

pathType string required

pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is done on a path element by element basis. A path element refers is the list of labels in the path split by the '/' separator. A request is a match for path p if every p is an element-wise prefix of p of the request path. Note that if the last element of the path is a substring of the last element in request path, it is not a match (e.g. /foo/bar matches /foo/bar/baz, but does not match /foo/barbaz). * ImplementationSpecific: Interpretation of the Path matching is up to the IngressClass. Implementations can treat this as a separate PathType or treat it identically to Prefix or Exact path types. Implementations are required to support all path types.

extraTls []object

ExtraTLS - additional TLS configuration for ingress must be checked for correctness by user.

hosts []string

hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.

secretName string

secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the "Host" header field used by an IngressRule, the SNI host is used for termination and value of the "Host" header is used for routing.

host string

Host defines ingress host parameter for default rule It will be used, only if TlsHosts is empty

labels object

Labels Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels

name string

Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names

paths []string

Paths defines ingress paths parameter for default rule

tlsHosts []string

TlsHosts configures TLS access for ingress, tlsSecretName must be defined for it.

tlsSecretName string

TlsSecretName defines secretname at the VMAuth namespace with cert and key https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

license object

License allows to configure license key to be used for enterprise features. Using license key is supported starting from VictoriaMetrics v1.94.0. See [here](https://docs.victoriametrics.com/victoriametrics/enterprise/)

forceOffline boolean

Enforce offline verification of the license key.

key string

Enterprise license key. This flag is available only in [VictoriaMetrics enterprise](https://docs.victoriametrics.com/victoriametrics/enterprise/). To request a trial license, [go to](https://victoriametrics.com/products/enterprise/trial)

keyRef object

KeyRef is reference to secret with license key for enterprise features.

key string required

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

reloadInterval string

Interval to be used for checking for license key changes. Note that this is only applicable when using KeyRef.

managedMetadata object

ManagedMetadata defines metadata that will be added to the all objects created by operator for the given CustomResource

annotations object

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations

labels object

Labels Map of string keys and values that can be used to organize and categorize (scope and select) objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels

podDisruptionBudget object

PodDisruptionBudget created by operator

maxUnavailable string | integer

An eviction is allowed if at most "maxUnavailable" pods selected by "selector" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable".

minAvailable string | integer

An eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying "100%".

selectorLabels object

replaces default labels selector generated by operator it's useful when you need to create custom budget

unhealthyPodEvictionPolicy string

UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods Valid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy. Available from operator v0.64.0

enum: IfHealthyBudget, AlwaysAllow

podMetadata object

PodMetadata configures Labels and Annotations which are propagated to the VMAuth pods.

annotations object

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations

labels object

Labels Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels

name string

Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names

readinessGates []object

ReadinessGates defines pod readiness gates

conditionType string required

ConditionType refers to a condition in the pod's condition list with matching type.

resources object

Resources container resource request and limits, https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ if not defined default resources from operator config will be used

claims []object

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This field depends on the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers.

name string required

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

rollingUpdate object

RollingUpdate - overrides deployment update params. Available from operator v0.64.0

maxSurge string | integer

The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new ReplicaSet can be scaled up further, ensuring that total number of pods running at any time during the update is at most 130% of desired pods.

maxUnavailable string | integer

The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old ReplicaSet can be scaled down further, followed by scaling up the new ReplicaSet, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.

serviceSpec object

ServiceSpec that will be added to vmsingle service spec

metadata object

EmbeddedObjectMetadata defines objectMeta for additional service.

annotations object

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations

labels object

Labels Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels

name string

Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names

spec object required

ServiceSpec describes the attributes that a user creates on a service. More info: https://kubernetes.io/docs/concepts/services-networking/service/

useAsDefault boolean

UseAsDefault applies changes from given service definition to the main object Service Changing from headless service to clusterIP or loadbalancer may break cross-component communication

tolerations []object

Tolerations If specified, the pod's tolerations.

effect string

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

key string

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

operator string

Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).

tolerationSeconds integer

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

format: int64

value string

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

unauthorizedUserAccessSpec object

UnauthorizedUserAccessSpec defines unauthorized_user config section of vmauth config

default_url []string

DefaultURLs backend url for non-matching paths filter usually used for default backend with error message

discover_backend_ips boolean

DiscoverBackendIPs instructs discovering URLPrefix backend IPs via DNS.

drop_src_path_prefix_parts integer

DropSrcPathPrefixParts is the number of `/`-delimited request path prefix parts to drop before proxying the request to backend. See [here](https://docs.victoriametrics.com/victoriametrics/vmauth/#dropping-request-path-prefix) for more details.

dump_request_on_errors boolean

DumpRequestOnErrors instructs vmauth to return detailed request params to the client if routing rules don't allow to forward request to the backends. Useful for debugging `src_hosts` and `src_headers` based routing rules available since v1.107.0 vmauth version

headers []string

Headers represent additional http headers, that vmauth uses in form of ["header_key: header_value"] multiple values for header key: ["header_key: value1,value2"] it's available since 1.68.0 version of vmauth

ip_filters object

IPFilters defines per target src ip filters supported only with enterprise version of [vmauth](https://docs.victoriametrics.com/victoriametrics/vmauth/#ip-filters)

allow_list []string

deny_list []string

load_balancing_policy string

LoadBalancingPolicy defines load balancing policy to use for backend urls. Supported policies: least_loaded, first_available. See [here](https://docs.victoriametrics.com/victoriametrics/vmauth/#load-balancing) for more details (default "least_loaded")

enum: least_loaded, first_available

max_concurrent_requests integer

MaxConcurrentRequests defines max concurrent requests per user 300 is default value for vmauth

metric_labels object

MetricLabels - additional labels for metrics exported by vmauth for given user.

response_headers []string

ResponseHeaders represent additional http headers, that vmauth adds for request response in form of ["header_key: header_value"] multiple values for header key: ["header_key: value1,value2"] it's available since 1.93.0 version of vmauth

retry_status_codes []integer

RetryStatusCodes defines http status codes in numeric format for request retries e.g. [429,503]

targetRefs []object

TargetRefs - reference to endpoints, which user may access.

crd object

CRD describes exist operator's CRD object, operator generates access url based on CRD params.

kind string required

Kind one of: VMAgent,VMAlert, VMSingle, VMCluster/vmselect, VMCluster/vmstorage,VMCluster/vminsert,VMAlertManager, VLSingle, VLCluster/vlinsert, VLCluster/vlselect, VLCluster/vlstorage, VTSingle, VTCluster/vtinsert, VTCluster/vtselect, VTCluster/vtstorage and VLAgent

enum:

VMAgent, VMAlert, VMSingle, VLogs, VMAlertManager, VMAlertmanager, VMCluster/vmselect, VMCluster/vmstorage, VMCluster/vm...

VMAgent, VMAlert, VMSingle, VLogs, VMAlertManager, VMAlertmanager, VMCluster/vmselect, VMCluster/vmstorage, VMCluster/vminsert, VLSingle, VLCluster/vlinsert, VLCluster/vlselect, VLCluster/vlstorage, VLAgent, VTCluster/vtinsert, VTCluster/vtselect, VTCluster/vtstorage, VTSingle

name string required

Name of the target Kubernetes object

namespace string required

Namespace of the target Kubernetes object

objects []object

Objects defines list of name/namespace pairs that define existing k8s object

name string required

Name of the target Kubernetes object

namespace string required

Namespace of the target Kubernetes object

discover_backend_ips boolean

DiscoverBackendIPs instructs discovering URLPrefix backend IPs via DNS.

drop_src_path_prefix_parts integer

DropSrcPathPrefixParts is the number of `/`-delimited request path prefix parts to drop before proxying the request to backend. See [here](https://docs.victoriametrics.com/victoriametrics/vmauth/#dropping-request-path-prefix) for more details.

headers []string

RequestHeaders represent additional http headers, that vmauth uses in form of ["header_key: header_value"] multiple values for header key: ["header_key: value1,value2"] it's available since 1.68.0 version of vmauth

hosts []string

load_balancing_policy string

LoadBalancingPolicy defines load balancing policy to use for backend urls. Supported policies: least_loaded, first_available. See [here](https://docs.victoriametrics.com/victoriametrics/vmauth/#load-balancing) for more details (default "least_loaded")

enum: least_loaded, first_available

name string

Name references item at VMAuths spec.defaultTargetRefs map, with name set other attributes are skipped

paths []string

Paths - matched path to route.

query_args []object

QueryArgs appends list of query arguments to generated URL

name string required

Name of query argument

values []string required

Values of query argument

response_headers []string

ResponseHeaders represent additional http headers, that vmauth adds for request response in form of ["header_key: header_value"] multiple values for header key: ["header_key: value1,value2"] it's available since 1.93.0 version of vmauth

retry_status_codes []integer

RetryStatusCodes defines http status codes in numeric format for request retries Can be defined per target or at VMUser.spec level e.g. [429,503]

src_headers []string

SrcHeaders is an optional list of headers, which must match request headers.

src_query_args []string

SrcQueryArgs is an optional list of query args, which must match request URL query args.

static object

Static - user defined url for traffic forward, for instance http://vmsingle:8428

url string

URL http url for given staticRef.

urls []string

URLs allows setting multiple urls for load-balancing at vmauth-side.

targetRefBasicAuth object

TargetRefBasicAuth allow an target endpoint to authenticate over basic authentication

password object required

The secret in the service scrape namespace that contains the password for authentication. It must be at them same namespace as CRD

key string required

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

username object required

The secret in the service scrape namespace that contains the username for authentication. It must be at them same namespace as CRD

key string required

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

target_path_suffix string

TargetPathSuffix allows to add some suffix to the target path It allows to hide tenant configuration from user with crd as ref. it also may contain any url encoded params.

tlsConfig object

TLSConfig defines tls configuration for the backend connection

ca object

Struct containing the CA cert to use for the targets.

configMap object

ConfigMap containing data to use for the targets.

key string required

The key to select.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the ConfigMap or its key must be defined

secret object

Secret containing data to use for the targets.

key string required

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

caFile string

Path to the CA cert in the container to use for the targets.

cert object

Struct containing the client cert file for the targets.

configMap object

ConfigMap containing data to use for the targets.

key string required

The key to select.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the ConfigMap or its key must be defined

secret object

Secret containing data to use for the targets.

key string required

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

certFile string

Path to the client cert file in the container for the targets.

insecureSkipVerify boolean

Disable target certificate validation.

keyFile string

Path to the client key file in the container for the targets.

keySecret object

Secret containing the client key file for the targets.

key string required

The key of the secret to select from. Must be a valid secret key.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

optional boolean

Specify whether the Secret or its key must be defined

serverName string

Used to verify the hostname for the targets.

url_map []object

URLMap defines url map for destination

discover_backend_ips boolean

DiscoverBackendIPs instructs discovering URLPrefix backend IPs via DNS.

drop_src_path_prefix_parts integer

DropSrcPathPrefixParts is the number of `/`-delimited request path prefix parts to drop before proxying the request to backend. See [here](https://docs.victoriametrics.com/victoriametrics/vmauth/#dropping-request-path-prefix) for more details.

headers []string

RequestHeaders represent additional http headers, that vmauth uses in form of ["header_key: header_value"] multiple values for header key: ["header_key: value1,value2"] it's available since 1.68.0 version of vmauth

load_balancing_policy string

LoadBalancingPolicy defines load balancing policy to use for backend urls. Supported policies: least_loaded, first_available. See [here](https://docs.victoriametrics.com/victoriametrics/vmauth/#load-balancing) for more details (default "least_loaded")

enum: least_loaded, first_available

response_headers []string

ResponseHeaders represent additional http headers, that vmauth adds for request response in form of ["header_key: header_value"] multiple values for header key: ["header_key: value1,value2"] it's available since 1.93.0 version of vmauth

retry_status_codes []integer

RetryStatusCodes defines http status codes in numeric format for request retries Can be defined per target or at VMUser.spec level e.g. [429,503]

src_headers []string

SrcHeaders is an optional list of headers, which must match request headers.

src_hosts []string

SrcHosts is an optional list of regular expressions, which must match the request hostname.

src_paths []string

SrcPaths is an optional list of regular expressions, which must match the request path.

src_query_args []string

SrcQueryArgs is an optional list of query args, which must match request URL query args.

url_prefix object

UrlPrefix contains backend url prefixes for the proxied request url. URLPrefix defines prefix prefix for destination

url_prefix object

URLPrefix defines url prefix for destination

userNamespaceSelector object

UserNamespaceSelector Namespaces to be selected for VMAuth discovery. Works in combination with Selector. NamespaceSelector nil - only objects at VMAuth namespace. Selector nil - only objects at NamespaceSelector namespaces. If both nil - behaviour controlled by selectAllByDefault

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchLabels object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

userSelector object

UserSelector defines VMUser to be selected for config file generation. Works in combination with NamespaceSelector. NamespaceSelector nil - only objects at VMAuth namespace. If both nil - behaviour controlled by selectAllByDefault

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchLabels object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

volumeMounts []object

VolumeMounts allows configuration of additional VolumeMounts on the output Deployment/StatefulSet definition. VolumeMounts specified will be appended to other VolumeMounts in the Application container

mountPath string required

Path within the container at which the volume should be mounted. Must not contain ':'.

mountPropagation string

mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified (which defaults to None).

name string required

This must match the Name of a Volume.

readOnly boolean

Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.

recursiveReadOnly string

RecursiveReadOnly specifies whether read-only mounts should be handled recursively. If ReadOnly is false, this field has no meaning and must be unspecified. If ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only. If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime. If this field is set to Enabled, the mount is made recursively read-only if it is supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason. If this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None). If this field is not specified, it is treated as an equivalent of Disabled.

subPath string

Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).

subPathExpr string

Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive.

vpa object

Configures vertical pod autoscaling.

recommenders []object

Recommenders specifies custom VPA recommender names.

name string required

Name of the recommender responsible for generating recommendation for this object.

resourcePolicy object

ResourcePolicy controls how the autoscaler computes recommended resources per container.

containerPolicies []object

Per-container resource policies.

containerName string

Name of the container or DefaultContainerResourcePolicy, in which case the policy is used by the containers that don't have their own policy specified.

controlledResources []string

Specifies the type of recommendations that will be computed (and possibly applied) by VPA. If not specified, the default of [ResourceCPU, ResourceMemory] will be used.

controlledValues string

Specifies which resource values should be controlled. The default is "RequestsAndLimits".

enum: RequestsAndLimits, RequestsOnly

maxAllowed object

Specifies the maximum amount of resources that will be recommended for the container. The default is no maximum.

minAllowed object

Specifies the minimal amount of resources that will be recommended for the container. The default is no minimum.

mode string

Whether autoscaler is enabled for the container. The default is "Auto".

enum: Auto, Off

oomBumpUpRatio string | integer

oomBumpUpRatio is the ratio to increase memory when OOM is detected.

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

oomMinBumpUp string | integer

oomMinBumpUp is the minimum increase in memory when OOM is detected.

string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$

updatePolicy object

UpdatePolicy controls how the autoscaler applies changes to pod resources.

evictionRequirements []object

EvictionRequirements is a list of EvictionRequirements that need to evaluate to true in order for a Pod to be evicted. If more than one EvictionRequirement is specified, all of them need to be fulfilled to allow eviction.

changeRequirement string required

EvictionChangeRequirement refers to the relationship between the new target recommendation for a Pod and its current requests, what kind of change is necessary for the Pod to be evicted

enum: TargetHigherThanRequests, TargetLowerThanRequests

resources []string required

Resources is a list of one or more resources that the condition applies to. If more than one resource is given, the EvictionRequirement is fulfilled if at least one resource meets `changeRequirement`.

minReplicas integer

Minimal number of replicas which need to be alive for Updater to attempt pod eviction (pending other checks like PDB). Only positive values are allowed. Overrides global '--min-replicas' flag.

format: int32

updateMode string

Controls when autoscaler applies changes to the pod resources. The default is 'Recreate'.

enum: Off, Initial, Recreate, InPlaceOrRecreate, Auto