{
|
|
"description": "AppProject provides a logical grouping of applications, providing controls for:\n* where the apps may deploy to (cluster whitelist)\n* what may be deployed (repository whitelist, resource whitelist/blacklist)\n* who can access these applications (roles, OIDC group claims bindings)\n* and what they can do (RBAC policies)\n* automation access to these roles (JWT tokens)",
|
|
"properties": {
|
|
"apiVersion": {
|
|
"description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
|
|
"type": "string"
|
|
},
|
|
"kind": {
|
|
"description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
|
|
"type": "string"
|
|
},
|
|
"metadata": {
|
|
"type": "object"
|
|
},
|
|
"spec": {
|
|
"description": "AppProjectSpec is the specification of an AppProject",
|
|
"properties": {
|
|
"clusterResourceBlacklist": {
|
|
"description": "ClusterResourceBlacklist contains a list of blacklisted cluster-level resources",
|
|
"items": {
|
|
"description": "GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying\nconcepts during lookup stages without having partially valid types",
|
|
"type": "object",
|
|
"required": [
|
|
"group",
|
|
"kind"
|
|
],
|
|
"properties": {
|
|
"group": {
|
|
"type": "string"
|
|
},
|
|
"kind": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"type": "array"
|
|
},
|
|
"clusterResourceWhitelist": {
|
|
"description": "ClusterResourceWhitelist contains a list of whitelisted cluster-level resources",
|
|
"items": {
|
|
"description": "GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying\nconcepts during lookup stages without having partially valid types",
|
|
"type": "object",
|
|
"required": [
|
|
"group",
|
|
"kind"
|
|
],
|
|
"properties": {
|
|
"group": {
|
|
"type": "string"
|
|
},
|
|
"kind": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"type": "array"
|
|
},
|
|
"description": {
|
|
"description": "Description contains optional project description",
|
|
"type": "string"
|
|
},
|
|
"destinationServiceAccounts": {
|
|
"description": "DestinationServiceAccounts holds information about the service accounts to be impersonated for the application sync operation for each destination.",
|
|
"items": {
|
|
"description": "ApplicationDestinationServiceAccount holds information about the service account to be impersonated for the application sync operation.",
|
|
"type": "object",
|
|
"required": [
|
|
"defaultServiceAccount",
|
|
"server"
|
|
],
|
|
"properties": {
|
|
"defaultServiceAccount": {
|
|
"description": "DefaultServiceAccount to be used for impersonation during the sync operation",
|
|
"type": "string"
|
|
},
|
|
"namespace": {
|
|
"description": "Namespace specifies the target namespace for the application's resources.",
|
|
"type": "string"
|
|
},
|
|
"server": {
|
|
"description": "Server specifies the URL of the target cluster's Kubernetes control plane API.",
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"type": "array"
|
|
},
|
|
"destinations": {
|
|
"description": "Destinations contains a list of destinations available for deployment",
|
|
"items": {
|
|
"description": "ApplicationDestination holds information about the application's destination",
|
|
"type": "object",
|
|
"properties": {
|
|
"name": {
|
|
"description": "Name is an alternate way of specifying the target cluster by its symbolic name. This must be set if Server is not set.",
|
|
"type": "string"
|
|
},
|
|
"namespace": {
|
|
"description": "Namespace specifies the target namespace for the application's resources.\nThe namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace",
|
|
"type": "string"
|
|
},
|
|
"server": {
|
|
"description": "Server specifies the URL of the target cluster's Kubernetes control plane API. This must be set if Name is not set.",
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"type": "array"
|
|
},
|
|
"namespaceResourceBlacklist": {
|
|
"description": "NamespaceResourceBlacklist contains a list of blacklisted namespace-level resources",
|
|
"items": {
|
|
"description": "GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying\nconcepts during lookup stages without having partially valid types",
|
|
"type": "object",
|
|
"required": [
|
|
"group",
|
|
"kind"
|
|
],
|
|
"properties": {
|
|
"group": {
|
|
"type": "string"
|
|
},
|
|
"kind": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"type": "array"
|
|
},
|
|
"namespaceResourceWhitelist": {
|
|
"description": "NamespaceResourceWhitelist contains a list of whitelisted namespace-level resources",
|
|
"items": {
|
|
"description": "GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying\nconcepts during lookup stages without having partially valid types",
|
|
"type": "object",
|
|
"required": [
|
|
"group",
|
|
"kind"
|
|
],
|
|
"properties": {
|
|
"group": {
|
|
"type": "string"
|
|
},
|
|
"kind": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"type": "array"
|
|
},
|
|
"orphanedResources": {
|
|
"description": "OrphanedResources specifies whether the controller should monitor orphaned resources of apps in this project",
|
|
"properties": {
|
|
"ignore": {
|
|
"description": "Ignore contains a list of resources that are to be excluded from orphaned resources monitoring",
|
|
"items": {
|
|
"description": "OrphanedResourceKey is a reference to a resource to be excluded from orphaned resources monitoring",
|
|
"type": "object",
|
|
"properties": {
|
|
"group": {
|
|
"type": "string"
|
|
},
|
|
"kind": {
|
|
"type": "string"
|
|
},
|
|
"name": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"type": "array"
|
|
},
|
|
"warn": {
|
|
"description": "Warn indicates whether a warning condition should be created for apps which have orphaned resources",
|
|
"type": "boolean"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"permitOnlyProjectScopedClusters": {
|
|
"description": "PermitOnlyProjectScopedClusters determines whether destinations can only reference clusters which are project-scoped",
|
|
"type": "boolean"
|
|
},
|
|
"roles": {
|
|
"description": "Roles are user defined RBAC roles associated with this project",
|
|
"items": {
|
|
"description": "ProjectRole represents a role that has access to a project",
|
|
"type": "object",
|
|
"required": [
|
|
"name"
|
|
],
|
|
"properties": {
|
|
"description": {
|
|
"description": "Description is a description of the role",
|
|
"type": "string"
|
|
},
|
|
"groups": {
|
|
"description": "Groups are a list of OIDC group claims bound to this role",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"jwtTokens": {
|
|
"description": "JWTTokens are a list of generated JWT tokens bound to this role",
|
|
"type": "array",
|
|
"items": {
|
|
"description": "JWTToken holds the issuedAt and expiresAt values of a token",
|
|
"type": "object",
|
|
"required": [
|
|
"iat"
|
|
],
|
|
"properties": {
|
|
"exp": {
|
|
"type": "integer",
|
|
"format": "int64"
|
|
},
|
|
"iat": {
|
|
"type": "integer",
|
|
"format": "int64"
|
|
},
|
|
"id": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"name": {
|
|
"description": "Name is a name for this role",
|
|
"type": "string"
|
|
},
|
|
"policies": {
|
|
"description": "Policies stores a list of Casbin-formatted strings that define access policies for the role in the project",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"type": "array"
|
|
},
|
|
"signatureKeys": {
|
|
"description": "SignatureKeys contains a list of PGP key IDs that commits in Git must be signed with in order to be allowed for sync",
|
|
"items": {
|
|
"description": "SignatureKey is the specification of a key required to verify commit signatures with",
|
|
"type": "object",
|
|
"required": [
|
|
"keyID"
|
|
],
|
|
"properties": {
|
|
"keyID": {
|
|
"description": "The ID of the key in hexadecimal notation",
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"type": "array"
|
|
},
|
|
"sourceNamespaces": {
|
|
"description": "SourceNamespaces defines the namespaces application resources are allowed to be created in",
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"sourceRepos": {
|
|
"description": "SourceRepos contains a list of repository URLs which can be used for deployment",
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"syncWindows": {
|
|
"description": "SyncWindows controls when syncs can be run for apps in this project",
|
|
"items": {
|
|
"description": "SyncWindow contains the kind, time, duration and attributes that are used to assign the syncWindows to apps",
|
|
"type": "object",
|
|
"properties": {
|
|
"andOperator": {
|
|
"description": "UseAndOperator uses the AND operator for matching applications, namespaces and clusters instead of the default OR operator",
|
|
"type": "boolean"
|
|
},
|
|
"applications": {
|
|
"description": "Applications contains a list of applications that the window will apply to",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"clusters": {
|
|
"description": "Clusters contains a list of clusters that the window will apply to",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"duration": {
|
|
"description": "Duration is the amount of time the sync window will be open",
|
|
"type": "string"
|
|
},
|
|
"kind": {
|
|
"description": "Kind defines if the window allows or blocks syncs",
|
|
"type": "string"
|
|
},
|
|
"manualSync": {
|
|
"description": "ManualSync enables manual syncs when they would otherwise be blocked",
|
|
"type": "boolean"
|
|
},
|
|
"namespaces": {
|
|
"description": "Namespaces contains a list of namespaces that the window will apply to",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"schedule": {
|
|
"description": "Schedule is the time the window will begin, specified in cron format",
|
|
"type": "string"
|
|
},
|
|
"timeZone": {
|
|
"description": "TimeZone of the sync that will be applied to the schedule",
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"type": "array"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"status": {
|
|
"description": "AppProjectStatus contains status information for AppProject CRs",
|
|
"properties": {
|
|
"jwtTokensByRole": {
|
|
"additionalProperties": {
|
|
"description": "JWTTokens represents a list of JWT tokens",
|
|
"type": "object",
|
|
"properties": {
|
|
"items": {
|
|
"type": "array",
|
|
"items": {
|
|
"description": "JWTToken holds the issuedAt and expiresAt values of a token",
|
|
"type": "object",
|
|
"required": [
|
|
"iat"
|
|
],
|
|
"properties": {
|
|
"exp": {
|
|
"type": "integer",
|
|
"format": "int64"
|
|
},
|
|
"iat": {
|
|
"type": "integer",
|
|
"format": "int64"
|
|
},
|
|
"id": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"description": "JWTTokensByRole contains a list of JWT tokens issued for a given role",
|
|
"type": "object"
|
|
}
|
|
},
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"metadata",
|
|
"spec"
|
|
],
|
|
"type": "object"
|
|
}