NAIS Application reference
This document describes all possible configuration values in the Application spec, commonly known as the nais.yaml file.

accessPolicy
By default, no traffic is allowed between applications inside the cluster. Configure access policies to explicitly allow communication between applications. This is also used for granting inbound access in the context of Azure AD and TokenX clients.
Type: object
Required: false
Example
spec:
  accessPolicy:
    inbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
        - application: app4
          permissions:
            scopes:
              - custom-scope
        - application: app5
          permissions:
            roles:
              - custom-role
        - application: app6
          permissions:
            roles:
              - custom-role
            scopes:
              - custom-scope
    outbound:
      external:
        - host: external-application.example.com
        - host: non-http-service.example.com
          ports:
            - port: 9200
        - ipv4: 1.2.3.4
        - host: non-http-service.example.com
          ports:
            - port: 9200
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3

accessPolicy.inbound
Configures inbound access for your application.
Type: object
Required: false
Example
spec:
  accessPolicy:
    inbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
        - application: app4
          permissions:
            scopes:
              - custom-scope
        - application: app5
          permissions:
            roles:
              - custom-role
        - application: app6
          permissions:
            roles:
              - custom-role
            scopes:
              - custom-scope

accessPolicy.inbound.rules
List of NAIS applications that may access your application. These settings apply both to Zero Trust network connectivity and token validity for Azure AD and TokenX tokens.
Type: array
Required: true

accessPolicy.inbound.rules[].application
The application's name.
Type: string
Required: true

accessPolicy.inbound.rules[].cluster
The application's cluster. May be omitted if it should be in the same cluster as your application.
Type: string
Required: false

accessPolicy.inbound.rules[].namespace
The application's namespace. May be omitted if it should be in the same namespace as your application.
Type: string
Required: false

accessPolicy.inbound.rules[].permissions
Permissions contains a set of permissions that are granted to the given application. Currently only applicable for Azure AD clients.
Type: object
Required: false

accessPolicy.inbound.rules[].permissions.roles
Roles is a set of custom permission roles that are granted to a given application.
Type: array
Required: false

accessPolicy.inbound.rules[].permissions.scopes
Scopes is a set of custom permission scopes that are granted to a given application.
Type: array
Required: false

accessPolicy.outbound
Configures outbound access for your application.
Type: object
Required: false
Example
spec:
  accessPolicy:
    outbound:
      external:
        - host: external-application.example.com
        - host: non-http-service.example.com
          ports:
            - port: 9200
        - ipv4: 1.2.3.4
        - host: non-http-service.example.com
          ports:
            - port: 9200
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3

accessPolicy.outbound.external
List of external resources that your application should be able to reach.
Type: array
Required: false
Availability: GCP

accessPolicy.outbound.external[].host
The host that your application should be able to reach, without the protocol (e.g. https://). "Host" and "IPv4" are mutually exclusive.
Type: string
Required: false
Pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$

accessPolicy.outbound.external[].ipv4
The IPv4 address that your application should be able to reach. "IPv4" and "Host" are mutually exclusive.
Type: string
Required: false
Pattern: ^(([0-9])|([1-9][0-9])|(1([0-9]{2}))|(2[0-4][0-9])|(25[0-5]))((\.(([0-9])|([1-9][0-9])|(1([0-9]{2}))|(2[0-4][0-9])|(25[0-5]))){3})$

accessPolicy.outbound.external[].ports
List of port rules for external communication. Must be specified if using protocols other than HTTPS.
Type: array
Required: false

accessPolicy.outbound.external[].ports[].port
The port used for communication.
Type: integer
Required: true

accessPolicy.outbound.rules
List of NAIS applications that your application needs to access. These settings apply to Zero Trust network connectivity.
Type: array
Required: false

accessPolicy.outbound.rules[].application
The application's name.
Type: string
Required: true

accessPolicy.outbound.rules[].cluster
The application's cluster. May be omitted if it should be in the same cluster as your application.
Type: string
Required: false

accessPolicy.outbound.rules[].namespace
The application's namespace. May be omitted if it should be in the same namespace as your application.
Type: string
Required: false
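The accessPolicy constraints above (the host and ipv4 patterns, the host/ipv4 exclusivity, the port list, and the breadth of a wildcard inbound rule) can all be checked before a manifest is applied. The following linter is an added example and is not part of the NAIS reference or of the NAIS tooling: it takes the spec as a Python dict rather than parsing YAML, copies the two regular expressions verbatim from the reference, and uses a constructed sample made of the outbound example above plus deliberately malformed entries. The severities and messages are this example's own.

```python
import re

# Patterns copied from the reference entries for outbound.external[].host and [].ipv4.
HOST_RE = re.compile(
    r"^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])"
    r"(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$"
)
OCTET = r"(([0-9])|([1-9][0-9])|(1([0-9]{2}))|(2[0-4][0-9])|(25[0-5]))"
IPV4_RE = re.compile(r"^" + OCTET + r"((\." + OCTET + r"){3})$")


def is_valid_host(host):
    return isinstance(host, str) and HOST_RE.match(host) is not None


def is_valid_ipv4(ip):
    return isinstance(ip, str) and IPV4_RE.match(ip) is not None


def lint_access_policy(spec):
    """Return a list of (severity, message) findings for spec["accessPolicy"]."""
    findings = []
    policy = spec.get("accessPolicy", {})

    # A wildcard inbound rule admits every application in that namespace; flag it
    # so the broad grant is a deliberate choice rather than an oversight.
    for i, rule in enumerate(policy.get("inbound", {}).get("rules", [])):
        if rule.get("application") == "*":
            ns = rule.get("namespace", "<own namespace>")
            findings.append(("warn", f"inbound.rules[{i}]: application '*' admits every app in namespace {ns}"))

    for i, ext in enumerate(policy.get("outbound", {}).get("external", [])):
        where = f"outbound.external[{i}]"
        host, ip = ext.get("host"), ext.get("ipv4")
        if (host is None) == (ip is None):          # both set or neither set
            findings.append(("error", f"{where}: exactly one of host or ipv4 must be set"))
            continue
        if host is not None and "://" in host:
            findings.append(("error", f"{where}: host must be given without a protocol: {host}"))
        elif host is not None and not is_valid_host(host):
            findings.append(("error", f"{where}: host does not match the allowed pattern: {host}"))
        if ip is not None and not is_valid_ipv4(ip):
            findings.append(("error", f"{where}: ipv4 is not a valid dotted-quad address: {ip}"))
        for j, rule in enumerate(ext.get("ports", [])):
            port = rule.get("port")
            if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
                findings.append(("error", f"{where}.ports[{j}]: port must be an integer in 1-65535, got {port!r}"))
    return findings


# Constructed sample: the reference's outbound example plus deliberately malformed entries.
PAGE_EXTERNAL = [
    {"host": "external-application.example.com"},
    {"host": "non-http-service.example.com", "ports": [{"port": 9200}]},
    {"ipv4": "1.2.3.4"},
]
OK_SPEC = {"accessPolicy": {"outbound": {"external": PAGE_EXTERNAL}}}
SAMPLE_SPEC = {
    "accessPolicy": {
        "inbound": {"rules": [{"application": "app1"}, {"application": "*", "namespace": "q3"}]},
        "outbound": {"external": PAGE_EXTERNAL + [
            {"host": "https://bad.example.com"},                    # protocol included
            {"ipv4": "256.1.1.1"},                                  # octet out of range
            {"host": "a.example.com", "ipv4": "10.0.0.1"},          # mutually exclusive
            {"host": "x.example.com", "ports": [{"port": 70000}]},  # port out of range
        ]},
    }
}

if __name__ == "__main__":
    for severity, message in lint_access_policy(SAMPLE_SPEC):
        print(f"{severity:5} {message}")
```

Whether a non-HTTPS host actually needs a ports entry cannot be decided from the manifest alone, so the linter only validates the ports that are present; the protocol check runs before the pattern check so that a pasted URL gets a message naming the real mistake rather than a generic pattern failure.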

azure
Provisions and configures Azure resources.
Type: object
Required: false

azure.application
Configures an Entra ID client for this application.
Type: object
Required: true

azure.application.allowAllUsers
AllowAllUsers grants all users within the tenant access to this application.
Type: boolean
Required: false
Default value: false

azure.application.claims
Claims defines additional configuration of the emitted claims in tokens returned to the Azure AD application.
Type: object
Required: false

azure.application.claims.groups
Groups is a list of Azure AD group IDs to be emitted in the groups claim in tokens issued by Azure AD. This also assigns groups to the application for access control. Only direct members of the groups are granted access.
Type: array
Required: false

azure.application.claims.groups[].id
ID is the actual object ID associated with the given group in Azure AD.
Type: string
Required: false

azure.application.enabled
If enabled, provisions an Entra ID application.
Type: boolean
Required: true
Default value: false

azure.application.tenant
Tenant targets a specific tenant for the Entra ID application. Only works in the development clusters. Only use this if you have a specific reason to do so. Using this will isolate your application from all other applications that are not using the same tenant.
Type: enum
Required: false
Allowed values: nav.no, trygdeetaten.no

azure.sidecar
Sidecar configures a sidecar that intercepts every HTTP request, and performs the OIDC flow if necessary. All requests to ingress + /oauth2 will be processed only by the sidecar, whereas all other requests will be proxied to the application. If the user is authenticated with Entra ID, the Authorization header will be set to Bearer <JWT>.
Type: object
Required: false
Availability: GCP

azure.sidecar.autoLogin
Automatically redirect the user to login for all proxied GET requests.
Type: boolean
Required: false
Default value: false

azure.sidecar.autoLoginIgnorePaths
Absolute paths to ignore when auto-login is enabled.
Type: array
Required: false

azure.sidecar.enabled
Enable the sidecar.
Type: boolean
Required: true

azure.sidecar.resources
Resource requirements for the sidecar container.
Type: object
Required: false

azure.sidecar.resources.limits
Limit defines the maximum amount of resources a container can use before getting evicted.
Type: object
Required: false

azure.sidecar.resources.limits.cpu
Type: string
Required: false
Pattern: ^\d+m?$

azure.sidecar.resources.limits.memory
Type: string
Required: false
Pattern: ^\d+[KMG]i$

azure.sidecar.resources.requests
Request defines the amount of resources a container is allocated on startup.
Type: object
Required: false

azure.sidecar.resources.requests.cpu
Type: string
Required: false
Pattern: ^\d+m?$

azure.sidecar.resources.requests.memory
Type: string
Required: false
Pattern: ^\d+[KMG]i$

command
Override command when starting Docker image.
Type: array
Required: false

env
Custom environment variables injected into your container. Specify either value or valueFrom, but not both.
Type: array
Required: false

env[].name
Environment variable name. May only contain letters, digits, and the underscore _ character.
Type: string
Required: true

env[].value
Environment variable value. Numbers and boolean values must be quoted. Required unless valueFrom is specified.
Type: string
Required: false

env[].valueFrom
Dynamically set environment variables based on fields found in the Pod spec.
Type: object
Required: false

env[].valueFrom.fieldRef
Type: object
Required: true

env[].valueFrom.fieldRef.fieldPath
Field value from the Pod spec that should be copied into the environment variable.
Type: enum
Required: true
Allowed values: (empty string), metadata.annotations, metadata.labels, metadata.name, metadata.namespace, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP

envFrom
EnvFrom exposes all variables in the ConfigMap or Secret resources as environment variables. One of configMap or secret is required. Environment variables will take the form KEY=VALUE, where key is the ConfigMap or Secret key. You can specify as many keys as you like in a single ConfigMap or Secret. The ConfigMap and Secret resources must live in the same Kubernetes namespace as the Application resource.
Type: array
Required: false
Availability: team namespaces

envFrom[].configmap
Name of the ConfigMap where environment variables are specified. Required unless secret is set.
Type: string
Required: false

envFrom[].secret
Name of the Secret where environment variables are specified. Required unless configMap is set.
Type: string
Required: false

filesFrom
List of ConfigMap, Secret, or EmptyDir resources that will have their contents mounted into the containers. Either configMap, secret, or emptyDir is required. Files will take the path <mountPath>/<key>, where key is the ConfigMap or Secret key. You can specify as many keys as you like in a single ConfigMap or Secret, and they will all be mounted to the same directory. If you reference an emptyDir you will just get an empty directory, backed by your requested memory or the disk on the node where your pod is running. The ConfigMap and Secret resources must live in the same Kubernetes namespace as the Application resource.
Type: array
Required: false
Availability: team namespaces

filesFrom[].configmap
Name of the ConfigMap that contains files that should be mounted into the container. Required unless secret or persistentVolumeClaim is set.
Type: string
Required: false

filesFrom[].emptyDir
Specification of an empty directory.
Type: object
Required: false

filesFrom[].emptyDir.medium
Type: enum
Required: false
Allowed values: Disk, Memory

filesFrom[].mountPath
Filesystem path inside the pod where files are mounted. The directory will be created if it does not exist. If the directory exists, any files in the directory will be made inaccessible. Defaults to /var/run/configmaps/<NAME>, /var/run/secrets, or /var/run/pvc/<NAME>, depending on which of them is specified. For EmptyDir, MountPath must be set.
Type: string
Required: false

filesFrom[].persistentVolumeClaim
Name of the PersistentVolumeClaim that should be mounted into the container. Required unless configMap or secret is set. This feature requires coordination with the NAIS team.
Type: string
Required: false

filesFrom[].secret
Name of the Secret that contains files that should be mounted into the container. Required unless configMap or persistentVolumeClaim is set. If mounting multiple secrets, mountPath MUST be set to avoid collisions.
Type: string
Required: false
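The env, envFrom and filesFrom entries carry several rules that are easy to get wrong in a hand-written manifest: the name character set, value versus valueFrom, the allowed fieldPath values, one source per filesFrom entry, the emptyDir mountPath requirement, and the collision that occurs when two secrets both fall back to the /var/run/secrets default. The following checker is an added example, not NAIS code: it applies the defaults and rules exactly as stated in the sections above, takes the spec as a Python dict instead of parsing YAML, uses the lowercase configmap key that the field headings above use, and runs on a constructed sample in which the commented entries each violate one rule.

```python
import re

# env[].name may contain only letters, digits and the underscore, per the reference.
ENV_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")
# Allowed values for env[].valueFrom.fieldRef.fieldPath, as listed above.
ALLOWED_FIELD_PATHS = {
    "", "metadata.annotations", "metadata.labels", "metadata.name", "metadata.namespace",
    "spec.nodeName", "spec.serviceAccountName", "status.hostIP", "status.podIP",
}
FILE_SOURCES = ("configmap", "secret", "emptyDir", "persistentVolumeClaim")


def effective_mount_path(entry):
    """Resolve where a filesFrom entry lands, using the defaults stated for mountPath."""
    if entry.get("mountPath"):
        return entry["mountPath"]
    if "configmap" in entry:
        return f"/var/run/configmaps/{entry['configmap']}"
    if "secret" in entry:
        return "/var/run/secrets"          # shared default: two secrets collide here
    if "persistentVolumeClaim" in entry:
        return f"/var/run/pvc/{entry['persistentVolumeClaim']}"
    return None                            # emptyDir has no default; mountPath is mandatory


def lint_env_and_files(spec):
    """Return a list of messages for inconsistent env, envFrom and filesFrom entries."""
    findings = []
    for i, e in enumerate(spec.get("env", [])):
        name = str(e.get("name", ""))
        if not ENV_NAME_RE.match(name):
            findings.append(f"env[{i}]: invalid name {name!r}")
        if ("value" in e) == ("valueFrom" in e):
            findings.append(f"env[{i}] {name}: set exactly one of value or valueFrom")
        elif "value" in e:
            if not isinstance(e["value"], str):
                findings.append(f"env[{i}] {name}: value must be a quoted string, got {e['value']!r}")
        else:
            field_path = e["valueFrom"].get("fieldRef", {}).get("fieldPath")
            if field_path not in ALLOWED_FIELD_PATHS:
                findings.append(f"env[{i}] {name}: fieldPath {field_path!r} is not an allowed value")

    for i, e in enumerate(spec.get("envFrom", [])):
        if ("configmap" in e) == ("secret" in e):
            findings.append(f"envFrom[{i}]: set exactly one of configmap or secret")

    seen = {}   # effective mount path -> index of the entry that claimed it first
    for i, f in enumerate(spec.get("filesFrom", [])):
        sources = [k for k in FILE_SOURCES if k in f]
        if len(sources) != 1:
            findings.append(f"filesFrom[{i}]: set exactly one source, got {sources}")
            continue
        path = effective_mount_path(f)
        if path is None:
            findings.append(f"filesFrom[{i}]: emptyDir requires an explicit mountPath")
            continue
        if path in seen:
            findings.append(f"filesFrom[{i}]: mount path {path} collides with filesFrom[{seen[path]}]")
        else:
            seen[path] = i
    return findings


# Constructed sample spec; the comments mark the entries that violate a stated rule.
SAMPLE_SPEC = {
    "env": [
        {"name": "DB_HOST", "value": "db.internal"},
        {"name": "POD_NAME", "valueFrom": {"fieldRef": {"fieldPath": "metadata.name"}}},
        {"name": "BAD-NAME", "value": "x"},                       # hyphen is not allowed
        {"name": "BOTH", "value": "a", "valueFrom": {"fieldRef": {"fieldPath": "status.podIP"}}},
        {"name": "PORT", "value": 8080},                          # numbers must be quoted
        {"name": "NODE", "valueFrom": {"fieldRef": {"fieldPath": "spec.hostname"}}},  # not allowed
    ],
    "envFrom": [{"secret": "app-secrets"}, {}],                   # second entry names no source
    "filesFrom": [
        {"secret": "tls-cert"},
        {"secret": "db-ca"},                                      # also defaults to /var/run/secrets
        {"configmap": "app-config"},
        {"emptyDir": {"medium": "Memory"}},                       # mountPath missing
        {"secret": "other", "mountPath": "/var/run/other"},
    ],
}

if __name__ == "__main__":
    for line in lint_env_and_files(SAMPLE_SPEC):
        print(line)
```

The collision check is the one worth keeping even if the rest is dropped: two secrets mounted without mountPath resolve to the same directory, and the section above notes that an existing directory's files are made inaccessible, so the second mount silently hides the first.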

frontend
Configuration options specifically for frontend applications.
Experimental feature: This feature has not undergone much testing, and is subject to API change, instability, or removal.
Type: object
Required: false
Availability: GCP

frontend.generatedConfig
Type: object
Required: false

frontend.generatedConfig.mountPath
If specified, a JavaScript file with application-specific frontend configuration variables will be generated and mounted into the pod file system at the specified path. You can import this file directly from your JavaScript application.
Type: string
Required: true

gcp
Type: object
Required: false
Availability: GCP
Example
spec:
  gcp:
    bigQueryDatasets:
      - cascadingDelete: true
        description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset1
        permission: READWRITE
      - description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset2
        permission: READ
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true
    permissions:
      - resource:
          apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
          kind: Project
          name: myteam-dev-ab23
        role: roles/cloudsql.client
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.bigQueryDatasets
Provision BigQuery datasets and give your application's pod mountable secrets for connecting to each dataset. Datasets are immutable and cannot be changed.
Type: array
Required: false
Availability: GCP
Example
spec:
  gcp:
    bigQueryDatasets:
      - cascadingDelete: true
        description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset1
        permission: READWRITE
      - description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset2
        permission: READ

gcp.bigQueryDatasets[].cascadingDelete
When set to true, the dataset will be deleted when the application resource is deleted. NB: If no tables exist in the BigQuery dataset, it will delete the dataset even if this value is set/defaulted to false. Default value is false.
Type: boolean
Required: false
Immutable: true

gcp.bigQueryDatasets[].description
Human-readable description of what this BigQuery dataset contains, or is used for. Will be visible in the GCP Console.
Type: string
Required: false
Immutable: true

gcp.bigQueryDatasets[].name
Name of the BigQuery Dataset. The canonical name of the dataset will be <TEAM_PROJECT_ID>:<NAME>.
Type: string
Required: true
Immutable: true
Pattern: ^[a-z0-9][a-z0-9_]+$

gcp.bigQueryDatasets[].permission
Permission level given to application.
Type: enum
Required: true
Immutable: true
Allowed values: READ, READWRITE

gcp.buckets
Provision cloud storage buckets and connect them to your application.
Type: array
Required: false
Availability: GCP

gcp.buckets[].cascadingDelete
Allows deletion of bucket. Set to true if you want to delete the bucket.
Type: boolean
Required: false

gcp.buckets[].lifecycleCondition
Conditions for the bucket to use when selecting objects to delete in cleanup.
Type: object
Required: false

gcp.buckets[].lifecycleCondition.age
Condition is satisfied when the object reaches the specified age in days. These will be deleted.
Type: integer
Required: false

gcp.buckets[].lifecycleCondition.createdBefore
Condition is satisfied when the object is created before midnight on the specified date. These will be deleted.
Type: string
Required: false

gcp.buckets[].lifecycleCondition.numNewerVersions
Condition is satisfied when the object has the specified number of newer versions. The older versions will be deleted.
Type: integer
Required: false

gcp.buckets[].lifecycleCondition.withState
Condition is satisfied when the object has the specified state.
Type: enum
Required: false
Allowed values: (empty string), ANY, ARCHIVED, LIVE

gcp.buckets[].name
The name of the bucket.
Type: string
Required: true

gcp.buckets[].publicAccessPrevention
Public access prevention allows you to prevent public access to your bucket.
Type: boolean
Required: false
Default value: false

gcp.buckets[].retentionPeriodDays
The number of days to hold objects in the bucket before it is allowed to delete them.
Type: integer
Required: false
Value range: 1-36500

gcp.buckets[].uniformBucketLevelAccess
Allows you to uniformly control access to your Cloud Storage resources. When you enable uniform bucket-level access on a bucket, Access Control Lists (ACLs) are disabled, and only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects it contains. Uniform access control can not be reversed after 90 days! This is controlled by Google.
Type: boolean
Required: false
Default value: false

gcp.permissions
List of additional permissions that should be granted to your application for accessing external GCP resources that have not been provisioned through NAIS.
Type: array
Required: false
Availability: GCP

gcp.permissions[].resource
IAM resource to bind the role to.
Type: object
Required: true

gcp.permissions[].resource.apiVersion
Kubernetes APIVersion.
Type: string
Required: true

gcp.permissions[].resource.kind
Kubernetes Kind.
Type: string
Required: true

gcp.permissions[].resource.name
Kubernetes Name.
Type: string
Required: false

gcp.permissions[].role
Name of the GCP role to bind the resource to.
Type: string
Required: true

gcp.sqlInstances
Provision database instances and connect them to your application. Only one item allowed in the list.
Relevant information:
- https://doc.nais.io/persistence/postgres/
- https://cloud.google.com/sql/docs/postgres/instance-settings#impact
Type: array
Required: false
Availability: GCP
Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].autoBackupHour
If specified, run automatic backups of the SQL database at the given hour. Note that this will backup the whole SQL instance, and not separate databases. Restores are done using the Google Cloud Console.
Type: integer
Required: false
Value range: 0-23

gcp.sqlInstances[].cascadingDelete
Remove the entire Postgres server including all data when the Kubernetes resource is deleted. THIS IS A DESTRUCTIVE OPERATION! Set cascading delete only when you want to remove data forever.
Type: boolean
Required: false
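Several gcp fields on this page default to the weaker or the more dangerous setting: publicAccessPrevention and uniformBucketLevelAccess are both false unless set, and cascadingDelete on buckets, BigQuery datasets and SQL instances removes data together with the Application resource. The following pre-deployment check is an added example and not NAIS code; it covers the gcp.buckets section above and the cascadingDelete fields of all three resource kinds, applies the value ranges and allowed values exactly as the reference states them, and runs on a constructed copy of the gcp example plus one bucket left at the defaults. Severity names and messages are this example's own.

```python
import re

DATASET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_]+$")    # gcp.bigQueryDatasets[].name pattern
BUCKET_STATES = {None, "", "ANY", "ARCHIVED", "LIVE"}     # lifecycleCondition.withState values


def lint_gcp(spec):
    """Return a list of (severity, message) findings for the gcp block of an Application spec."""
    findings = []
    gcp = spec.get("gcp", {})

    for i, b in enumerate(gcp.get("buckets", [])):
        name = b.get("name", f"buckets[{i}]")
        # Both flags default to false, so an unset value is the weak setting.
        if not b.get("publicAccessPrevention", False):
            findings.append(("warn", f"bucket {name}: publicAccessPrevention is false (default)"))
        if not b.get("uniformBucketLevelAccess", False):
            findings.append(("warn", f"bucket {name}: uniformBucketLevelAccess is false (default); object ACLs stay in effect"))
        days = b.get("retentionPeriodDays")
        if days is not None and not 1 <= days <= 36500:
            findings.append(("error", f"bucket {name}: retentionPeriodDays {days} outside 1-36500"))
        state = b.get("lifecycleCondition", {}).get("withState")
        if state not in BUCKET_STATES:
            findings.append(("error", f"bucket {name}: lifecycleCondition.withState {state!r} not allowed"))
        if b.get("cascadingDelete"):
            findings.append(("warn", f"bucket {name}: cascadingDelete=true removes the bucket with the Application"))

    for i, ds in enumerate(gcp.get("bigQueryDatasets", [])):
        name = ds.get("name", f"bigQueryDatasets[{i}]")
        if not DATASET_NAME_RE.match(str(name)):
            findings.append(("error", f"dataset {name}: name does not match ^[a-z0-9][a-z0-9_]+$"))
        if ds.get("permission") not in ("READ", "READWRITE"):
            findings.append(("error", f"dataset {name}: permission must be READ or READWRITE"))
        if ds.get("cascadingDelete"):
            findings.append(("warn", f"dataset {name}: cascadingDelete=true removes the dataset with the Application"))

    instances = gcp.get("sqlInstances", [])
    if len(instances) > 1:
        findings.append(("error", "sqlInstances: only one item is allowed"))
    for i, inst in enumerate(instances):
        name = inst.get("name", f"sqlInstances[{i}]")
        if inst.get("cascadingDelete"):
            findings.append(("warn", f"sqlInstance {name}: cascadingDelete=true deletes the server and all data with the resource"))
        if len(inst.get("databases", [])) > 1:
            findings.append(("error", f"sqlInstance {name}: at most one database may be listed"))
        hour = inst.get("autoBackupHour")
        if hour is not None and not 0 <= hour <= 23:
            findings.append(("error", f"sqlInstance {name}: autoBackupHour {hour} outside 0-23"))
        if inst.get("diskAutoresize") and "diskSize" in inst:
            findings.append(("info", f"sqlInstance {name}: diskSize is ignored while diskAutoresize is true"))
    return findings


def severity_counts(findings):
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample: the relevant parts of the reference's gcp example, plus one extra bucket
# that is left at the defaults and has an out-of-range retention period.
PAGE_GCP = {
    "bigQueryDatasets": [
        {"cascadingDelete": True, "name": "my_bigquery_dataset1", "permission": "READWRITE"},
        {"name": "my_bigquery_dataset2", "permission": "READ"},
    ],
    "buckets": [
        {"cascadingDelete": True, "name": "my-cloud-storage-bucket", "publicAccessPrevention": True,
         "retentionPeriodDays": 30, "uniformBucketLevelAccess": True,
         "lifecycleCondition": {"age": 10, "withState": "ARCHIVED"}},
    ],
    "sqlInstances": [
        {"autoBackupHour": 1, "cascadingDelete": True, "name": "myinstance", "diskAutoresize": True,
         "diskSize": 30, "databases": [{"name": "mydatabase", "envVarPrefix": "DB"}]},
    ],
}
WEAK_BUCKET = {"name": "public-assets", "retentionPeriodDays": 0}
SAMPLE_SPEC = {"gcp": {**PAGE_GCP, "buckets": PAGE_GCP["buckets"] + [WEAK_BUCKET]}}

if __name__ == "__main__":
    for severity, message in lint_gcp(SAMPLE_SPEC):
        print(f"{severity:5} {message}")
```

The cascadingDelete findings are warnings rather than errors on purpose: the flag is legitimate for throwaway environments, but since the reference marks the SQL variant as destructive and irreversible, a review step should see it every time it is set.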

gcp.sqlInstances[].collation
Sort order for ORDER BY ... clauses.
Type: string
Required: false

gcp.sqlInstances[].databases
List of one database or less(!) that should be created on this Postgres server. If not present, a default database with the same name as the application will be created.
Type: array
Required: false

gcp.sqlInstances[].databases[].envVarPrefix
Prefix to add to environment variables made available for database connection. If switching to EnvVarPrefix you need to reset database credentials.
Type: string
Required: false

gcp.sqlInstances[].databases[].name
Database name. Be aware that only one database with this name is allowed in a namespace, regardless of which SQLInstance it belongs to.
Type: string
Required: true

gcp.sqlInstances[].databases[].users
Add extra users for database access. These users need to be manually given access to database tables.
Type: array
Required: false

gcp.sqlInstances[].databases[].users[].name
User name.
Type: string
Required: true
Pattern: ^[_a-zA-Z][-_a-zA-Z0-9]+$

gcp.sqlInstances[].diskAutoresize
When set to true, GCP will automatically increase storage by XXX for the database when disk usage is above the high water mark. Setting this field to true also disables manual control over disk size, i.e. the diskSize parameter will be ignored.
Type: boolean
Required: false

gcp.sqlInstances[].diskAutoresizeLimit
The maximum size, in GB, to which storage capacity can be automatically increased. The default value is 0, which specifies that there is no limit.
Type: integer
Required: false
Default value: 0
Value range: 0-1000

gcp.sqlInstances[].diskSize
How much hard drive space to allocate for the SQL server, in gigabytes. This parameter is used when first provisioning a server. Disk size can be changed using this field only when diskAutoresize is set to false.
Type: integer
Required: false
Minimum value: 10

gcp.sqlInstances[].diskType
Disk type to use for storage in the database.
Type: enum
Required: false
Allowed values: HDD, SSD
gcp.sqlInstances[].flags
Set flags to control the behavior of the instance. Be aware that NAIS does not validate these flags, so take extra care to make sure the values match against the specification, otherwise your deployment will seemingly work OK, but the database flags will not function as expected.
Experimental feature
This feature has not undergone much testing, and is subject to API change, instability, or removal.
Type: array
Required: false
gcp.sqlInstances[].flags[].name
Name of the flag.
Type: string
Required: true
gcp.sqlInstances[].flags[].value
Value of the flag.
Type: string
Required: true
gcp.sqlInstances[].highAvailability
When set to true, this sets up a standby database for failover.
Type: boolean
Required: false
gcp.sqlInstances[].insights
Configures Query Insights, which is now enabled by default for new SQL instances.
Type: object
Required: false
gcp.sqlInstances[].insights.enabled
True if Query Insights feature is enabled.
Type: boolean
Required: false
Default value: true
gcp.sqlInstances[].insights.queryStringLength
Maximum query length stored, in bytes. Between 256 and 4500. Defaults to 1024.
Type: integer
Required: false
Value range: 256-4500
gcp.sqlInstances[].insights.recordApplicationTags
True if Query Insights records application tags from queries when enabled.
Type: boolean
Required: false
gcp.sqlInstances[].insights.recordClientAddress
True if Query Insights records the client address when enabled.
Type: boolean
Required: false
gcp.sqlInstances[].maintenance
Desired maintenance window for database updates.
Type: object
Required: false
gcp.sqlInstances[].maintenance.day
Type: integer
Required: false
Value range: 1-7
gcp.sqlInstances[].maintenance.hour
Type: integer
Required: false
Value range: 0-23
gcp.sqlInstances[].name
The name of the instance. If omitted, the application name is used.
Type: string
Required: false
gcp.sqlInstances[].pointInTimeRecovery
Enables point-in-time recovery for SQL instances using write-ahead logs.
Type: boolean
Required: false
gcp.sqlInstances[].retainedBackups
Number of daily backups to retain. Defaults to 7 backups. The number of retained backups must be greater than or equal to transactionLogRetentionDays.
Type: integer
Required: false
Default value: 7
Value range: 1-365
gcp.sqlInstances[].tier
Server tier, i.e. how much CPU and memory is allocated.
Available tiers are db-f1-micro, db-g1-small and custom db-custom-CPU-RAM.
Custom instances must specify memory as a multiple of 256 MB and at least 3.75 GB (e.g. db-custom-1-3840 for 1 CPU, 3840 MB RAM).
The smallest possible instance is db-f1-micro, which is recommended only for development instances.
For production workloads, please specify at least db-custom-1-3840.
Type: string
Required: true
Pattern: db-.+
gcp.sqlInstances[].transactionLogRetentionDays
The number of days of transaction logs GCP retains for point-in-time restores.
Type: integer
Required: false
Default value: 7
Value range: 1-7
gcp.sqlInstances[].type
PostgreSQL version.
Type: enum
Required: true
Allowed values: POSTGRES_11, POSTGRES_12, POSTGRES_13, POSTGRES_14, POSTGRES_15, POSTGRES_16
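The constraints listed for the gcp.sqlInstances[] fields above (disk size and autoresize limit, disk type, Query Insights length, maintenance window, retained backups versus transaction-log retention, the tier rules and the PostgreSQL version), together with the warning that NAIS does not validate flags, turned into a pre-deployment check. This is an added example and not NAIS or naiserator code; it assumes nais.yaml is already parsed into a dict (for instance with PyYAML), and the function and sample names are made up.

```python
"""Pre-deployment check for one gcp.sqlInstances[] entry of a nais.yaml.
Added example, not from the NAIS docs or naiserator: it assumes the manifest
is already parsed into a dict (e.g. with PyYAML) and re-applies the
constraints stated in the reference above."""
import re

ALLOWED_DISK_TYPES = {"HDD", "SSD"}
ALLOWED_PG_TYPES = {f"POSTGRES_{v}" for v in (11, 12, 13, 14, 15, 16)}
TIER_RE = re.compile(r"^db-.+$")                         # documented pattern
CUSTOM_TIER_RE = re.compile(r"^db-custom-(\d+)-(\d+)$")  # db-custom-CPU-RAM


def _in_range(name, value, lo, hi, problems):
    """Report a field that is not an integer or lies outside [lo, hi]."""
    if isinstance(value, bool) or not isinstance(value, int):
        problems.append(f"{name}: expected an integer, got {value!r}")
    elif value < lo:
        problems.append(f"{name}: {value} is below the minimum {lo}")
    elif hi is not None and value > hi:
        problems.append(f"{name}: {value} is above the maximum {hi}")


def check_tier(tier, problems, production=False):
    """Tier must match db-.+; custom tiers need RAM as a multiple of 256 MB and
    at least 3840 MB; db-f1-micro is recommended only for development."""
    if not isinstance(tier, str) or not TIER_RE.match(tier):
        problems.append(f"tier: {tier!r} does not match db-.+")
        return
    custom = CUSTOM_TIER_RE.match(tier)
    if custom:
        ram_mb = int(custom.group(2))
        if ram_mb % 256 != 0:
            problems.append(f"tier: {ram_mb} MB RAM is not a multiple of 256 MB")
        if ram_mb < 3840:
            problems.append(f"tier: {ram_mb} MB RAM is below the 3840 MB minimum")
    elif production and tier == "db-f1-micro":
        problems.append("tier: db-f1-micro is recommended only for development")


def check_sql_instance(inst, production=False):
    """Return the list of problems found in one sqlInstances[] entry."""
    problems = []
    if inst.get("type") not in ALLOWED_PG_TYPES:
        problems.append(f"type: {inst.get('type')!r} is not an allowed PostgreSQL version")
    if "tier" not in inst:
        problems.append("tier: required")
    else:
        check_tier(inst["tier"], problems, production)
    if "diskType" in inst and inst["diskType"] not in ALLOWED_DISK_TYPES:
        problems.append(f"diskType: {inst['diskType']!r} is not HDD or SSD")
    for field, lo, hi in (("diskSize", 10, None), ("diskAutoresizeLimit", 0, 1000)):
        if field in inst:
            _in_range(field, inst[field], lo, hi, problems)
    nested = (("insights", "queryStringLength", 256, 4500),
              ("maintenance", "day", 1, 7), ("maintenance", "hour", 0, 23))
    for section, field, lo, hi in nested:
        if field in inst.get(section, {}):
            _in_range(f"{section}.{field}", inst[section][field], lo, hi, problems)
    # Backups: both fields default to 7, and retained backups must be >= the
    # transaction-log window that point-in-time recovery relies on.
    retained = inst.get("retainedBackups", 7)
    log_days = inst.get("transactionLogRetentionDays", 7)
    _in_range("retainedBackups", retained, 1, 365, problems)
    _in_range("transactionLogRetentionDays", log_days, 1, 7, problems)
    if isinstance(retained, int) and isinstance(log_days, int) and retained < log_days:
        problems.append(f"retainedBackups {retained} < transactionLogRetentionDays {log_days}")
    # NAIS does not validate flags, so at least catch the most common slip: an
    # unquoted YAML number arrives as an int, not the string the spec expects.
    for i, flag in enumerate(inst.get("flags", [])):
        for key in ("name", "value"):
            if not isinstance(flag.get(key), str):
                problems.append(f"flags[{i}].{key}: must be a string, got {flag.get(key)!r}")
    return problems


# Constructed sample: the instance from the example above, limited to the
# fields this check reads.
DOC_EXAMPLE = {
    "diskAutoresizeLimit": 60, "diskSize": 30, "diskType": "SSD",
    "flags": [{"name": "max_connections", "value": "50"}],
    "insights": {"enabled": True, "queryStringLength": 4500},
    "maintenance": {"day": 1, "hour": 4},
    "retainedBackups": 14, "transactionLogRetentionDays": 3,
    "tier": "db-f1-micro", "type": "POSTGRES_12",
}

# Constructed sample that breaks eight of the documented constraints.
BAD_EXAMPLE = {
    "type": "POSTGRES_10",                    # not an allowed version
    "tier": "db-custom-1-3000",               # not a multiple of 256 and below 3840
    "diskSize": 5,                            # below the minimum of 10
    "retainedBackups": 3,                     # fewer than transactionLogRetentionDays
    "transactionLogRetentionDays": 7,
    "insights": {"queryStringLength": 100},   # below 256
    "maintenance": {"day": 0, "hour": 4},     # day must be 1-7
    "flags": [{"name": "max_connections", "value": 50}],  # unquoted number
}
```

Running check_sql_instance(DOC_EXAMPLE) returns an empty list, and with production=True it returns only the db-f1-micro advisory; BAD_EXAMPLE yields eight findings.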
idporten
Configures ID-porten authentication for this application. See ID-porten for more details.
Type: object
Required: false
idporten.enabled
Enable ID-porten authentication. Requires .spec.idporten.sidecar.enabled=true.
Type: boolean
Required: true
Availability: GCP
idporten.sidecar
Sidecar configures a sidecar that intercepts every HTTP request, and performs the OIDC flow if necessary.
All requests to ingress + /oauth2 will be processed only by the sidecar, whereas all other requests will be proxied to the application.
If the user is authenticated with ID-porten, the Authorization header will be set to Bearer <JWT>.
Type: object
Required: false
Availability: GCP
idporten.sidecar.autoLogin
Automatically redirect the user to login for all proxied GET requests.
Type: boolean
Required: false
Default value: false
idporten.sidecar.autoLoginIgnorePaths
Absolute paths to ignore when auto-login is enabled.
Type: array
Required: false
idporten.sidecar.enabled
Enable the sidecar.
Type: boolean
Required: true
idporten.sidecar.level
Default security level for all authentication requests.
Type: enum
Required: false
Default value: idporten-loa-high
Allowed values: Level3, Level4, idporten-loa-high, idporten-loa-substantial
idporten.sidecar.locale
Default user interface locale for all authentication requests.
Type: enum
Required: false
Default value: nb
Allowed values: en, nb, nn, se
idporten.sidecar.resources
Resource requirements for the sidecar container.
Type: object
Required: false
idporten.sidecar.resources.limits
Limit defines the maximum amount of resources a container can use before getting evicted.
Type: object
Required: false
idporten.sidecar.resources.limits.cpu
Type: string
Required: false
Pattern: ^\d+m?$
idporten.sidecar.resources.limits.memory
Type: string
Required: false
Pattern: ^\d+[KMG]i$
idporten.sidecar.resources.requests
Request defines the amount of resources a container is allocated on startup.
Type: object
Required: false
idporten.sidecar.resources.requests.cpu
Type: string
Required: false
Pattern: ^\d+m?$
idporten.sidecar.resources.requests.memory
Type: string
Required: false
Pattern: ^\d+[KMG]i$
image
Your application's Docker image location and tag.
Type: string
Required: true
influx
An InfluxDB via Aiven. A typical use case for influxdb is to store metrics from your application and visualize them in Grafana.
Type: object
Required: false
Availability: GCP
influx.instance
Provisions an InfluxDB instance and configures your application to access it.
Use the prefix: influx- + team that you specified in the navikt/aiven-iac repository.
Type: string
Required: true
ingresses
List of URLs that will route HTTPS traffic to the application.
All URLs must start with https://. Domain availability differs according to which environment your application is running in.
Check the available environments in the reference documentation.
Type: array
Required: false
kafka
Set up Aiven Kafka for your application.
Type: object
Required: false
kafka.pool
Configures your application to access an Aiven Kafka cluster.
Type: string
Required: true
kafka.streams
Allow this app to use Kafka Streams.
Type: boolean
Required: false
Default value: false
Availability: GCP
leaderElection
If true, an HTTP endpoint will be available at $ELECTOR_GET_URL that returns the current leader.
Type: boolean
Required: false
liveness
Many applications running for long periods of time eventually transition to broken states, and cannot recover except by being restarted. Kubernetes provides liveness probes to detect and remedy such situations. Read more about this over at the Kubernetes probes documentation.
Type: object
Required: false
liveness.failureThreshold
When a Pod starts, and the probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of a startup probe means restarting the Pod.
Type: integer
Required: false
Default value: 3
liveness.initialDelay
Number of seconds after the container has started before startup probes are initiated.
Type: integer
Required: false
liveness.path
HTTP endpoint path that signals 200 OK if the application has started successfully.
Type: string
Required: true
liveness.periodSeconds
How often (in seconds) to perform the probe.
Type: integer
Required: false
Default value: 10
liveness.port
Port for the startup probe.
Type: integer
Required: false
liveness.timeout
Number of seconds after which the probe times out.
Type: integer
Required: false
Default value: 1
logformat
Format of the logs from the container. Use this if the container doesn't support JSON logging and the log is in a special format that needs to be parsed.
Type: enum
Required: false
Allowed values: (empty string), accesslog, accesslog_with_processing_time, accesslog_with_referer_useragent, capnslog, glog, gokit, influxdb, log15, logrus, redis, simple
login
Login configures a login proxy that sits in front of the application.
Type: object
Required: false
Availability: Tenant: SSB
login.enforce
Enforce login for all requests to the application.
Type: object
Required: false
login.enforce.enabled
If enabled, all unauthenticated requests to the application will be redirected to the login provider.
Type: boolean
Required: true
login.enforce.excludePaths
Absolute paths to ignore when enforcing login.
Type: array
Required: false
login.provider
Provider configures the authentication provider for the application.
Type: enum
Required: true
Allowed values: openid
logtransform
Extra filters for modifying log content. This can e.g. be used for setting the log level based on the HTTP status code.
Type: enum
Required: false
Allowed values: dns_loglevel, http_loglevel
maskinporten
Configures a Maskinporten client for this application. See Maskinporten for more details.
Type: object
Required: false
maskinporten.enabled
If enabled, provisions and configures a Maskinporten client with consumed scopes and/or exposed scopes with DigDir.
Type: boolean
Required: true
Default value: false
Availability: team namespaces
maskinporten.scopes
Schema to configure Maskinporten clients with consumed scopes and/or exposed scopes.
Type: object
Required: false
maskinporten.scopes.consumes
This is the Schema for the consumes and exposes API. consumes is a list of scopes that your client can request access to.
Type: array
Required: false
maskinporten.scopes.consumes[].name
The scope consumed by the application to gain access to an external organization API. Ensure that the NAV organization has been granted access to the scope prior to requesting access.
Type: string
Required: true
maskinporten.scopes.exposes
exposes is a list of scopes your application wants to expose to other organizations, where access to the scope is based on organization number.
Type: array
Required: false
maskinporten.scopes.exposes[].accessibleForAll
Allow any organization to access the scope.
Type: boolean
Required: false
Default value: false
maskinporten.scopes.exposes[].allowedIntegrations
Whitelist of allowed integrations. Default is maskinporten.
Type: array
Required: false
Default value: maskinporten
maskinporten.scopes.exposes[].atMaxAge
Max time in seconds for an issued access_token. Default is 30 sec.
Type: integer
Required: false
Default value: 30
Value range: 30-680
maskinporten.scopes.exposes[].consumers
External consumers granted access to this scope and able to request access_token.
Type: array
Required: false
maskinporten.scopes.exposes[].consumers[].name
This is a descriptive field intended for clarity; it is not used for any other purpose.
Type: string
Required: false
maskinporten.scopes.exposes[].consumers[].orgno
The external business/organization number.
Type: string
Required: true
Pattern: ^\d{9}$
maskinporten.scopes.exposes[].delegationSource
Delegation source for the scope. Default is empty, which means no delegation is allowed.
Type: enum
Required: false
Allowed values: altinn
maskinporten.scopes.exposes[].enabled
If enabled, the configured scope is available to be used and consumed by organizations granted access.
Type: boolean
Required: true
maskinporten.scopes.exposes[].name
The actual subscope combined with Product.
Ensure that <Product><Name> matches Pattern.
Type: string
Required: true
Default value: false
Pattern: ^([a-zæøå0-9]+\/?)+(\:[a-zæøå0-9]+)*[a-zæøå0-9]+(\.[a-zæøå0-9]+)*$
maskinporten.scopes.exposes[].product
The product area your application belongs to, e.g. arbeid, helse ...
This will be included in the final scope nav:<Product><Name>.
Type: string
Required: true
Pattern: ^[a-z0-9]+$
maskinporten.scopes.exposes[].separator
Separator is the character that separates product and name in the final scope:
scope := <prefix>:<product><separator><name>
This overrides the default separator.
The default separator is :. If name contains /, the default separator is instead /.
Type: string
Required: false
Pattern: ^[\/:]$
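The scope construction described for product, name and separator above, together with the pattern, range and consumer rules of the exposes[] fields, as an added example that is not NAIS or naiserator code. It assumes the manifest is already parsed into a dict and that the prefix is nav, as in the final scope nav:<Product><Name>; the function and sample names are made up.

```python
"""Compute and validate the final Maskinporten scope for one
maskinporten.scopes.exposes[] entry. Added example, not from the NAIS docs or
naiserator: it assumes the manifest is parsed into a dict and that the scope
prefix is "nav", as the final scope nav:<Product><Name> above indicates."""
import re

PREFIX = "nav"
PRODUCT_RE = re.compile(r"^[a-z0-9]+$")
NAME_RE = re.compile(r"^([a-zæøå0-9]+\/?)+(\:[a-zæøå0-9]+)*[a-zæøå0-9]+(\.[a-zæøå0-9]+)*$")
SEPARATOR_RE = re.compile(r"^[\/:]$")
ORGNO_RE = re.compile(r"^\d{9}$")
ALLOWED_DELEGATION = {"altinn"}


def default_separator(name):
    """The default separator is ':' unless name contains '/', then it is '/'."""
    return "/" if "/" in name else ":"


def final_scope(exposed):
    """scope := <prefix>:<product><separator><name>, honouring an explicit separator."""
    name = exposed["name"]
    sep = exposed.get("separator") or default_separator(name)
    return f"{PREFIX}:{exposed['product']}{sep}{name}"


def check_exposed_scope(exposed):
    """Return (final scope or None, list of problems) for one exposes[] entry."""
    problems = []
    product, name = exposed.get("product", ""), exposed.get("name", "")
    if not PRODUCT_RE.match(product):
        problems.append(f"product: {product!r} does not match ^[a-z0-9]+$")
    if not NAME_RE.match(name):
        problems.append(f"name: {name!r} does not match the documented pattern")
    sep = exposed.get("separator")
    if sep is not None and not SEPARATOR_RE.match(sep):
        problems.append(f"separator: {sep!r} must be ':' or '/'")
    if "enabled" not in exposed:
        problems.append("enabled: required")
    max_age = exposed.get("atMaxAge", 30)
    if isinstance(max_age, bool) or not isinstance(max_age, int) or not 30 <= max_age <= 680:
        problems.append(f"atMaxAge: {max_age!r} is outside 30-680")
    delegation = exposed.get("delegationSource")
    if delegation is not None and delegation not in ALLOWED_DELEGATION:
        problems.append(f"delegationSource: {delegation!r} is not an allowed value")
    for i, consumer in enumerate(exposed.get("consumers", [])):
        orgno = consumer.get("orgno")
        # The pattern is for a string; an unquoted YAML number arrives as an int.
        if not isinstance(orgno, str) or not ORGNO_RE.match(orgno):
            problems.append(f"consumers[{i}].orgno: {orgno!r} is not a 9-digit string")
    scope = final_scope(exposed) if product and name else None
    return scope, problems


def can_request_token(exposed, orgno):
    """Whether an organization may request an access_token for this scope:
    nobody while the scope is disabled, everybody with accessibleForAll,
    otherwise only the listed consumers."""
    if not exposed.get("enabled", False):
        return False
    if exposed.get("accessibleForAll", False):
        return True
    return any(c.get("orgno") == orgno for c in exposed.get("consumers", []))


# Constructed sample entries (not from the reference).
SIMPLE_SCOPE = {
    "name": "some.scope", "product": "arbeid", "enabled": True,
    "consumers": [{"name": "Example AS", "orgno": "123456789"}],
}
SLASH_SCOPE = {                         # '/' in name flips the default separator
    "name": "some/scope", "product": "helse", "enabled": True, "atMaxAge": 120,
    "consumers": [{"orgno": 123456789}],  # unquoted in YAML: arrives as an int
}
```

final_scope(SIMPLE_SCOPE) gives nav:arbeid:some.scope, while SLASH_SCOPE gives nav:helse/some/scope and one finding for the unquoted orgno.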
observability
Configuration options related to application observability.
Type: object
Required: false
observability.autoInstrumentation
Auto-instrumentation for your application using OpenTelemetry for collecting telemetry data such as traces, metrics and logs.
Type: object
Required: false
observability.autoInstrumentation.destinations
Destinations are where telemetry data should be stored.
Type: array
Required: false
observability.autoInstrumentation.destinations[].id
Destination ID.
Type: string
Required: true
observability.autoInstrumentation.enabled
Enable automatic instrumentation of your application using OpenTelemetry Agent.
Type: boolean
Required: false
observability.autoInstrumentation.runtime
Application runtime. Supported runtimes are java, nodejs, python, sdk.
Type: enum
Required: false
Allowed values: java, nodejs, python, sdk
observability.logging
Configure logging for your application.
Type: object
Required: false
observability.logging.destinations
Log destinations for where to forward application logs for persistent storage. Leave empty to use default destinations.
Type: array
Required: false
observability.logging.destinations[].id
Type: string
Required: true
observability.logging.enabled
Enable forwarding of application logs to persistent storage.
Type: boolean
Required: false
Default value: true
openSearch
OpenSearch instance to get credentials for. Must be owned by same team.
Type: object
Required: false
openSearch.access
Access level for the OpenSearch user.
Type: enum
Required: false
Allowed values: admin, read, readwrite, write
openSearch.instance
Configure your application to access your OpenSearch instance. The last part of the name used when creating the instance (i.e. opensearch-{team}-{instance}).
Type: string
Required: true
port
The port number which is exposed by the container and should receive traffic. Note that ports under 1024 are unavailable.
Type: integer
Required: false
Default value: 8080
preStopHook
PreStopHook is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits by itself. The reason for termination is passed to the handler.
Relevant information:
- https://doc.nais.io/workloads/explanations/good-practices/#handles-termination-gracefully
- https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
Type: object
Required: false
preStopHook.exec
Command that should be run inside the main container just before the pod is shut down by Kubernetes.
Type: object
Required: false
preStopHook.exec.command
Command is the command line to execute inside the container before the pod is shut down. The command is not run inside a shell, so traditional shell instructions (pipes, redirects, etc.) won't work. To use a shell, you need to explicitly call out to that shell.
If the exit status is non-zero, the pod will still be shut down, and marked as Failed.
Type: array
Required: false
preStopHook.http
HTTP GET request that is called just before the pod is shut down by Kubernetes.
Type: object
Required: false
preStopHook.http.path
Path to access on the HTTP server.
Type: string
Required: true
preStopHook.http.port
Port to access on the container.
Defaults to application port, as defined in .spec.port.
Type: integer
Required: false
Value range: 1-65535
preStopHookPath
An HTTP GET will be issued to this endpoint at least once before the pod is terminated. This feature is deprecated and will be removed in the next major version (nais.io/v1).
Type: string
Required: false
prometheus
Prometheus is used to scrape metrics from the pod. Use this configuration to override the default values.
Type: object
Required: false
prometheus.enabled
Type: boolean
Required: false
prometheus.path
Type: string
Required: false
Default value: /metrics
prometheus.port
Type: string
Required: false
readiness
Sometimes, applications are temporarily unable to serve traffic. For example, an application might need to load large data or configuration files during startup, or depend on external services after startup. In such cases, you don't want to kill the application, but you don't want to send it requests either. Kubernetes provides readiness probes to detect and mitigate these situations. A pod with containers reporting that they are not ready does not receive traffic through Kubernetes Services. Read more about this over at the Kubernetes readiness documentation.
Type: object
Required: false
readiness.failureThreshold
When a Pod starts, and the probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of a startup probe means restarting the Pod.
Type: integer
Required: false
readiness.initialDelay
Number of seconds after the container has started before startup probes are initiated.
Type: integer
Required: false
readiness.path
HTTP endpoint path that signals 200 OK if the application has started successfully.
Type: string
Required: true
readiness.periodSeconds
How often (in seconds) to perform the probe.
Type: integer
Required: false
readiness.port
Port for the startup probe.
Type: integer
Required: false
readiness.timeout
Number of seconds after which the probe times out.
Type: integer
Required: false
redirects
List of ingress redirects.
Type: array
Required: false
redirects[].from
Type: string
Required: true
Pattern: ^https:\/\/.+$
redirects[].to
Type: string
Required: true
Pattern: ^https:\/\/.+$
redis
List of redis instances this job needs credentials for. Must be owned by same team.
Type: array
Required: false
redis[].access
Access level for the redis user.
Type: enum
Required: false
Allowed values: admin, read, readwrite, write
redis[].instance
The last part of the name used when creating the instance (i.e. redis-{team}-{instance}).
Type: string
Required: false
replicas
The number of pods to run in parallel.
Type: object
Required: false
replicas.cpuThresholdPercentage
Deprecated: Use spec.scalingStrategy.cpu.thresholdPercentage instead.
Amount of CPU usage before the autoscaler kicks in.
If anything under ScalingStrategy is set, that takes precedence.
Deprecated
This feature is deprecated, preserved only for backwards compatibility.
Type: integer
Required: false
replicas.disableAutoScaling
Disable autoscaling.
Type: boolean
Required: false
Default value: false
replicas.max
The pod autoscaler will increase replicas when required up to the maximum.
Type: integer
Required: false
Default value: 4
replicas.min
The minimum amount of running replicas for a deployment.
Type: integer
Required: false
Default value: 2
replicas.scalingStrategy
ScalingStrategy configures how automatic scaling is performed.
Type: object
Required: false
replicas.scalingStrategy.cpu
Configures HPA based on CPU usage.
Type: object
Required: false
replicas.scalingStrategy.cpu.thresholdPercentage
Amount of CPU usage before the autoscaler kicks in.
Type: integer
Required: false
replicas.scalingStrategy.kafka
Configures HPA based on Kafka lag.
Type: object
Required: false
replicas.scalingStrategy.kafka.consumerGroup
ConsumerGroup your application uses when consuming.
Type: string
Required: true
replicas.scalingStrategy.kafka.threshold
Threshold is the amount of lag allowed before the application should scale up.
Type: integer
Required: true
replicas.scalingStrategy.kafka.topic
Topic your application is consuming.
Type: string
Required: true
resources
When Containers have resource requests specified, the Kubernetes scheduler can make better decisions about which nodes to place pods on.
Type: object
Required: false
resources.limits
Limit defines the maximum amount of resources a container can use before getting evicted.
Type: object
Required: false
resources.limits.cpu
Type: string
Required: false
Pattern: ^\d+m?$
resources.limits.memory
Type: string
Required: false
Default value: 512Mi
Pattern: ^\d+[KMG]i$
resources.requests
Request defines the amount of resources a container is allocated on startup.
Type: object
Required: false
resources.requests.cpu
Type: string
Required: false
Default value: 200m
Pattern: ^\d+m?$
resources.requests.memory
Type: string
Required: false
Default value: 256Mi
Pattern: ^\d+[KMG]i$
secureLogs
Whether to enable a sidecar container for secure logging.
Type: object
Required: false
secureLogs.enabled
Whether to enable a sidecar container for secure logging. If enabled, a volume is mounted in the pods where secure logs can be saved.
Type: boolean
Required: true
Default value: false
service
Specify which port and protocol are used to connect to the application in the container. Defaults to HTTP on port 80.
Type: object
Required: false
service.port
Port for the default service. Default port is 80.
Type: integer
Required: true
Default value: 80
service.protocol
Which protocol the backend service runs on. Default is http.
Type: enum
Required: false
Default value: http
Allowed values: grpc, http, redis, tcp
skipCaBundle
Whether to skip injection of the NAV certificate authority bundle. Defaults to false.
Type: boolean
Required: false
startup
Kubernetes uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by Kubernetes before they are up and running.
Type: object
Required: false
startup.failureThreshold
When a Pod starts and the probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of a startup probe means restarting the Pod.
Type: integer
Required: false
startup.initialDelay
Number of seconds after the container has started before startup probes are initiated.
Type: integer
Required: false
startup.path
HTTP endpoint path that signals 200 OK if the application has started successfully.
Type: string
Required: true
startup.periodSeconds
How often (in seconds) to perform the probe.
Type: integer
Required: false
startup.port
Port for the startup probe.
Type: integer
Required: false
startup.timeout
Number of seconds after which the probe times out.
Type: integer
Required: false
strategy
Specifies the strategy used to replace old Pods with new ones.
Type: object
Required: false
strategy.rollingUpdate
Spec to control the desired behavior of a rolling update.
Type: object
Required: false
strategy.rollingUpdate.maxSurge
The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when the rolling update starts, such that the total number of old and new pods does not exceed 130% of desired pods. Once old pods have been killed, the new ReplicaSet can be scaled up further, ensuring that the total number of pods running at any time during the update is at most 130% of desired pods.
Type: integer or string
Required: false
strategy.rollingUpdate.maxUnavailable
The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, the old ReplicaSet can be scaled down further, followed by scaling up the new ReplicaSet, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.
Type: integer or string
Required: false
strategy.type
Specifies the strategy used to replace old Pods with new ones. RollingUpdate is the default value.
Type: enum
Required: false
Default value: RollingUpdate
Allowed values: Recreate, RollingUpdate
terminationGracePeriodSeconds
The grace period is the duration in seconds between the moment the processes running in the pod are sent a termination signal and the moment they are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. For most applications, the default is more than enough. Defaults to 30 seconds.
Type: integer
Required: false
Value range: 0-180
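Added example, not from this reference: the maxSurge and maxUnavailable arithmetic described above, carried out in Python for a given desired replica count. The rounding rules (up for maxSurge, down for maxUnavailable) and the both-cannot-be-0 rule come from the text; the fallback to one unavailable pod when a small replica count rounds both resolved values to zero mirrors what the Kubernetes deployment controller does and is not something this page states. Function names are illustrative.

```python
from typing import Union

IntOrPercent = Union[int, str]


def _is_literal_zero(value: IntOrPercent) -> bool:
    """True for the literal values the reference forbids in combination: 0, "0" or "0%"."""
    return int(str(value).rstrip("%")) == 0


def _pods_from(value: IntOrPercent, desired: int, round_up: bool) -> int:
    """Resolve an absolute count or a percentage string ("30%") to a pod count.

    Integer arithmetic is used deliberately: 10 * 0.3 is not exactly 3.0 in floating point.
    """
    if isinstance(value, str) and value.endswith("%"):
        percent = int(value[:-1])
        if round_up:
            return (desired * percent + 99) // 100
        return desired * percent // 100
    return int(value)


def rolling_update_bounds(desired: int, max_surge: IntOrPercent = "25%",
                          max_unavailable: IntOrPercent = "25%") -> dict:
    """Pod-count envelope of a rolling update: maxSurge rounds up, maxUnavailable rounds down."""
    if _is_literal_zero(max_surge) and _is_literal_zero(max_unavailable):
        raise ValueError("maxSurge and maxUnavailable cannot both be 0")
    surge = _pods_from(max_surge, desired, round_up=True)
    unavailable = _pods_from(max_unavailable, desired, round_up=False)
    if surge == 0 and unavailable == 0:
        # A small replica count can round a non-zero percentage down to 0. The Kubernetes
        # deployment controller then allows one unavailable pod so the rollout can proceed
        # (controller behaviour, not stated in this reference).
        unavailable = 1
    return {
        "maxSurge": surge,
        "maxUnavailable": unavailable,
        "maxTotalPods": desired + surge,            # old + new pods never exceed this
        "minAvailablePods": desired - unavailable,  # at least this many stay available
    }
```

With the default replicas.min of 2, a percentage maxUnavailable rounds down to 0, so an update with maxSurge 0 would stall; the computed envelope makes that visible before the manifest is applied.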
tokenx
Provisions and configures a TokenX client for your application.
Type: object
Required: false
tokenx.enabled
If enabled, will provision and configure a TokenX client and inject an accompanying secret.
Type: boolean
Required: true
Default value: false
tokenx.mountSecretsAsFilesOnly
If enabled, secrets for TokenX will be mounted as files only, i.e. not as environment variables.
Type: boolean
Required: false
ttl
After the specified TTL, the application will be deleted.
Type: string
Required: false
vault
Provides secrets management, identity-based access and encryption of application data, with auditing of secret access for applications, systems and users.
Type: object
Required: false
Availability: on-premises
vault.enabled
If set to true, fetch secrets from Vault and inject them into the pods.
Type: boolean
Required: false
vault.paths
List of secret paths to be read from Vault and injected into the pod's filesystem.
Overriding the paths array is optional, and gives you fine-grained control over which Vault paths are mounted on the file system.
By default, the list contains an entry with
kvPath: /kv/<environment>/<zone>/<application>/<namespace>
mountPath: /var/run/secrets/nais.io/vault
that will always be attempted to be mounted.
Type: array
Required: false
vault.paths[].format
Format of the secret that should be processed.
Type: enum
Required: false
Allowed values: (empty string), env, flatten, json, properties, yaml
vault.paths[].kvPath
Path in the Vault key/value store that should be mounted into the file system.
Type: string
Required: true
vault.paths[].mountPath
File system path that the secret will be mounted into.
Type: string
Required: true
webproxy
Inject on-premises web proxy configuration into the application pod.
Most Linux applications should auto-detect these settings from the $HTTP_PROXY, $HTTPS_PROXY and $NO_PROXY environment variables (and their lowercase counterparts).
Java applications can start the JVM using parameters from the $JAVA_PROXY_OPTIONS environment variable.
Type: boolean
Required: false
Availability: on-premises
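Added example, not from this reference: how a Python application picks up the variables that webproxy injects, using the standard library's own environment-based proxy detection (urllib.request.getproxies_environment and proxy_bypass_environment). The proxy host and the NO_PROXY entries are constructed placeholders, not NAV's proxy configuration; the environment is patched only for the duration of the call and then restored.

```python
import os
import urllib.parse
import urllib.request
from typing import Dict, Optional

# Constructed stand-ins for the variables the webproxy feature injects. The host names are
# placeholders, not NAV's proxy. Lowercase variants are set too, since the reference says
# applications may read either form.
CONSTRUCTED_PROXY_ENV: Dict[str, str] = {
    "HTTP_PROXY": "http://webproxy.example.invalid:8088",
    "HTTPS_PROXY": "http://webproxy.example.invalid:8088",
    "NO_PROXY": "localhost,127.0.0.1,.svc.cluster.local,.intern.example.invalid",
}
CONSTRUCTED_PROXY_ENV.update({k.lower(): v for k, v in list(CONSTRUCTED_PROXY_ENV.items())})


def proxy_for(url: str, env: Dict[str, str] = CONSTRUCTED_PROXY_ENV) -> Optional[str]:
    """Proxy URL urllib would route `url` through under `env`, or None when NO_PROXY bypasses it."""
    saved = {name: os.environ.get(name) for name in env}
    os.environ.update(env)
    try:
        proxies = urllib.request.getproxies_environment()  # reads the *_proxy variables
        parts = urllib.parse.urlsplit(url)
        host = parts.hostname or ""
        if urllib.request.proxy_bypass_environment(host, proxies):
            return None
        return proxies.get(parts.scheme)
    finally:
        # Restore the process environment exactly as it was.
        for name, value in saved.items():
            if value is None:
                os.environ.pop(name, None)
            else:
                os.environ[name] = value
```

The NO_PROXY list is the part worth checking: in-cluster calls to other applications (the .svc.cluster.local suffix) and loopback must bypass the proxy, while external hosts go through it. A suffix entry is matched on a dot boundary, so ".intern.example.invalid" bypasses db.intern.example.invalid but not api.partner.example.invalid.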