Skip to content

NAIS Job referenceΒΆ

This document describes all possible configuration values in the Naisjob spec.

accessPolicyΒΆ

By default, no traffic is allowed between naisjobs inside the cluster. Configure access policies to explicitly allow communication between naisjobs. This is also used for granting inbound access in the context of Azure AD and TokenX clients.

Relevant information:

Type: object
Required: false

Example
spec:
  accessPolicy:
    inbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
        - application: app4
          permissions:
            scopes:
              - custom-scope
        - application: app5
          permissions:
            roles:
              - custom-role
        - application: app6
          permissions:
            roles:
              - custom-role
            scopes:
              - custom-scope
    outbound:
      external:
        - host: external-application.example.com
        - host: non-http-service.example.com
          ports:
            - port: 9200
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3

accessPolicy.inboundΒΆ

Configures inbound access for your application.

Type: object
Required: false

Example
spec:
  accessPolicy:
    inbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
        - application: app4
          permissions:
            scopes:
              - custom-scope
        - application: app5
          permissions:
            roles:
              - custom-role
        - application: app6
          permissions:
            roles:
              - custom-role
            scopes:
              - custom-scope

accessPolicy.inbound.rulesΒΆ

List of NAIS applications that may access your application. These settings apply both to Zero Trust network connectivity and token validity for Azure AD and TokenX tokens.

Type: array
Required: true

Example
spec:
  accessPolicy:
    inbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
        - application: app4
          permissions:
            scopes:
              - custom-scope
        - application: app5
          permissions:
            roles:
              - custom-role
        - application: app6
          permissions:
            roles:
              - custom-role
            scopes:
              - custom-scope
accessPolicy.inbound.rules[].applicationΒΆ

The application's name.

Type: string
Required: true

Example
spec:
  accessPolicy:
    inbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
        - application: app4
          permissions:
            scopes:
              - custom-scope
        - application: app5
          permissions:
            roles:
              - custom-role
        - application: app6
          permissions:
            roles:
              - custom-role
            scopes:
              - custom-scope
accessPolicy.inbound.rules[].clusterΒΆ

The application's cluster. May be omitted if it should be in the same cluster as your application.

Type: string
Required: false

Example
spec:
  accessPolicy:
    inbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
        - application: app4
          permissions:
            scopes:
              - custom-scope
        - application: app5
          permissions:
            roles:
              - custom-role
        - application: app6
          permissions:
            roles:
              - custom-role
            scopes:
              - custom-scope
accessPolicy.inbound.rules[].namespaceΒΆ

The application's namespace. May be omitted if it should be in the same namespace as your application.

Type: string
Required: false

Example
spec:
  accessPolicy:
    inbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
        - application: app4
          permissions:
            scopes:
              - custom-scope
        - application: app5
          permissions:
            roles:
              - custom-role
        - application: app6
          permissions:
            roles:
              - custom-role
            scopes:
              - custom-scope
accessPolicy.inbound.rules[].permissionsΒΆ

Permissions contains a set of permissions that are granted to the given application. Currently only applicable for Azure AD clients.

Relevant information:

Type: object
Required: false

Example
spec:
  accessPolicy:
    inbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
        - application: app4
          permissions:
            scopes:
              - custom-scope
        - application: app5
          permissions:
            roles:
              - custom-role
        - application: app6
          permissions:
            roles:
              - custom-role
            scopes:
              - custom-scope
accessPolicy.inbound.rules[].permissions.rolesΒΆ

Roles is a set of custom permission roles that are granted to a given application.

Relevant information:

Type: array
Required: false

Example
spec:
  accessPolicy:
    inbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
        - application: app4
          permissions:
            scopes:
              - custom-scope
        - application: app5
          permissions:
            roles:
              - custom-role
        - application: app6
          permissions:
            roles:
              - custom-role
            scopes:
              - custom-scope
accessPolicy.inbound.rules[].permissions.scopesΒΆ

Scopes is a set of custom permission scopes that are granted to a given application.

Relevant information:

Type: array
Required: false

Example
spec:
  accessPolicy:
    inbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
        - application: app4
          permissions:
            scopes:
              - custom-scope
        - application: app5
          permissions:
            roles:
              - custom-role
        - application: app6
          permissions:
            roles:
              - custom-role
            scopes:
              - custom-scope

accessPolicy.outboundΒΆ

Configures outbound access for your application.

Type: object
Required: false

Example
spec:
  accessPolicy:
    outbound:
      external:
        - host: external-application.example.com
        - host: non-http-service.example.com
          ports:
            - port: 9200
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3

accessPolicy.outbound.externalΒΆ

List of external resources that your applications should be able to reach.

Type: array
Required: false
Availability: GCP

Example
spec:
  accessPolicy:
    outbound:
      external:
        - host: external-application.example.com
        - host: non-http-service.example.com
          ports:
            - port: 9200
accessPolicy.outbound.external[].hostΒΆ

The host that your application should be able to reach, i.e. without the protocol (e.g. https://). "Host" and "IPv4" are mutually exclusive

Type: string
Required: false
Pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$

Example
spec:
  accessPolicy:
    outbound:
      external:
        - host: external-application.example.com
        - host: non-http-service.example.com
          ports:
            - port: 9200
accessPolicy.outbound.external[].ipv4ΒΆ

The IPv4 address that your application should be able to reach. "IPv4" and "Host" are mutually exclusive

Type: string
Required: false
Pattern: ^(([0-9])|([1-9][0-9])|(1([0-9]{2}))|(2[0-4][0-9])|(25[0-5]))((\.(([0-9])|([1-9][0-9])|(1([0-9]{2}))|(2[0-4][0-9])|(25[0-5]))){3})$

Example
spec:
  accessPolicy:
    outbound:
      external:
        - host: external-application.example.com
        - host: non-http-service.example.com
          ports:
            - port: 9200
accessPolicy.outbound.external[].portsΒΆ

List of port rules for external communication. Must be specified if using protocols other than HTTPS.

Type: array
Required: false

Example
spec:
  accessPolicy:
    outbound:
      external:
        - host: external-application.example.com
        - host: non-http-service.example.com
          ports:
            - port: 9200
accessPolicy.outbound.external[].ports[].portΒΆ

The port used for communication.

Type: integer
Required: true

Example
spec:
  accessPolicy:
    outbound:
      external:
        - host: external-application.example.com
        - host: non-http-service.example.com
          ports:
            - port: 9200

accessPolicy.outbound.rulesΒΆ

List of NAIS applications that your application needs to access. These settings apply to Zero Trust network connectivity.

Type: array
Required: false

Example
spec:
  accessPolicy:
    outbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
accessPolicy.outbound.rules[].applicationΒΆ

The application's name.

Type: string
Required: true

Example
spec:
  accessPolicy:
    outbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
accessPolicy.outbound.rules[].clusterΒΆ

The application's cluster. May be omitted if it should be in the same cluster as your application.

Type: string
Required: false

Example
spec:
  accessPolicy:
    outbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3
accessPolicy.outbound.rules[].namespaceΒΆ

The application's namespace. May be omitted if it should be in the same namespace as your application.

Type: string
Required: false

Example
spec:
  accessPolicy:
    outbound:
      rules:
        - application: app1
        - application: app2
          namespace: q1
        - application: app3
          cluster: dev-gcp
          namespace: q2
        - application: '*'
          namespace: q3

activeDeadlineSecondsΒΆ

Once a Naisjob reaches activeDeadlineSeconds, all of its running Pods are terminated and the Naisjob status will become type: Failed with reason: DeadlineExceeded. If set, this takes presedence over BackoffLimit.

Type: integer
Required: false

Example
spec:
  activeDeadlineSeconds: 60

azureΒΆ

Provisions and configures Azure resources.

Type: object
Required: false

Example
spec:
  azure:
    application:
      allowAllUsers: true
      claims:
        groups:
          - id: 00000000-0000-0000-0000-000000000000
      enabled: true

azure.applicationΒΆ

Configures an Entra ID client for this application.

Relevant information:

Type: object
Required: true

Example
spec:
  azure:
    application:
      allowAllUsers: true
      claims:
        groups:
          - id: 00000000-0000-0000-0000-000000000000
      enabled: true

azure.application.allowAllUsersΒΆ

AllowAllUsers grants all users within the tenant access to this application.

Relevant information:

Type: boolean
Required: false
Default value: false

Example
spec:
  azure:
    application:
      allowAllUsers: true

azure.application.claimsΒΆ

Claims defines additional configuration of the emitted claims in tokens returned to the Azure AD application.

Type: object
Required: false

Example
spec:
  azure:
    application:
      claims:
        groups:
          - id: 00000000-0000-0000-0000-000000000000
azure.application.claims.groupsΒΆ

Groups is a list of Azure AD group IDs to be emitted in the groups claim in tokens issued by Azure AD. This also assigns groups to the application for access control. Only direct members of the groups are granted access.

Relevant information:

Type: array
Required: false

Example
spec:
  azure:
    application:
      claims:
        groups:
          - id: 00000000-0000-0000-0000-000000000000
azure.application.claims.groups[].idΒΆ

ID is the actual object ID associated with the given group in Azure AD.

Type: string
Required: false

Example
spec:
  azure:
    application:
      claims:
        groups:
          - id: 00000000-0000-0000-0000-000000000000

azure.application.enabledΒΆ

If enabled, provisions an Entra ID application.

Type: boolean
Required: true
Default value: false

Example
spec:
  azure:
    application:
      enabled: true

azure.application.tenantΒΆ

Tenant targets a specific tenant for the Entra ID application. Only works in the development clusters. Only use this if you have a specific reason to do so. Using this will isolate your application from all other applications that are not using the same tenant.

Relevant information:

Type: enum
Required: false
Allowed values: nav.no, trygdeetaten.no

backoffLimitΒΆ

Specify the number of retries before considering a Naisjob as failed

Type: integer
Required: false
Default value: 6

Example
spec:
  backoffLimit: 5

commandΒΆ

Override command when starting Docker image.

Type: array
Required: false

Example
spec:
  command:
    - /app/myapplication
    - --param
    - value
    - --other-param
    - other-value

completionsΒΆ

A Job tracks the successful completions. When a specified number of successful completions is reached, the task (ie, Job) is complete.

Relevant information:

Type: integer
Required: false
Default value: 1

Example
spec:
  completions: 1

concurrencyPolicyΒΆ

Specifies how to treat concurrent executions of a job that is created by this Naisjob-cron.

Relevant information:

Type: enum
Required: false
Default value: Allow
Allowed values: Allow, Forbid, Replace

Example
spec:
  concurrencyPolicy: Allow

envΒΆ

Custom environment variables injected into your container. Specify either value or valueFrom, but not both.

Type: array
Required: false

Example
spec:
  env:
    - name: MY_CUSTOM_VAR
      value: some_value
    - name: MY_APPLICATION_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name

env[].nameΒΆ

Environment variable name. May only contain letters, digits, and the underscore _ character.

Type: string
Required: true

Example
spec:
  env:
    - name: MY_CUSTOM_VAR
      value: some_value
    - name: MY_APPLICATION_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name

env[].valueΒΆ

Environment variable value. Numbers and boolean values must be quoted. Required unless valueFrom is specified.

Type: string
Required: false

Example
spec:
  env:
    - name: MY_CUSTOM_VAR
      value: some_value
    - name: MY_APPLICATION_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name

env[].valueFromΒΆ

Dynamically set environment variables based on fields found in the Pod spec.

Relevant information:

Type: object
Required: false

Example
spec:
  env:
    - name: MY_CUSTOM_VAR
      value: some_value
    - name: MY_APPLICATION_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name

env[].valueFrom.fieldRefΒΆ

Type: object
Required: true

Example
spec:
  env:
    - name: MY_CUSTOM_VAR
      value: some_value
    - name: MY_APPLICATION_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
env[].valueFrom.fieldRef.fieldPathΒΆ

Field value from the Pod spec that should be copied into the environment variable.

Type: enum
Required: true
Allowed values: (empty string), metadata.annotations, metadata.labels, metadata.name, metadata.namespace, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP

Example
spec:
  env:
    - name: MY_CUSTOM_VAR
      value: some_value
    - name: MY_APPLICATION_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name

envFromΒΆ

EnvFrom exposes all variables in the ConfigMap or Secret resources as environment variables. One of configMap or secret is required.

Environment variables will take the form KEY=VALUE, where key is the ConfigMap or Secret key. You can specify as many keys as you like in a single ConfigMap or Secret.

The ConfigMap and Secret resources must live in the same Kubernetes namespace as the Naisjob resource.

Type: array
Required: false
Availability: team namespaces

Example
spec:
  envFrom:
    - secret: my-secret-with-envs
    - configmap: my-configmap-with-envs

envFrom[].configmapΒΆ

Name of the ConfigMap where environment variables are specified. Required unless secret is set.

Type: string
Required: false

Example
spec:
  envFrom:
    - secret: my-secret-with-envs
    - configmap: my-configmap-with-envs

envFrom[].secretΒΆ

Name of the Secret where environment variables are specified. Required unless configMap is set.

Type: string
Required: false

Example
spec:
  envFrom:
    - secret: my-secret-with-envs
    - configmap: my-configmap-with-envs

failedJobsHistoryLimitΒΆ

Specify how many failed Jobs should be kept.

Type: integer
Required: false
Default value: 1

Example
spec:
  failedJobsHistoryLimit: 2

filesFromΒΆ

List of ConfigMap or Secret resources that will have their contents mounted into the containers as files. Either configMap or secret is required.

Files will take the path <mountPath>/<key>, where key is the ConfigMap or Secret key. You can specify as many keys as you like in a single ConfigMap or Secret, and they will all be mounted to the same directory.

The ConfigMap and Secret resources must live in the same Kubernetes namespace as the Naisjob resource.

Type: array
Required: false
Availability: team namespaces

Example
spec:
  filesFrom:
    - configmap: example-files-configmap
      mountPath: /var/run/configmaps
    - mountPath: /var/run/secrets
      secret: my-secret-file
    - emptyDir:
        medium: Memory
      mountPath: /var/cache
    - mountPath: /var/run/pvc
      persistentVolumeClaim: pvc-name

filesFrom[].configmapΒΆ

Name of the ConfigMap that contains files that should be mounted into the container. Required unless secret or persistentVolumeClaim is set.

Type: string
Required: false

Example
spec:
  filesFrom:
    - configmap: example-files-configmap
      mountPath: /var/run/configmaps
    - mountPath: /var/run/secrets
      secret: my-secret-file
    - emptyDir:
        medium: Memory
      mountPath: /var/cache
    - mountPath: /var/run/pvc
      persistentVolumeClaim: pvc-name

filesFrom[].emptyDirΒΆ

Specification of an empty directory

Type: object
Required: false

Example
spec:
  filesFrom:
    - configmap: example-files-configmap
      mountPath: /var/run/configmaps
    - mountPath: /var/run/secrets
      secret: my-secret-file
    - emptyDir:
        medium: Memory
      mountPath: /var/cache
    - mountPath: /var/run/pvc
      persistentVolumeClaim: pvc-name

filesFrom[].emptyDir.mediumΒΆ

Type: enum
Required: false
Allowed values: Disk, Memory

Example
spec:
  filesFrom:
    - configmap: example-files-configmap
      mountPath: /var/run/configmaps
    - mountPath: /var/run/secrets
      secret: my-secret-file
    - emptyDir:
        medium: Memory
      mountPath: /var/cache
    - mountPath: /var/run/pvc
      persistentVolumeClaim: pvc-name

filesFrom[].mountPathΒΆ

Filesystem path inside the pod where files are mounted. The directory will be created if it does not exist. If the directory exists, any files in the directory will be made unaccessible.

Defaults to /var/run/configmaps/<NAME>, /var/run/secrets, or /var/run/pvc/<NAME>, depending on which of them is specified. For EmptyDir, MountPath must be set.

Type: string
Required: false

Example
spec:
  filesFrom:
    - configmap: example-files-configmap
      mountPath: /var/run/configmaps
    - mountPath: /var/run/secrets
      secret: my-secret-file
    - emptyDir:
        medium: Memory
      mountPath: /var/cache
    - mountPath: /var/run/pvc
      persistentVolumeClaim: pvc-name

filesFrom[].persistentVolumeClaimΒΆ

Name of the PersistentVolumeClaim that should be mounted into the container. Required unless configMap or secret is set. This feature requires coordination with the NAIS team.

Type: string
Required: false

Example
spec:
  filesFrom:
    - configmap: example-files-configmap
      mountPath: /var/run/configmaps
    - mountPath: /var/run/secrets
      secret: my-secret-file
    - emptyDir:
        medium: Memory
      mountPath: /var/cache
    - mountPath: /var/run/pvc
      persistentVolumeClaim: pvc-name

filesFrom[].secretΒΆ

Name of the Secret that contains files that should be mounted into the container. Required unless configMap or persistentVolumeClaim is set. If mounting multiple secrets, mountPath MUST be set to avoid collisions.

Type: string
Required: false

Example
spec:
  filesFrom:
    - configmap: example-files-configmap
      mountPath: /var/run/configmaps
    - mountPath: /var/run/secrets
      secret: my-secret-file
    - emptyDir:
        medium: Memory
      mountPath: /var/cache
    - mountPath: /var/run/pvc
      persistentVolumeClaim: pvc-name

gcpΒΆ

Type: object
Required: false
Availability: GCP

Example
spec:
  gcp:
    bigQueryDatasets:
      - cascadingDelete: true
        description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset1
        permission: READWRITE
      - description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset2
        permission: READ
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true
    permissions:
      - resource:
          apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
          kind: Project
          name: myteam-dev-ab23
        role: roles/cloudsql.client
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.bigQueryDatasetsΒΆ

Provision BigQuery datasets and give your application's pod mountable secrets for connecting to each dataset. Datasets are immutable and cannot be changed.

Relevant information:

Type: array
Required: false
Availability: GCP

Example
spec:
  gcp:
    bigQueryDatasets:
      - cascadingDelete: true
        description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset1
        permission: READWRITE
      - description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset2
        permission: READ

gcp.bigQueryDatasets[].cascadingDeleteΒΆ

When set to true will delete the dataset, when the application resource is deleted. NB: If no tables exist in the bigquery dataset, it will delete the dataset even if this value is set/defaulted to false. Default value is false.

Type: boolean
Required: false
Immutable: true

Example
spec:
  gcp:
    bigQueryDatasets:
      - cascadingDelete: true
        description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset1
        permission: READWRITE
      - description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset2
        permission: READ

gcp.bigQueryDatasets[].descriptionΒΆ

Human-readable description of what this BigQuery dataset contains, or is used for. Will be visible in the GCP Console.

Type: string
Required: false
Immutable: true

Example
spec:
  gcp:
    bigQueryDatasets:
      - cascadingDelete: true
        description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset1
        permission: READWRITE
      - description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset2
        permission: READ

gcp.bigQueryDatasets[].nameΒΆ

Name of the BigQuery Dataset. The canonical name of the dataset will be <TEAM_PROJECT_ID>:<NAME>.

Type: string
Required: true
Immutable: true
Pattern: ^[a-z0-9][a-z0-9_]+$

Example
spec:
  gcp:
    bigQueryDatasets:
      - cascadingDelete: true
        description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset1
        permission: READWRITE
      - description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset2
        permission: READ

gcp.bigQueryDatasets[].permissionΒΆ

Permission level given to application.

Type: enum
Required: true
Immutable: true
Allowed values: READ, READWRITE

Example
spec:
  gcp:
    bigQueryDatasets:
      - cascadingDelete: true
        description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset1
        permission: READWRITE
      - description: Contains big data, supporting big queries, for use in big ideas.
        name: my_bigquery_dataset2
        permission: READ

gcp.bucketsΒΆ

Provision cloud storage buckets and connect them to your application.

Relevant information:

Type: array
Required: false
Availability: GCP

Example
spec:
  gcp:
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true

gcp.buckets[].cascadingDeleteΒΆ

Allows deletion of bucket. Set to true if you want to delete the bucket.

Type: boolean
Required: false

Example
spec:
  gcp:
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true

gcp.buckets[].lifecycleConditionΒΆ

Conditions for the bucket to use when selecting objects to delete in cleanup.

Relevant information:

Type: object
Required: false

Example
spec:
  gcp:
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true
gcp.buckets[].lifecycleCondition.ageΒΆ

Condition is satisfied when the object reaches the specified age in days. These will be deleted.

Type: integer
Required: false

Example
spec:
  gcp:
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true
gcp.buckets[].lifecycleCondition.createdBeforeΒΆ

Condition is satisfied when the object is created before midnight on the specified date. These will be deleted.

Type: string
Required: false

Example
spec:
  gcp:
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true
gcp.buckets[].lifecycleCondition.numNewerVersionsΒΆ

Condition is satisfied when the object has the specified number of newer versions. The older versions will be deleted.

Type: integer
Required: false

Example
spec:
  gcp:
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true
gcp.buckets[].lifecycleCondition.withStateΒΆ

Condition is satisfied when the object has the specified state.

Type: enum
Required: false
Allowed values: (empty string), ANY, ARCHIVED, LIVE

Example
spec:
  gcp:
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true

gcp.buckets[].nameΒΆ

The name of the bucket

Type: string
Required: true

Example
spec:
  gcp:
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true

gcp.buckets[].publicAccessPreventionΒΆ

Public access prevention allows you to prevent public access to your bucket.

Relevant information:

Type: boolean
Required: false
Default value: false

Example
spec:
  gcp:
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true

gcp.buckets[].retentionPeriodDaysΒΆ

The number of days to hold objects in the bucket before it is allowed to delete them.

Type: integer
Required: false
Value range: 1-36500

Example
spec:
  gcp:
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true

gcp.buckets[].uniformBucketLevelAccessΒΆ

Allows you to uniformly control access to your Cloud Storage resources. When you enable uniform bucket-level access on a bucket, Access Control Lists (ACLs) are disabled, and only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects it contains.

Uniform access control can not be reversed after 90 days! This is controlled by Google.

Relevant information:

Type: boolean
Required: false
Default value: false

Example
spec:
  gcp:
    buckets:
      - cascadingDelete: true
        lifecycleCondition:
          age: 10
          createdBefore: "2020-01-01"
          numNewerVersions: 2
          withState: ARCHIVED
        name: my-cloud-storage-bucket
        publicAccessPrevention: true
        retentionPeriodDays: 30
        uniformBucketLevelAccess: true

gcp.permissionsΒΆ

List of additional permissions that should be granted to your application for accessing external GCP resources that have not been provisioned through NAIS.

Type: array
Required: false
Availability: GCP

Example
spec:
  gcp:
    permissions:
      - resource:
          apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
          kind: Project
          name: myteam-dev-ab23
        role: roles/cloudsql.client

gcp.permissions[].resourceΒΆ

IAM resource to bind the role to.

Type: object
Required: true

Example
spec:
  gcp:
    permissions:
      - resource:
          apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
          kind: Project
          name: myteam-dev-ab23
        role: roles/cloudsql.client
gcp.permissions[].resource.apiVersionΒΆ

Kubernetes APIVersion.

Type: string
Required: true

Example
spec:
  gcp:
    permissions:
      - resource:
          apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
          kind: Project
          name: myteam-dev-ab23
        role: roles/cloudsql.client
gcp.permissions[].resource.kindΒΆ

Kubernetes Kind.

Type: string
Required: true

Example
spec:
  gcp:
    permissions:
      - resource:
          apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
          kind: Project
          name: myteam-dev-ab23
        role: roles/cloudsql.client
gcp.permissions[].resource.nameΒΆ

Kubernetes Name.

Type: string
Required: false

Example
spec:
  gcp:
    permissions:
      - resource:
          apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
          kind: Project
          name: myteam-dev-ab23
        role: roles/cloudsql.client

gcp.permissions[].roleΒΆ

Name of the GCP role to bind the resource to.

Type: string
Required: true

Example
spec:
  gcp:
    permissions:
      - resource:
          apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
          kind: Project
          name: myteam-dev-ab23
        role: roles/cloudsql.client

gcp.sqlInstancesΒΆ

Provision database instances and connect them to your application. Only one item allowed in the list.

Relevant information:

Type: array
Required: false
Availability: GCP

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].autoBackupHourΒΆ

If specified, run automatic backups of the SQL database at the given hour. Note that this will backup the whole SQL instance, and not separate databases. Restores are done using the Google Cloud Console.

Type: integer
Required: false
Value range: 0-23

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].cascadingDeleteΒΆ

Remove the entire Postgres server including all data when the Kubernetes resource is deleted. THIS IS A DESTRUCTIVE OPERATION! Set cascading delete only when you want to remove data forever.

Type: boolean
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].collationΒΆ

Sort order for ORDER BY ... clauses.

Type: string
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].databasesΒΆ

List of one database or less(!) that should be created on this Postgres server. If not present, a default database with the same name as the application will be created.

Type: array
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12
gcp.sqlInstances[].databases[].envVarPrefixΒΆ

Prefix to add to environment variables made available for database connection. If switching to EnvVarPrefix you need to reset database credentials.

Type: string
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12
gcp.sqlInstances[].databases[].nameΒΆ

Database name. Be aware that only one database with this name is allowed in a namespace, regardless of which SQLInstance it belongs to

Type: string
Required: true

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12
gcp.sqlInstances[].databases[].usersΒΆ

Add extra users for database access. These users need to be manually given access to database tables.

Type: array
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12
gcp.sqlInstances[].databases[].users[].nameΒΆ

User name.

Type: string
Required: true
Pattern: ^[_a-zA-Z][-_a-zA-Z0-9]+$

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].diskAutoresizeΒΆ

When set to true, GCP will automatically increase storage by XXX for the database when disk usage is above the high water mark. Setting this field to true also disables manual control over disk size, i.e. the diskSize parameter will be ignored.

Relevant information:

Type: boolean
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].diskAutoresizeLimitΒΆ

The maximum size, in GB, to which storage capacity can be automatically increased. The default value is 0, which specifies that there is no limit.

Type: integer
Required: false
Default value: 0
Value range: 0-1000

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].diskSizeΒΆ

How much hard drive space to allocate for the SQL server, in gigabytes. This parameter is used when first provisioning a server. Disk size can be changed using this field only when diskAutoresize is set to false.

Type: integer
Required: false
Minimum value: 10

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].diskTypeΒΆ

Disk type to use for storage in the database.

Type: enum
Required: false
Allowed values: HDD, SSD

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].flagsΒΆ

Set flags to control the behavior of the instance. Be aware that NAIS does not validate these flags, so take extra care to make sure the values match against the specification, otherwise your deployment will seemingly work OK, but the database flags will not function as expected.

Experimental feature

This feature has not undergone much testing, and is subject to API change, instability, or removal.

Relevant information:

Type: array
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12
gcp.sqlInstances[].flags[].nameΒΆ

Name of the flag.

Type: string
Required: true

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12
gcp.sqlInstances[].flags[].valueΒΆ

Value of the flag.

Type: string
Required: true

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].highAvailabilityΒΆ

When set to true this will set up standby database for failover.

Type: boolean
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].insightsΒΆ

Configures query insights which are now default for new sql instances.

Type: object
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12
gcp.sqlInstances[].insights.enabledΒΆ

True if Query Insights feature is enabled.

Type: boolean
Required: false
Default value: true

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12
gcp.sqlInstances[].insights.queryStringLengthΒΆ

Maximum query length stored in bytes. Between 256 and 4500. Default to 1024.

Type: integer
Required: false
Value range: 256-4500

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12
gcp.sqlInstances[].insights.recordApplicationTagsΒΆ

True if Query Insights will record application tags from query when enabled.

Type: boolean
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12
gcp.sqlInstances[].insights.recordClientAddressΒΆ

True if Query Insights will record client address when enabled.

Type: boolean
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].maintenanceΒΆ

Desired maintenance window for database updates.

Type: object
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12
gcp.sqlInstances[].maintenance.dayΒΆ

Type: integer
Required: false
Value range: 1-7

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12
gcp.sqlInstances[].maintenance.hourΒΆ

Type: integer
Required: false
Value range: 0-23

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].nameΒΆ

The name of the instance, if omitted the application name will be used.

Type: string
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].pointInTimeRecoveryΒΆ

Enables point-in-time recovery for sql instances using write-ahead logs.

Type: boolean
Required: false

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].retainedBackupsΒΆ

Number of daily backups to retain. Defaults to 7 backups. The number of retained backups must be greater or equal to TransactionLogRetentionDays.

Relevant information:

Type: integer
Required: false
Default value: 7
Value range: 1-365

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].tierΒΆ

Server tier, i.e. how much CPU and memory allocated. Available tiers are db-f1-micro, db-g1-small and custom db-custom-CPU-RAM. Custom instances must specify memory as a multiple of 256 MB and at least 3.75 GB (e.g. db-custom-1-3840 for 1 cpu, 3840 MB ram). The smallest possible instance is db-f1-micro, which is recommended only for development instances. For production workloads, please specify at least db-custom-1-3840.

Type: string
Required: true
Pattern: db-.+

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].transactionLogRetentionDaysΒΆ

The number of days of transaction logs gcp retains for point in time restores.

Relevant information:

Type: integer
Required: false
Default value: 7
Value range: 1-7

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

gcp.sqlInstances[].typeΒΆ

PostgreSQL version.

Relevant information:

Type: enum
Required: true
Allowed values: POSTGRES_11, POSTGRES_12, POSTGRES_13, POSTGRES_14, POSTGRES_15, POSTGRES_16

Example
spec:
  gcp:
    sqlInstances:
      - autoBackupHour: 1
        cascadingDelete: true
        collation: nb_NO.UTF8
        databases:
          - envVarPrefix: DB
            name: mydatabase
            users:
              - name: extra_user
        diskAutoresize: true
        diskAutoresizeLimit: 60
        diskSize: 30
        diskType: SSD
        flags:
          - name: max_connections
            value: "50"
        highAvailability: true
        insights:
          enabled: true
          queryStringLength: 4500
          recordApplicationTags: true
          recordClientAddress: true
        maintenance:
          day: 1
          hour: 4
        name: myinstance
        pointInTimeRecovery: true
        retainedBackups: 14
        tier: db-f1-micro
        transactionLogRetentionDays: 3
        type: POSTGRES_12

imageΒΆ

Your Naisjob's Docker image location and tag.

Type: string
Required: true

Example
spec:
  image: navikt/testapp:69.0.0

influxΒΆ

An Influxdb via Aiven. A typical use case is to store metrics from your application and visualize them in Grafana. See navikt/aiven-iac repository

Type: object
Required: false
Availability: GCP

Example
spec:
  influx:
    instance: influx-instance

influx.instanceΒΆ

Provisions an InfluxDB instance and configures your application to access it. Use the prefix: influx- + team that you specified in the navikt/aiven-iac repository.

Type: string
Required: true

Example
spec:
  influx:
    instance: influx-instance

kafkaΒΆ

Enable Aiven Kafka for your Naisjob.

Type: object
Required: false

Example
spec:
  kafka:
    pool: nav-dev
    streams: true

kafka.poolΒΆ

Configures your application to access an Aiven Kafka cluster.

Type: string
Required: true

Example
spec:
  kafka:
    pool: nav-dev

kafka.streamsΒΆ

Allow this app to use kafka streams

Relevant information:

Type: boolean
Required: false
Default value: false
Availability: GCP

Example
spec:
  kafka:
    streams: true

livenessΒΆ

Many Naisjobs running for long periods of time eventually transition to broken states, and cannot recover except by being restarted. Kubernetes provides liveness probes to detect and remedy such situations. Read more about this over at the Kubernetes probes documentation.

Type: object
Required: false

Example
spec:
  liveness:
    failureThreshold: 10
    initialDelay: 20
    path: /isalive
    periodSeconds: 5
    port: 8080
    timeout: 1

liveness.failureThresholdΒΆ

When a Pod starts, and the probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of a startup probe means restarting the Pod.

Type: integer
Required: false
Default value: 3

Example
spec:
  liveness:
    failureThreshold: 10

liveness.initialDelayΒΆ

Number of seconds after the container has started before startup probes are initiated.

Type: integer
Required: false

Example
spec:
  liveness:
    initialDelay: 20

liveness.pathΒΆ

HTTP endpoint path that signals 200 OK if the application has started successfully.

Type: string
Required: true

Example
spec:
  liveness:
    path: /isalive

liveness.periodSecondsΒΆ

How often (in seconds) to perform the probe.

Type: integer
Required: false
Default value: 10

Example
spec:
  liveness:
    periodSeconds: 5

liveness.portΒΆ

Port for the startup probe.

Type: integer
Required: false

Example
spec:
  liveness:
    port: 8080

liveness.timeoutΒΆ

Number of seconds after which the probe times out.

Type: integer
Required: false
Default value: 1

Example
spec:
  liveness:
    timeout: 1

logformatΒΆ

Format of the logs from the container. Use this if the container doesn't support JSON logging and the log is in a special format that need to be parsed.

Type: enum
Required: false
Allowed values: (empty string), accesslog, accesslog_with_processing_time, accesslog_with_referer_useragent, capnslog, glog, gokit, influxdb, log15, logrus, redis, simple

Example
spec:
  logformat: accesslog_with_referer_useragent

logtransformΒΆ

Extra filters for modifying log content. This can e.g. be used for setting loglevel based on http status code.

Type: enum
Required: false
Allowed values: dns_loglevel, http_loglevel

Example
spec:
  logtransform: http_loglevel

maskinportenΒΆ

Configures a Maskinporten client for this Naisjob. See Maskinporten for more details.

Type: object
Required: false

Example
spec:
  maskinporten:
    enabled: true
    scopes:
      consumes:
        - name: skatt:scope.read
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'

maskinporten.enabledΒΆ

If enabled, provisions and configures a Maskinporten client with consumed scopes and/or Exposed scopes with DigDir.

Type: boolean
Required: true
Default value: false
Availability: team namespaces

Example
spec:
  maskinporten:
    enabled: true

maskinporten.scopesΒΆ

Schema to configure Maskinporten clients with consumed scopes and/or exposed scopes.

Type: object
Required: false

Example
spec:
  maskinporten:
    scopes:
      consumes:
        - name: skatt:scope.read
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'

maskinporten.scopes.consumesΒΆ

This is the Schema for the consumes and exposes API. consumes is a list of scopes that your client can request access to.

Type: array
Required: false

Example
spec:
  maskinporten:
    scopes:
      consumes:
        - name: skatt:scope.read
maskinporten.scopes.consumes[].nameΒΆ

The scope consumed by the application to gain access to an external organization API. Ensure that the NAV organization has been granted access to the scope prior to requesting access.

Relevant information:

Type: string
Required: true

Example
spec:
  maskinporten:
    scopes:
      consumes:
        - name: skatt:scope.read

maskinporten.scopes.exposesΒΆ

exposes is a list of scopes your application want to expose to other organization where access to the scope is based on organization number.

Type: array
Required: false

Example
spec:
  maskinporten:
    scopes:
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'
maskinporten.scopes.exposes[].accessibleForAllΒΆ

Allow any organization to access the scope.

Type: boolean
Required: false
Default value: false

Example
spec:
  maskinporten:
    scopes:
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'
maskinporten.scopes.exposes[].allowedIntegrationsΒΆ

Whitelisting of integration's allowed. Default is maskinporten

Relevant information:

Type: array
Required: false
Default value: maskinporten

Example
spec:
  maskinporten:
    scopes:
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'
maskinporten.scopes.exposes[].atMaxAgeΒΆ

Max time in seconds for a issued access_token. Default is 30 sec.

Type: integer
Required: false
Default value: 30
Value range: 30-680

Example
spec:
  maskinporten:
    scopes:
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'
maskinporten.scopes.exposes[].consumersΒΆ

External consumers granted access to this scope and able to request access_token.

Type: array
Required: false

Example
spec:
  maskinporten:
    scopes:
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'
maskinporten.scopes.exposes[].consumers[].nameΒΆ

This is a describing field intended for clarity not used for any other purpose.

Type: string
Required: false

Example
spec:
  maskinporten:
    scopes:
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'
maskinporten.scopes.exposes[].consumers[].orgnoΒΆ

The external business/organization number.

Type: string
Required: true
Pattern: ^\d{9}$

Example
spec:
  maskinporten:
    scopes:
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'
maskinporten.scopes.exposes[].delegationSourceΒΆ

Delegation source for the scope. Default is empty, which means no delegation is allowed.

Relevant information:

Type: enum
Required: false
Allowed values: altinn

Example
spec:
  maskinporten:
    scopes:
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'
maskinporten.scopes.exposes[].enabledΒΆ

If Enabled the configured scope is available to be used and consumed by organizations granted access.

Type: boolean
Required: true

Example
spec:
  maskinporten:
    scopes:
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'
maskinporten.scopes.exposes[].nameΒΆ

The actual subscope combined with Product. Ensure that <Product><Name> matches Pattern.

Type: string
Required: true
Default value: false
Pattern: ^([a-zæøΓ₯0-9]+\/?)+(\:[a-zæøΓ₯0-9]+)*[a-zæøΓ₯0-9]+(\.[a-zæøΓ₯0-9]+)*$

Example
spec:
  maskinporten:
    scopes:
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'
maskinporten.scopes.exposes[].productΒΆ

The product-area your application belongs to e.g. arbeid, helse ... This will be included in the final scope nav:<Product><Name>.

Type: string
Required: true
Pattern: ^[a-z0-9]+$

Example
spec:
  maskinporten:
    scopes:
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'
maskinporten.scopes.exposes[].separatorΒΆ

Separator is the character that separates product and name in the final scope: scope := <prefix>:<product><separator><name> This overrides the default separator. The default separator is :. If name contains /, the default separator is instead /.

Type: string
Required: false
Pattern: ^[\/:]$

Example
spec:
  maskinporten:
    scopes:
      exposes:
        - accessibleForAll: true
          allowedIntegrations:
            - maskinporten
          atMaxAge: 30
          consumers:
            - name: KST
              orgno: "123456789"
          delegationSource: delegation-source
          enabled: true
          name: scope.read
          product: arbeid
          separator: ':'

observabilityΒΆ

Configuration options related to application observability.

Relevant information:

Type: object
Required: false

Example
spec:
  observability:
    autoInstrumentation:
      destinations:
        - id: my-destination
      enabled: true
      runtime: java
    logging:
      destinations:
        - id: my-destination
      enabled: true
    tracing:
      enabled: true

observability.autoInstrumentationΒΆ

Auto-instrumentiation for your application using OpenTelemetry for collecting telemetry data such as traces, metrics and logs.

Relevant information:

Type: object
Required: false

Example
spec:
  observability:
    autoInstrumentation:
      destinations:
        - id: my-destination
      enabled: true
      runtime: java

observability.autoInstrumentation.destinationsΒΆ

Destinations are where telemetry data should be stored.

Relevant information:

Type: array
Required: false

Example
spec:
  observability:
    autoInstrumentation:
      destinations:
        - id: my-destination
observability.autoInstrumentation.destinations[].idΒΆ

Destination ID.

Type: string
Required: true

Example
spec:
  observability:
    autoInstrumentation:
      destinations:
        - id: my-destination

observability.autoInstrumentation.enabledΒΆ

Enable automatic instrumentation of your application using OpenTelemetry Agent.

Type: boolean
Required: false

Example
spec:
  observability:
    autoInstrumentation:
      enabled: true

observability.autoInstrumentation.runtimeΒΆ

Application runtime. Supported runtimes are java, nodejs, python, sdk.

Type: enum
Required: false
Allowed values: java, nodejs, python, sdk

Example
spec:
  observability:
    autoInstrumentation:
      runtime: java

observability.loggingΒΆ

Configure logging for your application.

Relevant information:

Type: object
Required: false

Example
spec:
  observability:
    logging:
      destinations:
        - id: my-destination
      enabled: true

observability.logging.destinationsΒΆ

Log destinations for where to forward application logs for persistent storage. Leave empty to use default destinations.

Relevant information:

Type: array
Required: false

Example
spec:
  observability:
    logging:
      destinations:
        - id: my-destination
observability.logging.destinations[].idΒΆ

Type: string
Required: true

Example
spec:
  observability:
    logging:
      destinations:
        - id: my-destination

observability.logging.enabledΒΆ

Enable forwarding of application logs to persistent storage.

Type: boolean
Required: false
Default value: true

Example
spec:
  observability:
    logging:
      enabled: true

openSearchΒΆ

To get your own OpenSearch instance head over to the IaC-repo to provision each instance. See navikt/aiven-iac repository.

Type: object
Required: false

Example
spec:
  openSearch:
    access: readwrite
    instance: my-open-search-instance

openSearch.accessΒΆ

Access level for OpenSearch user

Type: enum
Required: false
Allowed values: admin, read, readwrite, write

Example
spec:
  openSearch:
    access: readwrite

openSearch.instanceΒΆ

Configure your application to access your OpenSearch instance. The last part of the name used when creating the instance (ie. opensearch-{team}-{instance})

Type: string
Required: true

Example
spec:
  openSearch:
    instance: my-open-search-instance

parallelismΒΆ

For running pods in parallel. If it is specified as 0, then the Job is effectively paused until it is increased.

Relevant information:

Type: integer
Required: false
Default value: 1

Example
spec:
  parallelism: 1

preStopHookΒΆ

PreStopHook is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits by itself. The reason for termination is passed to the handler.

Relevant information:

Type: object
Required: false

Example
spec:
  preStopHook:
    exec:
      command:
        - ./my
        - --shell
        - script
    http:
      path: /internal/stop
      port: 8080

preStopHook.execΒΆ

Command that should be run inside the main container just before the pod is shut down by Kubernetes.

Type: object
Required: false

Example
spec:
  preStopHook:
    exec:
      command:
        - ./my
        - --shell
        - script

preStopHook.exec.commandΒΆ

Command is the command line to execute inside the container before the pod is shut down. The command is not run inside a shell, so traditional shell instructions (pipes, redirects, etc.) won't work. To use a shell, you need to explicitly call out to that shell.

If the exit status is non-zero, the pod will still be shut down, and marked as Failed.

Type: array
Required: false

Example
spec:
  preStopHook:
    exec:
      command:
        - ./my
        - --shell
        - script

preStopHook.httpΒΆ

HTTP GET request that is called just before the pod is shut down by Kubernetes.

Type: object
Required: false

Example
spec:
  preStopHook:
    http:
      path: /internal/stop
      port: 8080

preStopHook.http.pathΒΆ

Path to access on the HTTP server.

Type: string
Required: true

Example
spec:
  preStopHook:
    http:
      path: /internal/stop

preStopHook.http.portΒΆ

Port to access on the container. Defaults to application port, as defined in .spec.port.

Type: integer
Required: false
Value range: 1-65535

Example
spec:
  preStopHook:
    http:
      port: 8080

readinessΒΆ

Sometimes, Naisjobs are temporarily unable to serve traffic. For example, an Naisjob might need to load large data or configuration files during startup, or depend on external services after startup. In such cases, you don't want to kill the Naisjob, but you don’t want to send it requests either. Kubernetes provides readiness probes to detect and mitigate these situations. A pod with containers reporting that they are not ready does not receive traffic through Kubernetes Services. Read more about this over at the Kubernetes readiness documentation.

Type: object
Required: false

Example
spec:
  readiness:
    failureThreshold: 10
    initialDelay: 20
    path: /isready
    periodSeconds: 5
    port: 8080
    timeout: 1

readiness.failureThresholdΒΆ

When a Pod starts, and the probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of a startup probe means restarting the Pod.

Type: integer
Required: false

Example
spec:
  readiness:
    failureThreshold: 10

readiness.initialDelayΒΆ

Number of seconds after the container has started before startup probes are initiated.

Type: integer
Required: false

Example
spec:
  readiness:
    initialDelay: 20

readiness.pathΒΆ

HTTP endpoint path that signals 200 OK if the application has started successfully.

Type: string
Required: true

Example
spec:
  readiness:
    path: /isready

readiness.periodSecondsΒΆ

How often (in seconds) to perform the probe.

Type: integer
Required: false

Example
spec:
  readiness:
    periodSeconds: 5

readiness.portΒΆ

Port for the startup probe.

Type: integer
Required: false

Example
spec:
  readiness:
    port: 8080

readiness.timeoutΒΆ

Number of seconds after which the probe times out.

Type: integer
Required: false

Example
spec:
  readiness:
    timeout: 1

redisΒΆ

List of redis instances this job needs credentials for. Must be owned by same team.

Relevant information:

Type: array
Required: false

redis[].accessΒΆ

Access level for redis user

Type: enum
Required: false
Allowed values: admin, read, readwrite, write

redis[].instanceΒΆ

The last part of the name used when creating the instance (ie. redis-{team}-{instance})

Type: string
Required: false

resourcesΒΆ

When Containers have resource requests specified, the Kubernetes scheduler can make better decisions about which nodes to place pods on.

Relevant information:

Type: object
Required: false

Example
spec:
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 200m
      memory: 256Mi

resources.limitsΒΆ

Limit defines the maximum amount of resources a container can use before getting evicted.

Type: object
Required: false

Example
spec:
  resources:
    limits:
      cpu: 500m
      memory: 512Mi

resources.limits.cpuΒΆ

Type: string
Required: false
Default value: 500m
Pattern: ^\d+m?$

Example
spec:
  resources:
    limits:
      cpu: 500m

resources.limits.memoryΒΆ

Type: string
Required: false
Default value: 512Mi
Pattern: ^\d+[KMG]i$

Example
spec:
  resources:
    limits:
      memory: 512Mi

resources.requestsΒΆ

Request defines the amount of resources a container is allocated on startup.

Type: object
Required: false

Example
spec:
  resources:
    requests:
      cpu: 200m
      memory: 256Mi

resources.requests.cpuΒΆ

Type: string
Required: false
Default value: 200m
Pattern: ^\d+m?$

Example
spec:
  resources:
    requests:
      cpu: 200m

resources.requests.memoryΒΆ

Type: string
Required: false
Default value: 256Mi
Pattern: ^\d+[KMG]i$

Example
spec:
  resources:
    requests:
      memory: 256Mi

restartPolicyΒΆ

RestartPolicy describes how the container should be restarted. Only one of the following restart policies may be specified. If none of the following policies is specified, the default one is Never. Read more about Kubernetes handling pod and container failures

Type: enum
Required: false
Default value: Never
Allowed values: Never, OnFailure

Example
spec:
  restartPolicy: Never

scheduleΒΆ

The Cron schedule for running the Naisjob. If not specified, the Naisjob will be run as a one-shot Job. The timezone for Naisjobs defaults to UTC.

Type: string
Required: false

Example
spec:
  schedule: '*/15 0 0 0 0'

secureLogsΒΆ

Whether or not to enable a sidecar container for secure logging.

Type: object
Required: false

Example
spec:
  secureLogs:
    enabled: true

secureLogs.enabledΒΆ

Whether to enable a sidecar container for secure logging. If enabled, a volume is mounted in the pods where secure logs can be saved.

Type: boolean
Required: true
Default value: false

Example
spec:
  secureLogs:
    enabled: true

skipCaBundleΒΆ

Whether to skip injection of NAV certificate authority bundle or not. Defaults to false.

Type: boolean
Required: false

Example
spec:
  skipCaBundle: true

startupΒΆ

Kubernetes uses startup probes to know when a container application has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the application startup. This can be used to adopt liveness checks on slow starting containers, avoiding them getting killed by Kubernetes before they are up and running.

Type: object
Required: false

Example
spec:
  startup:
    failureThreshold: 10
    initialDelay: 20
    path: /started
    periodSeconds: 5
    port: 8080
    timeout: 1

startup.failureThresholdΒΆ

When a Pod starts, and the probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of a startup probe means restarting the Pod.

Type: integer
Required: false

Example
spec:
  startup:
    failureThreshold: 10

startup.initialDelayΒΆ

Number of seconds after the container has started before startup probes are initiated.

Type: integer
Required: false

Example
spec:
  startup:
    initialDelay: 20

startup.pathΒΆ

HTTP endpoint path that signals 200 OK if the application has started successfully.

Type: string
Required: true

Example
spec:
  startup:
    path: /started

startup.periodSecondsΒΆ

How often (in seconds) to perform the probe.

Type: integer
Required: false

Example
spec:
  startup:
    periodSeconds: 5

startup.portΒΆ

Port for the startup probe.

Type: integer
Required: false

Example
spec:
  startup:
    port: 8080

startup.timeoutΒΆ

Number of seconds after which the probe times out.

Type: integer
Required: false

Example
spec:
  startup:
    timeout: 1

successfulJobsHistoryLimitΒΆ

Specify how many completed Jobs should be kept.

Type: integer
Required: false
Default value: 3

Example
spec:
  successfulJobsHistoryLimit: 2

terminationGracePeriodSecondsΒΆ

The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. For most jobs, the default is more than enough. Defaults to 30 seconds.

Type: integer
Required: false
Value range: 0-180

Example
spec:
  terminationGracePeriodSeconds: 60

timeZoneΒΆ

TimeZone for Naisjobs. Defaults to UTC. Only used if Schedule is specified. Specify a valid IANA timezone.

Type: string
Required: false

Example
spec:
  timeZone: Europe/Oslo

ttlSecondsAfterFinishedΒΆ

Specify the number of seconds to wait before removing the Job after it has finished (either Completed or Failed). If the field is unset, this Job won't be cleaned up by the TTL controller after it finishes.

Type: integer
Required: false

Example
spec:
  ttlSecondsAfterFinished: 60

vaultΒΆ

Provides secrets management, identity-based access, and encrypting application data for auditing of secrets for applications, systems, and users.

Relevant information:

Type: object
Required: false
Availability: on-premises

Example
spec:
  vault:
    enabled: true
    paths:
      - format: env
        kvPath: /kv/preprod/fss/application/namespace
        mountPath: /var/run/secrets/nais.io/vault

vault.enabledΒΆ

If set to true, fetch secrets from Vault and inject into the pods.

Type: boolean
Required: false

Example
spec:
  vault:
    enabled: true

vault.pathsΒΆ

List of secret paths to be read from Vault and injected into the pod's filesystem. Overriding the paths array is optional, and will give you fine-grained control over which Vault paths that will be mounted on the file system.

By default, the list will contain an entry with

kvPath: /kv/<environment>/<zone>/<application>/<namespace> mountPath: /var/run/secrets/nais.io/vault

that will always be attempted to be mounted.

Type: array
Required: false

Example
spec:
  vault:
    paths:
      - format: env
        kvPath: /kv/preprod/fss/application/namespace
        mountPath: /var/run/secrets/nais.io/vault

vault.paths[].formatΒΆ

Format of the secret that should be processed.

Type: enum
Required: false
Allowed values: (empty string), env, flatten, json, properties, yaml

Example
spec:
  vault:
    paths:
      - format: env
        kvPath: /kv/preprod/fss/application/namespace
        mountPath: /var/run/secrets/nais.io/vault

vault.paths[].kvPathΒΆ

Path to Vault key/value store that should be mounted into the file system.

Type: string
Required: true

Example
spec:
  vault:
    paths:
      - format: env
        kvPath: /kv/preprod/fss/application/namespace
        mountPath: /var/run/secrets/nais.io/vault

vault.paths[].mountPathΒΆ

File system path that the secret will be mounted into.

Type: string
Required: true

Example
spec:
  vault:
    paths:
      - format: env
        kvPath: /kv/preprod/fss/application/namespace
        mountPath: /var/run/secrets/nais.io/vault

webproxyΒΆ

Inject on-premises web proxy configuration into the job container. Most Linux applications should auto-detect these settings from the $HTTP_PROXY, $HTTPS_PROXY and $NO_PROXY environment variables (and their lowercase counterparts). Java applications can start the JVM using parameters from the $JAVA_PROXY_OPTIONS environment variable.

Type: boolean
Required: false
Availability: on-premises

Example
spec:
  webproxy: true