Version: 1.1

Custom Resource Definitions

Packages

aws.appvia.io/v1alpha1

Package v1alpha1 contains API Schema definitions for the AWS v1alpha1 API group

Resource Types:

ExternalVPC

ExternalVPC is the Schema for the non-wayfinder managed vpc

Field | Description
apiVersion
string
aws.appvia.io/v1alpha1
kind
string
ExternalVPC
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ExternalVPCSpec
accountID
string

AccountID is the account, where different, that we need to peer with

description
string

Description describes what the network is for / pointing to

providerSourceRef
Ownership

ProviderSourceRef is a reference to the cloudaccount for the source

region
string

Region is the AWS region in which the account exists

routeTableSelector
map[string]string

RouteTableSelector is used to filter the route tables for this network. When adding routes, the selected route tables are the ones the routes are added to.

routes
[]string

Routes is the list of routes we should advertise into the source network

vpcID
string

VPCID is the vpc id we need to connect to

status
ExternalVPCStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

SecurityGroupRule

SecurityGroupRule is the Schema for the security group rule

Field | Description
apiVersion
string
aws.appvia.io/v1alpha1
kind
string
SecurityGroupRule
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
SecurityGroupRuleSpec
description
string

Description provides a human readable description for the existence

networkRef
Ownership

NetworkRef is the source network the security group is attached to

securityGroupSelector
map[string]string

SecurityGroupSelector is a selector used to find the security groups

providerRef
Ownership

ProviderRef is a reference to the credentials to use for the api access

protocol
string

Protocol is the networking protocol - i.e. tcp or udp

portRangeFrom
int64

PortRangeFrom is the port range being allowed

portRangeTo
int64

PortRangeTo is the port range being allowed

sources
[]string

Sources is a collection of network ranges

status
SecurityGroupRuleStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

phase
string

Phase indicates the current phase of the rule - i.e. create or not

ExternalVPCSpec

(Appears on: ExternalVPC)

ExternalVPCSpec defines the desired state of non-wayfinder managed vpc resource

Field | Description
accountID
string

AccountID is the account, where different, that we need to peer with

description
string

Description describes what the network is for / pointing to

providerSourceRef
Ownership

ProviderSourceRef is a reference to the cloudaccount for the source

region
string

Region is the AWS region in which the account exists

routeTableSelector
map[string]string

RouteTableSelector is used to filter the route tables for this network. When adding routes, the selected route tables are the ones the routes are added to.

routes
[]string

Routes is the list of routes we should advertise into the source network

vpcID
string

VPCID is the vpc id we need to connect to

ExternalVPCStatus

(Appears on: ExternalVPC)

ExternalVPCStatus defines the observed state of a non-managed wayfinder vpc

Field | Description
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

SecurityGroupRuleSpec

(Appears on: SecurityGroupRule)

SecurityGroupRuleSpec defines the desired state of security group rule

Field | Description
description
string

Description provides a human readable description for the existence

networkRef
Ownership

NetworkRef is the source network the security group is attached to

securityGroupSelector
map[string]string

SecurityGroupSelector is a selector used to find the security groups

providerRef
Ownership

ProviderRef is a reference to the credentials to use for the api access

protocol
string

Protocol is the networking protocol - i.e. tcp or udp

portRangeFrom
int64

PortRangeFrom is the port range being allowed

portRangeTo
int64

PortRangeTo is the port range being allowed

sources
[]string

Sources is a collection of network ranges

SecurityGroupRuleStatus

(Appears on: SecurityGroupRule)

SecurityGroupRuleStatus defines the observed state of a security group rule

Field | Description
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

phase
string

Phase indicates the current phase of the rule - i.e. create or not

cloudaccess.appvia.io/v1alpha1

Package v1alpha1 contains API Schema definitions for the CloudAccess API group

Resource Types:

CloudAccount

CloudAccount represents an account/project/subscription in a cloud provider which Wayfinder should know about

Field | Description
apiVersion
string
cloudaccess.appvia.io/v1alpha1
kind
string
CloudAccount
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
CloudAccountSpec
name
string

Name is the unique logical name for this cloud account

description
string

Description is an optional longer human-readable description of this cloud account to help users understand which cloud account to choose.

cloud
string

Cloud defines which cloud provider this account is for

identifier
string

Identifier is the unique identifier for this account with the cloud provider, i.e. AWS account ID, GCP project ID, Azure subscription, etc. Required unless the accountType is managed.

For accountType organization this should be the account ID/subscription ID/project ID to place shared org-wide resources such as DNS root zones, etc. For AWS this must be the same AWS Master Account ID used for OrgIdentifier.

To use the identifier for a CloudAccount, ALWAYS reference Status.Identifier, not this field, as this will be unpopulated and ignored on managed accounts.

orgIdentifier
string

OrgIdentifier, required only for accountType organization and must be populated with the identifier for the organization - for example, AWS Master Account ID, Azure Tenant ID, GCP Organization ID, etc.

Ignored if accountType is not organization.

accountType
string

AccountType identifies whether this is an organization account (which can be used by Wayfinder to create managed accounts), a shared account (used directly to build workspace infrastructure), or a managed account (created by Wayfinder’s account management features)

defaultRegion
string

DefaultRegion is an optional default region to use for API access in this account when no region is specified for the operation. This is used to determine, for example, which region to use to talk to global services such as Route53 in AWS. E.g. eu-west-2, europe-west2, uksouth

parentAccount
CloudAccountReference

ParentAccount is a reference to another CloudAccount (with account type ‘organization’) of this cloud account, for managed (required) and shared (optional) accounts.

providerDetails
CloudAccountProviderDetails

ProviderDetails provides additional fields which can be used for cloud-provider specific data, such as a GCP billing account ID.

stages
[]string

Stages lists the stages that this cloudaccount may be used for

namingRules
[]github.com/appvia/wayfinder/pkg/apis/cloudaccess/v1alpha1.CloudAccountNamingRule

NamingRules describes for Organization type accounts how to name child accounts based on the plan chosen. Required for account factory functionality to operate for an Organization account.

identityCred
CloudCredentialReference

IdentityCred is a reference to the credential for Wayfinder to identify itself to this cloud provider when using this account.

To use workload identity, specify an empty namespace and name. This will only work if Workload Identity has been configured in the Wayfinder management cluster, this account is in the same cloud provider as the management cluster, and that workload identity is given access to this account.

features
[]string

Features lists the ways in which it is intended for this cloud account to be used. This will allow the relevant set of roles to be determined for this cloud account.

roles
[]CloudAccountRole

Roles defines the possible ways in which Wayfinder can use this account, along with details of how Wayfinder should identify itself (or provider-specific roles that need to be assumed) to use this account in the specified way. The set of roles required for a cloud account is defined by the enabled features.

userRoles
[]string

UserRoles are the roles which will be available for user access into this cloud account

allocation
ResourceAllocation

Allocation describes which workspaces can use this cloud account.

orgUserRoles
[]OrgUserRole

OrgUserRoles is the set of user roles to make available in child accounts of this org

Ignored if accountType is not organization.

status
CloudAccountStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

identifier
string

Identifier is the assigned unique identifier for this account. For managed accounts this will be the identifier for the created account. For all other accounts, this will be the value provided in Spec.Identifier.

This field should ALWAYS be used if you need the correct identifier for a cloud account. Do not rely on Spec.Identifier which is unpopulated for managed accounts.

providerAccountRef
Ownership

ProviderAccountRef is a reference to the provider account for this cloud account where the type is managed.

providerStatus
ProviderStatus

ProviderStatus can be populated with provider-specific status information, particularly relevant on accounts of type managed.

features
map[string]github.com/appvia/wayfinder/pkg/apis/cloudaccess/v1alpha1.CloudAccountFeatureStatus

Features describes the status of any features specified on this cloud account.

roles
map[string]github.com/appvia/wayfinder/pkg/apis/cloudaccess/v1alpha1.CloudAccountRoleStatus

Roles provides the status of each underlying required role. The keys of the map are the role names.

userRoles
map[string]github.com/appvia/wayfinder/pkg/apis/cloudaccess/v1alpha1.CloudAccountUserRoleStatus

UserRoles provides the status of the user roles on this cloud account

orgIdentifier
string

OrgIdentifier is the identifier for the organisation owner of this account, when known - for example, AWS Master Account ID, Azure Tenant ID, GCP Organization ID, etc.

CloudAccountClaim

CloudAccountClaim represents a request for a cloud account to come into existence for a workspace

Field | Description
apiVersion
string
cloudaccess.appvia.io/v1alpha1
kind
string
CloudAccountClaim
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
CloudAccountClaimSpec
name
string

Name is the name of the account to create. Either Name or Stage must be populated.

Populate name to choose a custom name, and populate stage to follow the account naming rules for the parent.

stage
string

Stage is the lifecycle stage to create the cloud account for. Either Name or Stage must be populated.

Populate stage to follow the account naming rules for the parent, and populate name to choose a custom name.

parent
CloudAccountReference

Parent is a reference to a CloudAccount which this claim should use for provisioning the account. If this is an Organization account, this will trigger the creation of a new account within this parent. If it is a Shared or Wayfinder Managed account, it will be validated and used directly. Any child account will inherit the Cloud provider from this parent.

status
CloudAccountClaimStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

name
string

Name is the resulting cloud account name

cloudAccountRef
CloudAccountReference

CloudAccountRef is a reference to the assigned or created cloud account

identifier
string

Identifier is the assigned account ID / project ID / subscription ID

CloudCredential

CloudCredential represents a set of credentials to access a cloud account which Wayfinder can use to perform its operations

Field | Description
apiVersion
string
cloudaccess.appvia.io/v1alpha1
kind
string
CloudCredential
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
CloudCredentialSpec
name
string

Name is a human-understandable name for this credential

cloud
string

Cloud defines which cloud provider this credential is for

implicitIdentity
bool

ImplicitIdentity specifies that any credentials are provided by the run time process environment and NOT a secret reference. Typically this means that workload identity is to be used.

implicitIdentityID
string

ImplicitIdentityID specifies any ID that the run time process environment needs to authenticate to a specific identity where more than one can be assigned to a process

credentialsInputData
map[string]string

CredentialsInputData can be used to populate the secret when creating/updating a credential. This will never be populated when the credential is returned from the API.

If specified, this must include the correct set of keys for credentials for the cloud provider that CloudAccount references.

secretRef
Kubernetes core/v1.SecretReference

SecretRef is a reference to the Kubernetes secret containing the actual key data for this credential. If the secret does not exist but CredentialsInputData is populated, this secret will be created. This can also be a reference to an existing secret managed outside Wayfinder.

Where CredentialsInputData is specified but this is left blank, Wayfinder will assign this value.

credentialsUpdated
Kubernetes meta/v1.Time

CredentialsUpdated should be set to the current time when an underlying secret is updated. This will be automatically set to the current time if CredentialsInputData is set. If you manually change the secret outside Wayfinder, update this field to trigger re-verification of this credential.

status
CloudCredentialStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

verified
bool

Verified checks that the credentials are ok and valid

identity
string

Identity is the unique reference to the cloud principal, e.g. aws role, gcp service-account etc.

WorkloadIdentity

WorkloadIdentity represents an identity for a kubernetes workload in a specific cloud provider / cloud account

Field | Description
apiVersion
string
cloudaccess.appvia.io/v1alpha1
kind
string
WorkloadIdentity
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
WorkloadIdentitySpec
cloud
string

Cloud defines which cloud provider this workload identity is for

cloudAccount
CloudAccountReference

CloudAccount defines which cloud account to build this workload identity in

cluster
Ownership

Cluster is a reference to the cluster which this workload identity will be used in.

clusterServiceAccount
ClusterServiceAccount

ClusterServiceAccount is the name and namespace of the service account which will use this identity in the target cluster. Required on AWS and GCP, optional (and unused) on Azure at this time.

providerDetails
WorkloadIdentityProviderDetails

ProviderDetails provides additional fields which can be used for cloud-provider specific data needed to provision a workload identity

role
WorkloadIdentityRole

Role must be the name of a valid workload identity role known to Wayfinder

roleParameters
map[string]string

RoleParameters are any parameters required for the specified role

cloudResourceName
string

CloudResourceName specifies the name of the workload identity in the cloudaccount. Can be left blank so that the name is derived from the cluster name + resource name.

status
WorkloadIdentityStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

identity
string

Identity contains a cloud-provider specific reference to the identity created for this resource, e.g. an AWS ARN or GCP service account email

AWSAccountParameters

(Appears on: CloudAccountProviderDetails)

AWSAccountParameters provides the specific parameters for an AWS account

AWSAccountStatus

(Appears on: ProviderStatus)

AWSAccountStatus provides status specific to AWS accounts

Field | Description
serviceCatalogProvisioningID
string

ServiceCatalogProvisioningID is the Control Tower Account Factory Service Catalog provisioning record ID. If set, creation is being tracked. Relevant only to managed AWS accounts.

AWSOrganizationParameters

(Appears on: CloudAccountProviderDetails)

AWSOrganizationParameters provides the specific parameters for an AWS organisation account

Field | Description
ssoUser
AWSSSOUser

SsoUser is the user who will be the organisational account owner for all accounts. Required if feature AccountManagement enabled.

ouName
string

OuName is the name of the parent Organizational Unit (OU) to use for provisioning accounts. Required if feature AccountManagement enabled.

region
string

Region is the region where control tower is enabled in the master account. Required if feature AccountManagement enabled.

userRoles
map[string]string

UserRoles contains the ARNs of stacksets to create instances of in each managed account

AWSSSOUser

(Appears on: AWSOrganizationParameters)

AWSSSOUser describes the details required to identify an AWS SSO user to use for all accounts

Field | Description
email
string

Email is the unique user email address specified for the AWS SSO user. Required if feature AccountManagement enabled.

firstName
string

FirstName is the first name(s) field for an AWS SSO user. Required if feature AccountManagement enabled.

lastName
string

LastName is the last name of an SSO user. Required if feature AccountManagement enabled.

AWSWorkloadIdentityParameters

(Appears on: WorkloadIdentityProviderDetails)

AWSWorkloadIdentityParameters is the parameters for an AWS workload identity

AccessAssumption

AccessAssumption describes a request to assume access to a cloud account

Field | Description
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
AccessAssumptionSpec
cloudAccount
CloudAccountReference

CloudAccount specifies which cloud account this access request is for

role
string

Role identifies which role to assume (must be present in UserRoles for the referenced CloudAccount)

portal
bool

Portal indicates that this request is for portal rather than API/CLI access

AccessAssumptionPermission

(Appears on: AccessAssumptionPermissions)

AccessAssumptionPermission describes whether the current user can access a specific user role

Field | Description
userRole
string

UserRole identifies which role this permission is for

status
CloudAccountUserRoleStatus

Status indicates the current status of this user role

userRole
string

UserRole is the role this status describes

assumeProviderRole
string

AssumeProviderRole may be populated for a specific cloud provider in order to describe how Wayfinder will orchestrate user access into this role

status
Status

Status provides an overall status.

message
string

Message is the description of the current status.

allowed
bool

Allowed will indicate if the user is currently allowed to assume this role

denyReasons
[]DenyReason

DenyReasons lists zero or more reasons why the user may not be able to currently assume this role. May not always be populated.

AccessAssumptionPermissions

AccessAssumptionPermissions describes what roles the current user can access

Field | Description
Account
CloudAccountReference

Account specifies which cloud account this permission reference is for

User
string

User specifies which user this permission reference is for

accountType
string

AccountType details the type of cloud account we’re talking about, provided for convenience

cloud
string

Cloud details which cloud this cloud account is for, provided for convenience

userRoles
map[string]github.com/appvia/wayfinder/pkg/apis/cloudaccess/v1alpha1.AccessAssumptionPermission

UserRoles describes the available user roles on this cloud account

AccessAssumptionResult

AccessAssumptionResult is the returned details of performing an assumption, including the temporary credentials for the session created for the user

Field | Description
credentials
map[string]string

Credentials will be populated with the appropriate key-value pairs to access the cloud provider in question. The keys of this will vary with the cloud provider.

expires
Kubernetes meta/v1.Time

Expires is the time the requested access expires

AccessAssumptionSpec

(Appears on: AccessAssumption)

AccessAssumptionSpec describes the account and role that the assumption is targeting

Field | Description
cloudAccount
CloudAccountReference

CloudAccount specifies which cloud account this access request is for

role
string

Role identifies which role to assume (must be present in UserRoles for the referenced CloudAccount)

portal
bool

Portal indicates that this request is for portal rather than API/CLI access

AzureSubscriptionParameters

(Appears on: CloudAccountProviderDetails)

AzureSubscriptionParameters provides the specific parameters for an Azure subscription

AzureTenantParameters

(Appears on: CloudAccountProviderDetails)

AzureTenantParameters provides the specific parameters for an Azure tenant (organisation) account

Field | Description
agreementType
string

AgreementType defines whether we’re building subscriptions in an MCA or Enterprise Agreement backed Azure setup

ownerObjectID
string

OwnerObjectID specifies the Object ID of an Azure AD group, user or service principal to grant Owner privilege on all created subscriptions. This is required to ensure that generated subscriptions are owned by an object controlled by your company.

Example: 8bf96a8f-abcd-ef12-a389-883d6116a5da

contributorObjectID
string

ContributorObjectID specifies an optional object ID of an Azure AD group, user or service principal to grant Contributor privilege on all created subscriptions.

Example: 8bf96a8f-dcef-abc1-a389-883d6116a5da

managementGroupID
string

ManagementGroupID specifies an optional ID of an Azure Management Group in which subscriptions created by Wayfinder should be placed.

Example: wf-subscription-mgt-group

billingAccount
string

BillingAccount is the billing account identifier. Required for both agreement types.

Example (super-catchy, isn’t it): aaa111b-abcd-ef01-2345-bcdabc123fed:1234aaab-0100-1234-abcd-abcd0123abcd_2019-05-31

enrollmentAccount
string

EnrollmentAccount defines for an Enterprise Agreement agreement type which enrollment account to create subscriptions within. Required for EA.

Example: 7654321

billingProfile
string

BillingProfile defines for an MCA agreement type which billing profile contains the invoice section you wish subscriptions to be created in. Required for MCA.

Example: AW4F-APQW-0AH-ABC

invoiceSection
string

InvoiceSection defines for an MCA agreement type which invoice section to create subscriptions within inside the selected BillingProfile. Required for MCA.

Example: PQRS-ALDS-012-DEF

AzureWorkloadIdentityParameters

(Appears on: WorkloadIdentityProviderDetails)

AzureWorkloadIdentityParameters is the parameters for an Azure workload identity

CloudAccountClaimSpec

(Appears on: CloudAccountClaim)

CloudAccountClaimSpec defines the desired state of CloudAccountClaim

Field | Description
name
string

Name is the name of the account to create. Either Name or Stage must be populated.

Populate name to choose a custom name, and populate stage to follow the account naming rules for the parent.

stage
string

Stage is the lifecycle stage to create the cloud account for. Either Name or Stage must be populated.

Populate stage to follow the account naming rules for the parent, and populate name to choose a custom name.

parent
CloudAccountReference

Parent is a reference to a CloudAccount which this claim should use for provisioning the account. If this is an Organization account, this will trigger the creation of a new account within this parent. If it is a Shared or Wayfinder Managed account, it will be validated and used directly. Any child account will inherit the Cloud provider from this parent.

CloudAccountClaimStatus

(Appears on: CloudAccountClaim)

CloudAccountClaimStatus defines the observed state of the provisioned account

Field | Description
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

name
string

Name is the resulting cloud account name

cloudAccountRef
CloudAccountReference

CloudAccountRef is a reference to the assigned or created cloud account

identifier
string

Identifier is the assigned account ID / project ID / subscription ID

CloudAccountFeatureStatus

(Appears on: CloudAccountStatus)

CloudAccountFeatureStatus describes the status of a cloud account feature

Field | Description
ready
bool

Ready indicates whether this feature is ready to use.

setupRequired
bool

SetupRequired indicates this feature needs wayfinder setup roles run to sort it out (i.e. one or more roles is missing, requires a provider role specifying, or requires updating). This will be false if a role is correct and specified but somehow not valid.

requiredRoles
[]string

RequiredRoles indicates the list of roles that this cloud account needs working in order for this feature to work. Each role identified here will have an entry in status.Roles to understand the status of these underlying roles.

CloudAccountNamingRule

CloudAccountNamingRule describes the rules for naming a child account based on the selected plan

Field | Description
name
string

Name is the given name of the rule

description
string

Description provides an optional description for the account rule

stages
[]string

Stages is a list of stages permitted

suffix
string

Suffix is the applied suffix

prefix
string

Prefix is a prefix for the account name

CloudAccountProviderDetails

(Appears on: CloudAccountSpec)

CloudAccountProviderDetails provides parameters that are specific to a particular type of cloud account

Field | Description
type
ProviderAccountType
gcpOrganization
GCPOrganizationParameters
(Optional)

GCPOrganization holds parameters specific to GCP organization accounts. Present only if type is GCPOrganization.

gcpProject
GCPProjectParameters
(Optional)

GCPProject holds parameters specific to GCP projects. Present only if type is GCPProject.

awsOrganization
AWSOrganizationParameters
(Optional)

AWSOrganization holds parameters specific to AWS organization accounts. Present only if type is AWSOrganization.

awsAccount
AWSAccountParameters
(Optional)

AWSAccount holds parameters specific to AWS accounts. Present only if type is AWSAccount.

azureTenant
AzureTenantParameters
(Optional)

AzureTenant holds parameters specific to Azure tenant accounts. Present only if type is AzureTenant.

azureSubscription
AzureSubscriptionParameters
(Optional)

AzureSubscription holds parameters specific to Azure subscriptions. Present only if type is AzureSubscription.

CloudAccountReference

(Appears on: AccessAssumptionPermissions, AccessAssumptionSpec, CloudAccountClaimSpec, CloudAccountClaimStatus, CloudAccountSpec, WorkloadIdentitySpec, ClusterSpec, ClusterStatus, CloudMetaCloud, CostImportSpec, DNSZoneSpec, NetworkFabricSpec, NetworkFabricStatus, PeeringRuleSpec, PeeringSpec)

Field | Description
namespace
string
name
string

CloudAccountRole

(Appears on: CloudAccountSpec)

Field | Description
role
string

Role is the Wayfinder cloud role that this account can be used for

assumeProviderRole
string

AssumeProviderRole contains a reference to the identifier that should be assumed by Wayfinder when using this account for this role, i.e. AWS ARN, GCP Service Account, Azure Role, etc.

CloudAccountRoleStatus

(Appears on: CloudAccountStatus)

CloudAccountRoleStatus is the status of a role on a cloud account

Field | Description
status
RoleStatus
message
string

CloudAccountSpec

(Appears on: CloudAccount)

CloudAccountSpec defines the specification of an account known to wayfinder

Field | Description
name
string

Name is the unique logical name for this cloud account

description
string

Description is an optional longer human-readable description of this cloud account to help users understand which cloud account to choose.

cloud
string

Cloud defines which cloud provider this account is for

identifier
string

Identifier is the unique identifier for this account with the cloud provider, i.e. AWS account ID, GCP project ID, Azure subscription, etc. Required unless the accountType is managed.

For accountType organization this should be the account ID/subscription ID/project ID to place shared org-wide resources such as DNS root zones, etc. For AWS this must be the same AWS Master Account ID used for OrgIdentifier.

To use the identifier for a CloudAccount, ALWAYS reference Status.Identifier, not this field, as this will be unpopulated and ignored on managed accounts.

orgIdentifier
string

OrgIdentifier, required only for accountType organization and must be populated with the identifier for the organization - for example, AWS Master Account ID, Azure Tenant ID, GCP Organization ID, etc.

Ignored if accountType is not organization.

accountType
string

AccountType identifies whether this is an organization account (which can be used by Wayfinder to create managed accounts), a shared account (used directly to build workspace infrastructure), or a managed account (created by Wayfinder’s account management features)

defaultRegion
string

DefaultRegion is an optional default region to use for API access in this account when no region is specified for the operation. This is used to determine, for example, which region to use to talk to global services such as Route53 in AWS. E.g. eu-west-2, europe-west2, uksouth

parentAccount
CloudAccountReference

ParentAccount is a reference to another CloudAccount (with account type ‘organization’) of this cloud account, for managed (required) and shared (optional) accounts.

providerDetails
CloudAccountProviderDetails

ProviderDetails provides additional fields which can be used for cloud-provider specific data, such as a GCP billing account ID.

stages
[]string

Stages lists the stages that this cloudaccount may be used for

namingRules
[]github.com/appvia/wayfinder/pkg/apis/cloudaccess/v1alpha1.CloudAccountNamingRule

NamingRules describes for Organization type accounts how to name child accounts based on the plan chosen. Required for account factory functionality to operate for an Organization account.

identityCred
CloudCredentialReference

IdentityCred is a reference to the credential for Wayfinder to identify itself to this cloud provider when using this account.

To use workload identity, specify an empty namespace and name. This will only work if Workload Identity has been configured in the Wayfinder management cluster, this account is in the same cloud provider as the management cluster, and that workload identity is given access to this account.

features
[]string

Features lists the ways in which it is intended for this cloud account to be used. This will allow the relevant set of roles to be determined for this cloud account.

roles
[]CloudAccountRole

Roles defines the possible ways in which Wayfinder can use this account, along with details of how Wayfinder should identify itself (or provider-specific roles that need to be assumed) to use this account in the specified way. The set of roles required for a cloud account is defined by the enabled features.

userRoles
[]string

UserRoles are the roles which will be available for user access into this cloud account

allocation
ResourceAllocation

Allocation describes which workspaces can use this cloud account.

orgUserRoles
[]OrgUserRole

OrgUserRoles is the set of user roles to make available in child accounts of this org

Ignored if accountType is not organization.

CloudAccountStatus

(Appears on: CloudAccount)

CloudAccountStatus defines the status of a cloud account

FieldDescription
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

identifier
string

Identifier is the assigned unique identifier for this account. For managed accounts this will be the identifier for the created account. For all other accounts, this will be the value provided in Spec.Identifier.

This field should ALWAYS be used if you need the correct identifier for a cloud account. Do not rely on Spec.Identifier which is unpopulated for managed accounts.

providerAccountRef
Ownership

ProviderAccountRef is a reference to the provider account for this cloud account where the type is managed.

providerStatus
ProviderStatus

ProviderStatus can be populated with provider-specific status information, particularly relevant on accounts of type managed.

features
map[string]github.com/appvia/wayfinder/pkg/apis/cloudaccess/v1alpha1.CloudAccountFeatureStatus

Features describes the status of any features specified on this cloud account.

roles
map[string]github.com/appvia/wayfinder/pkg/apis/cloudaccess/v1alpha1.CloudAccountRoleStatus

Roles provides the status of each underlying required role. The keys of the map are the role names.

userRoles
map[string]github.com/appvia/wayfinder/pkg/apis/cloudaccess/v1alpha1.CloudAccountUserRoleStatus

UserRoles provides the status of the user roles on this cloud account

orgIdentifier
string

OrgIdentifier is the identifier, when known, for the organization that owns this account - for example, AWS Master Account ID, Azure Tenant ID, GCP Organization ID, etc.

CloudAccountUserRoleStatus

(Appears on: AccessAssumptionPermission, CloudAccountStatus)

CloudAccountUserRoleStatus is the status of a specific user role on the cloud account

FieldDescription
userRole
string

UserRole is the role this status describes

assumeProviderRole
string

AssumeProviderRole may be populated for a specific cloud provider in order to describe how Wayfinder will orchestrate user access into this role

status
Status

Status provides an overall status.

message
string

Message is the description of the current status.

CloudCredentialReference

(Appears on: CloudAccountSpec, CostImportSpec)

CloudCredentialReference is a reference specifically to a cloud credential

FieldDescription
namespace
string

Namespace for the credential, specify empty for implicit credentials

name
string

Name for the credential, specify empty for implicit credentials

CloudCredentialSpec

(Appears on: CloudCredential)

CloudCredentialSpec defines the metadata about the credentials with a reference to the kubernetes secret containing the credentials

FieldDescription
name
string

Name is a human-understandable name for this credential

cloud
string

Cloud defines which cloud provider this credential is for

implicitIdentity
bool

ImplicitIdentity specifies that any credentials are provided by the run time process environment and NOT a secret reference. Typically this means that workload identity is to be used.

implicitIdentityID
string

ImplicitIdentityID specifies any ID that the run time process environment needs to authenticate to a specific identity where more than one can be assigned to a process

credentialsInputData
map[string]string

CredentialsInputData can be used to populate the secret when creating/updating a credential. This will never be populated when the credential is returned from the API.

If specified, this must include the correct set of keys for credentials for the cloud provider that CloudAccount references.

secretRef
Kubernetes core/v1.SecretReference

SecretRef is a reference to the Kubernetes secret containing the actual key data for this credential. If the secret does not exist but CredentialsInputData is populated, this secret will be created. This can also be a reference to an existing secret managed outside Wayfinder.

Where CredentialsInputData is specified but this is left blank, Wayfinder will assign this value.

credentialsUpdated
Kubernetes meta/v1.Time

CredentialsUpdated should be set to the current time when an underlying secret is updated. This will be automatically set to the current time if CredentialsInputData is set. If you manually change the secret outside Wayfinder, update this field to trigger re-verification of this credential.

CloudCredentialStatus

(Appears on: CloudCredential)

CloudCredentialStatus represents the status of a set of credentials for cloud account access

FieldDescription
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

verified
bool

Verified checks that the credentials are ok and valid

identity
string

Identity is the unique reference to the cloud principal, e.g. AWS role, GCP service account, etc.

ClusterServiceAccount

(Appears on: WorkloadIdentitySpec)

ClusterServiceAccount represents the identity inside the cluster that will use the workload identity

FieldDescription
namespace
string
name
string

DenyReason (string)

(Appears on: AccessAssumptionPermission)

DenyReason describes why an access assumption is not permitted

ValueDescription

"NetworkConstraint"

DenyReasonNetworkConstraint indicates that the access would be permitted for the user when accessing from certain network locations, but their current network location is not permitted

"NoPolicy"

DenyReasonNoPolicy indicates that no policy is applicable for this role for the current user

"TimeConstraint"

DenyReasonTimeConstraint indicates that the access would be permitted during certain time periods but is not permitted at the current time

GCPOrganizationParameters

(Appears on: CloudAccountProviderDetails)

GCPOrganizationParameters provides the specific parameters for a GCP organisation account

FieldDescription
parentType
string

ParentType is the type of parent this project has. Valid types are: “organization”, “folder”, and “project”

parentID
string

DEPRECATED: Use OrgIdentifier on Spec. This will be ignored if OrgIdentifier is populated on the Spec.

billingAccount
string

BillingAccountName is the resource name of the billing account associated with the project e.g. ‘012345-567890-ABCDEF’

GCPProjectParameters

(Appears on: CloudAccountProviderDetails)

GCPProjectParameters provides the specific parameters for a GCP project account

GCPWorkloadIdentityParameters

(Appears on: WorkloadIdentityProviderDetails)

GCPWorkloadIdentityParameters is the parameters for a GCP workload identity

OrgUserRole

(Appears on: CloudAccountSpec)

OrgUserRole describes a specific user role to orchestrate into child accounts of an org

FieldDescription
userRole
string

UserRole is the top-level role to provide in child accounts

enabled
bool

Enabled controls whether this role is enabled

allocation
ResourceAllocation

Allocation describes which workspaces can use this role. Will only be effective as a subset of the workspaces allowed to use the cloud account in spec.Allocation.

ProviderAccountType (string)

(Appears on: CloudAccountProviderDetails, ProviderStatus)

ProviderAccountType represents the concrete type of account that a CloudAccount represents

ValueDescription

"AWSAccount"

ProviderAccountTypeAWSAccount is an AWS account for running workloads

"AWSOrganization"

ProviderAccountTypeAWSOrg is a root organization account for AWS account management

"AzureTenant"

ProviderAccountTypeAzureOrg is a root organization tenant for Azure account management

"AzureSubscription"

ProviderAccountTypeAzureSubscription is an Azure subscription for running workloads

"GCPOrganization"

ProviderAccountTypeGCPOrg is a root organization account for GCP account management

"GCPProject"

ProviderAccountTypeGCPProject is a GCP project for running workloads

ProviderStatus

(Appears on: CloudAccountStatus)

ProviderStatus provides status fields specific to a cloud provider

FieldDescription
type
ProviderAccountType
awsAccount
AWSAccountStatus
(Optional)

AWSAccount holds status specific to AWS accounts.

RoleStatus (string)

(Appears on: CloudAccountRoleStatus)

RoleStatus is a possible status of a role on a cloud account

ValueDescription

"Invalid"

RoleInvalid indicates that a specified role is not usable, for example it cannot be accessed from the identity associated with this cloud account or does not exist

"Missing"

RoleMissing indicates that a required role for a specified feature is not set on this cloudaccount

"Pending"

RolePending indicates that the role has not yet been checked

"RequiresProviderRole"

RoleRequiresProviderRole indicates that a specified role requires an AssumeProviderRole but none has been provided

"RequiresUpdate"

RoleRequiresUpdate indicates that the permissions required for the role are not correct in the cloud provider so this role needs to be updated

"Valid"

RoleValid indicates this cloud account role is ready to use

WorkloadIdentityProviderDetails

(Appears on: WorkloadIdentitySpec)

WorkloadIdentityProviderDetails provides parameters that are specific to a particular type of workload identity

FieldDescription
type
WorkloadIdentityType
aws
AWSWorkloadIdentityParameters
(Optional)

AWS holds parameters specific to AWS workload identities. Present only if type is AWS.

gcp
GCPWorkloadIdentityParameters
(Optional)

GCP holds parameters specific to GCP workload identity. Present only if type is GCP.

azure
AzureWorkloadIdentityParameters
(Optional)

Azure holds parameters specific to Azure workload identity. Present only if type is Azure.

WorkloadIdentityRole (string)

(Appears on: WorkloadIdentitySpec)

ValueDescription

"CertManager"

WorkloadIdentityRoleExternalDNS defines the required permissions for CertManager to function in a given cloud

"ClusterAutoscaler"

WorkloadIdentityRoleClusterAutoscaler defines the required permissions for the cluster autoscaler to function in a given cloud (only needed on AWS)

"ExternalDNS"

WorkloadIdentityRoleExternalDNS defines the required permissions for ExternalDNS to function in a given cloud

WorkloadIdentitySpec

(Appears on: WorkloadIdentity)

WorkloadIdentitySpec defines the specification of a workload identity which should be provisioned

FieldDescription
cloud
string

Cloud defines which cloud provider this workload identity is for

cloudAccount
CloudAccountReference

CloudAccount defines which cloud account to build this workload identity in

cluster
Ownership

Cluster is a reference to the cluster which this workload identity will be used in.

clusterServiceAccount
ClusterServiceAccount

ClusterServiceAccount is the name and namespace of the service account which will use this identity in the target cluster. Required on AWS and GCP, optional (and unused) on Azure at this time.

providerDetails
WorkloadIdentityProviderDetails

ProviderDetails provides additional fields which can be used for cloud-provider specific data needed to provision a workload identity

role
WorkloadIdentityRole

Role must be the name of a valid workload identity role known to Wayfinder

roleParameters
map[string]string

RoleParameters are any parameters required for the specified role

cloudResourceName
string

CloudResourceName specifies the name of the workload identity in the cloudaccount. Can be left blank so that the name is derived from the cluster name + resource name

WorkloadIdentityStatus

(Appears on: WorkloadIdentity)

WorkloadIdentityStatus defines the status of a cloud account

FieldDescription
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

identity
string

Identity contains a cloud-provider specific reference to the identity created for this resource, e.g. an AWS ARN or GCP service account email

WorkloadIdentityType (string)

(Appears on: WorkloadIdentityProviderDetails)

WorkloadIdentityType represents the concrete type of a workload identity to provide

ValueDescription

"AWS"

WorkloadIdentityTypeAWS is for AWS managed workload identity

"Azure"

WorkloadIdentityTypeAzure is for Azure managed workload identity

"GCP"

WorkloadIdentityTypeGCP is for GCP managed workload identity

compute.appvia.io/v1alpha1

Package v1alpha1 contains API Schema definitions for the compute v1alpha1 API group

Resource Types:

Cluster

Cluster is the schema for cluster definitions in Wayfinder

FieldDescription
apiVersion
string
compute.appvia.io/v1alpha1
kind
string
Cluster
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ClusterSpec
cloudAccountRef
CloudAccountReference

CloudAccountRef is a reference to the cloud account this cluster should reside in

cloudResourceName
string

CloudResourceName specifies the name of the cluster in the cloudaccount. Can be left blank so that the name is derived from the wayfinder workspace and resource name

description
string

Description provides a short summary to the use of the cluster

enableAutoUpgrade
bool

EnableAutoUpgrade indicates wayfinder should handle any upgrades for the clusters

enablePrivateCluster
bool

EnablePrivateCluster indicates the cluster should be made private

expires
Kubernetes meta/v1.Time

Expires provides a time for automatic expiration of the cluster

addons
Addons

Addons provide details on enabled feature sets of the cluster

maintenanceWindow
string

MaintenanceWindow is the time we can perform updates and upgrades

networking
Networking

Networking provides the details around the cluster networking options

nodePools
[]*github.com/appvia/wayfinder/pkg/apis/compute/v1alpha1.NodePool

NodePools is a collection of node pools associated to the cluster

provider
string

Provider refers to the cluster type (e.g. AKS, GKE, EKS)

plan
string

Plan refers to the original plan the cluster was created from

providerDetails
ClusterProviderDetails

ProviderDetails defines cloud specific cluster options

secretRef
Kubernetes core/v1.SecretReference

SecretRef is a reference to an existing secret containing an administrative access token for this cluster. Required only for clusters which are not created by Wayfinder.

stage
string

Stage is the name of the stage for this cluster

region
string

Region is the region you want the cluster to reside in

version
string

Version is the kubernetes version to use. You can use ‘latest’ and allow the cloud provider to choose the latest release, or use a specific cloud vendor version. Note, when enableAutoUpgrade is enabled you must specify the version as latest.

status
ClusterStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

authProxyEndpoint
string

AuthProxyEndpoint is the endpoint of the authentication proxy for this cluster

authProxyCertificate
string

AuthProxyCertificate is the certificate of the auth proxy endpoint

caCertificate
string

CaCertificate is the base64 encoded cluster certificate

cloudAccount
CloudAccountReference

CloudAccountRef is a reference to the cloud account to use to retrieve credentials for this cluster. Will be populated if the spec specifies a CloudAccount (org or shared) as the credential object.

kubeApiEndpoint
string

KubeAPIEndpoint is the kubernetes API endpoint url

networkFabric
NetworkFabricStatus

Network contains the network configuration used by this cluster

providerData
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSON

ProviderData is provider specific data

providerStatus
ProviderStatus

ProviderStatus is provider specific data with types

version
string

Version is the kubernetes version of the cluster

dnsZones
[]string

DNSZones is a list of Wayfinder-managed DNS zones which are currently available in this cluster with ExternalDNS. This will be populated if the DNSReady condition is true.

NamespaceClaim

NamespaceClaim is the Schema for the namespaceclaims API

FieldDescription
apiVersion
string
compute.appvia.io/v1alpha1
kind
string
NamespaceClaim
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
NamespaceClaimSpec
cluster
Ownership

Cluster is the cluster the namespace resides in

name
string

Name is the name of the namespace to create

annotations
map[string]string

Annotations is a series of annotations on the namespace

labels
map[string]string

Labels is a series of labels for the namespace

status
NamespaceClaimStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

Status is the status of the namespace

Plan

Plan is the Schema for the plans API

FieldDescription
apiVersion
string
compute.appvia.io/v1alpha1
kind
string
Plan
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
PlanSpec
allocation
ResourceAllocation

Allocation defines one or more workspaces which are permitted to access this plan

labels
map[string]string

Labels is a collection of labels for this plan

summary
string

Summary provides a short title summary for the plan

template
ClusterSpec

Template are the key+value pairs describing a cluster configuration

policies
[]*github.com/appvia/wayfinder/pkg/apis/compute/v1alpha1.PlanPolicy

Policies are a collection of policies related to the use of the plan

status
PlanStatus
conditions
[]Condition

Conditions is a set of conditions which have caused an error

status
Status

Status is the overall status of the plan

AKSClusterStatus

(Appears on: ProviderStatus)

AKSClusterStatus is used to hold anything related to the AKS clusters

FieldDescription
infraResourceGroupName
string

InfraResourceGroupName is the resource group that AKS manages

clusterPrincipalId
string

ClusterPrincipalID is the cluster principal in Azure. This is required for assigning permission to the AKS cluster in Azure

AKSNodePoolSpec

(Appears on: NodePoolProviderDetails)

AKSNodePoolSpec represents a node pool within an AKS cluster

FieldDescription
mode
string

Mode is the type of the node pool. System node pools serve the primary purpose of hosting critical system pods such as CoreDNS and tunnelfront. User node pools serve the primary purpose of hosting your application pods.

AKSNodePoolSpotInstances

(Appears on: SpotInstancesOptions)

AKSNodePoolSpotInstances are the options for spot instances in Azure

FieldDescription
maxSpotPrice
string

MaxSpotPrice is the maximum price you are willing to pay for a spot instance, billed in microdollars. The figure is optional and is only relevant when the nodepool is made of spot instances

AKSSpec

(Appears on: ClusterProviderDetails)

AKSSpec defines the desired state of an AKS cluster

FieldDescription
linuxProfile
LinuxProfile

LinuxProfile is the configuration for Linux VMs

skuTier
string

SKUTier is the Uptime SLA that should be used for the AKS cluster. “Free” or “Paid”

windowsProfile
WindowsProfile

WindowsProfile is the configuration for Windows VMs

Addons

(Appears on: ClusterSpec)

Addons defines the structure for addons and features on a cluster

FieldDescription
cloudServices
CloudServicesAddon

CloudServices indicates we should enable cloud service via crossplane

ingress
IngressAddon

Ingress indicates we want the ingress service enabled

Authentication

Authentication provides options to the authentication module

FieldDescription
disableInline
bool

DisableInline indicates if we disable inline authorization

AuthorizedNetwork

AuthorizedNetwork provides a definition for the authorized networks

FieldDescription
name
string

Name provides a descriptive name for this network

cidr
string

CIDR is the network range associated to this network

AutoScalingOptions

(Appears on: NodePool)

AutoScalingOptions define the options per cloud provider for autoscaling

FieldDescription
enabled
bool

Enabled indicates the node pool should use autoscaling

minSize
int64

MinSize is the minimum number of nodes if autoscaling is enabled

maxSize
int64

MaxSize is the maximum number of nodes if autoscaling is enabled

CloudServicesAddon

(Appears on: Addons)

CloudServicesAddon defines the cloud service addons

FieldDescription
enabled
bool

Enabled indicates the addon is enabled

CloudWatchLogging

(Appears on: EKSSpec)

CloudWatchLogging defines the control plane logging options

FieldDescription
api
bool

API will enable logging for the Kubernetes API server

audit
bool

Audit will enable logging for the Kubernetes audit

authenticator
bool

Authenticator will enable logging for the Kubernetes authentication

controllerManager
bool

ControllerManager will enable logging for the Kubernetes controller manager

scheduler
bool

Scheduler will enable logging for the Kubernetes scheduler component

ClusterProviderDetails

(Appears on: ClusterSpec)

ClusterProviderDetails defines the parameters for cloud specific options - i.e. options which cannot be consolidated as they are too specific to the chosen cloud vendor

FieldDescription
type
ProviderType
aks
AKSSpec

AKS defines the cloud specific options for AKS clusters

eks
EKSSpec

EKS defines the cloud specific options for EKS clusters

gke
GKESpec

GKE is the provider specification for their clusters

unmanaged
UnmanagedSpec

Unmanaged provides the specification for unmanaged cluster

ClusterSpec

(Appears on: Cluster, PlanSpec)

ClusterSpec defines the desired state of a cluster

FieldDescription
cloudAccountRef
CloudAccountReference

CloudAccountRef is a reference to the cloud account this cluster should reside in

cloudResourceName
string

CloudResourceName specifies the name of the cluster in the cloudaccount. Can be left blank so that the name is derived from the wayfinder workspace and resource name

description
string

Description provides a short summary to the use of the cluster

enableAutoUpgrade
bool

EnableAutoUpgrade indicates wayfinder should handle any upgrades for the clusters

enablePrivateCluster
bool

EnablePrivateCluster indicates the cluster should be made private

expires
Kubernetes meta/v1.Time

Expires provides a time for automatic expiration of the cluster

addons
Addons

Addons provide details on enabled feature sets of the cluster

maintenanceWindow
string

MaintenanceWindow is the time we can perform updates and upgrades

networking
Networking

Networking provides the details around the cluster networking options

nodePools
[]*github.com/appvia/wayfinder/pkg/apis/compute/v1alpha1.NodePool

NodePools is a collection of node pools associated to the cluster

provider
string

Provider refers to the cluster type (e.g. AKS, GKE, EKS)

plan
string

Plan refers to the original plan the cluster was created from

providerDetails
ClusterProviderDetails

ProviderDetails defines cloud specific cluster options

secretRef
Kubernetes core/v1.SecretReference

SecretRef is a reference to an existing secret containing an administrative access token for this cluster. Required only for clusters which are not created by Wayfinder.

stage
string

Stage is the name of the stage for this cluster

region
string

Region is the region you want the cluster to reside in

version
string

Version is the kubernetes version to use. You can use ‘latest’ and allow the cloud provider to choose the latest release, or use a specific cloud vendor version. Note, when enableAutoUpgrade is enabled you must specify the version as latest.

ClusterStatus

(Appears on: Cluster)

ClusterStatus defines the observed state of a cluster

FieldDescription
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

authProxyEndpoint
string

AuthProxyEndpoint is the endpoint of the authentication proxy for this cluster

authProxyCertificate
string

AuthProxyCertificate is the certificate of the auth proxy endpoint

caCertificate
string

CaCertificate is the base64 encoded cluster certificate

cloudAccount
CloudAccountReference

CloudAccountRef is a reference to the cloud account to use to retrieve credentials for this cluster. Will be populated if the spec specifies a CloudAccount (org or shared) as the credential object.

kubeApiEndpoint
string

KubeAPIEndpoint is the kubernetes API endpoint url

networkFabric
NetworkFabricStatus

Network contains the network configuration used by this cluster

providerData
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1.JSON

ProviderData is provider specific data

providerStatus
ProviderStatus

ProviderStatus is provider specific data with types

version
string

Version is the kubernetes version of the cluster

dnsZones
[]string

DNSZones is a list of Wayfinder-managed DNS zones which are currently available in this cluster with ExternalDNS. This will be populated if the DNSReady condition is true.

EKSClusterStatus

(Appears on: ProviderStatus)

EKSClusterStatus is used to hold anything related to the EKS clusters

FieldDescription
oidc
string

OIDC is the url for the OIDC endpoint

EKSNodePoolSpec

(Appears on: NodePoolProviderDetails)

EKSNodePoolSpec defines the desired state of EKSCluster

FieldDescription
eC2SSHKey
string

EC2SSHKey is the Amazon EC2 SSH key that provides access for SSH communication with the worker nodes in the managed node group. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

sshSourceSecurityGroups
[]string

SSHSourceSecurityGroups is the security groups that are allowed SSH access (port 22) to the worker nodes

EKSNodePoolSpotInstances

(Appears on: SpotInstancesOptions)

EKSNodePoolSpotInstances defines the options for EKS spot instances

FieldDescription
additionalInstanceTypes
[]string

AdditionalInstanceTypes provides an additional list of instance types to use when spot instances are enabled

EKSSpec

(Appears on: ClusterProviderDetails)

EKSSpec defines the desired state of EKSCluster

FieldDescription
cloudWatchLogging
CloudWatchLogging

CloudWatchLogging allows all control plane logging to be enabled

enableEndpointPrivate
bool

EnableEndpointPrivate indicates the EKS endpoint should be private and non-public facing

subnetIDs
[]string

SubnetIds is a list of subnet IDs

securityGroupIDs
[]string

SecurityGroupIds is a list of security group IDs

adminARNs
[]string

AdminARNs is the list of roles or users to be granted access to the EKS K8s API

GKENodePoolSpec

(Appears on: NodePoolProviderDetails)

GKENodePoolSpec defines the cloud specific options for a GKE nodepool

FieldDescription
enableAutorepair
bool

EnableAutorepair indicates if the node pool should automatically repair failed nodes

enableAutoupgrade
bool

EnableAutoUpgrade indicates if the node group should be configured with auto-upgrading enabled. This must be true if the cluster has ReleaseChannel set.

GKESpec

(Appears on: ClusterProviderDetails)

GKESpec defines the additional options for a GKE cluster

FieldDescription
enableHorizontalPodAutoscaler
bool

EnableHorizontalPodAutoscaler indicates if the cluster is configured with the horizontal pod autoscaler addon. This automatically adjusts the cpu and memory resources of pods in accordance with their demand. You should ensure you use PodDisruptionBudgets if this is enabled.

enableHTTPLoadBalancer
bool

EnableHTTPLoadBalancer indicates if the cluster should be configured with the GKE ingress controller. When enabled GKE will autodiscover your ingress resources and provision load balancer on your behalf.

enableShieldedNodes
bool

EnableShieldedNodes indicates we should enable the shielded nodes options in GKE. This protects against a variety of attacks by hardening the underlying GKE node against rootkits and bootkits.

enableStackDriverLogging
bool

EnableStackDriverLogging indicates if Stackdriver logging should be enabled for the cluster

enableStackDriverMetrics
bool

EnableStackDriverMetrics indicates if Stackdriver metrics should be enabled for the cluster

masterIPV4Cidr
string

MasterIPV4Cidr is the network range used when private networking is enabled. This is the peering subnet used for the GKE master API layer. Note, this must be unique within the network.

IngressAddon

(Appears on: Addons)

IngressAddon defines the ingress options

FieldDescription
enabled
bool

Enabled indicates the addon is enabled

LinuxProfile

(Appears on: AKSSpec)

LinuxProfile is the configuration for Linux VMs

FieldDescription
adminUsername
string

AdminUsername is the admin username for Linux VMs

sshPublicKeys
[]string

SSHPublicKeys is a list of public SSH keys to allow to connect to the Linux VMs

NamespaceClaimSpec

(Appears on: NamespaceClaim)

NamespaceClaimSpec defines the desired state of NamespaceClaim

FieldDescription
cluster
Ownership

Cluster is the cluster the namespace resides in

name
string

Name is the name of the namespace to create

annotations
map[string]string

Annotations is a series of annotations on the namespace

labels
map[string]string

Labels is a series of labels for the namespace

NamespaceClaimStatus

(Appears on: NamespaceClaim)

NamespaceClaimStatus defines the observed state of NamespaceClaim

FieldDescription
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

Status is the status of the namespace

NetworkRange

NetworkRange defines a network block

FieldDescription
type
string

Type defines the type of network

cidr
string

CIDR defines the network range

Networking

(Appears on: ClusterSpec)

Networking defines the structure for a

FieldDescription
authorizedNetworks
[]*github.com/appvia/wayfinder/pkg/apis/compute/v1alpha1.AuthorizedNetwork

AuthorizedNetworks is a collection of authorized networks which are permitted to speak to the authentication proxy

authorizedMasterNetworks
[]*github.com/appvia/wayfinder/pkg/apis/compute/v1alpha1.AuthorizedNetwork

AuthorizedMasterNetworks is a collection of authorized networks which are permitted to speak to the cloud kubernetes API. Defaults to all if not provided.

clusterIPV4Cidr
string

ClusterIPV4Cidr is an optional network CIDR which is used to place the node network on

networkProvider
string

NetworkProvider defines a network cni provider for the cluster

networkRef
Ownership

NetworkRef is reference to a network where the cluster should reside

servicesIPV4Cidr
string

ServicesIPV4Cidr is an optional network cidr configured for the cluster services. If set to ‘auto’ - cidr will be allocated for you

podsIPV4Cidr
string

PodsIPV4Cidr is an optional network cidr configured for the pods networks
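Several of the ClusterSpec, Networking, EKSSpec, GKESpec and EKSNodePoolSpec fields documented above control exposure and logging, so it is worth checking them before a Cluster manifest is applied. The following is an added example, not Wayfinder code: the sample manifest, the finding codes and the decision to treat each setting as a finding are assumptions of this example, and only field names described on this page are read.

```python
import ipaddress
import json

# Constructed sample: JSON form of a Cluster manifest. All values are illustrative.
SAMPLE_CLUSTER = json.loads("""
{
  "apiVersion": "compute.appvia.io/v1alpha1",
  "kind": "Cluster",
  "metadata": {"name": "demo"},
  "spec": {
    "provider": "EKS",
    "enableAutoUpgrade": true,
    "enablePrivateCluster": false,
    "version": "1.27",
    "networking": {
      "authorizedMasterNetworks": [
        {"name": "office", "cidr": "203.0.113.0/24"},
        {"name": "anywhere", "cidr": "0.0.0.0/0"}
      ]
    },
    "providerDetails": {
      "eks": {
        "enableEndpointPrivate": false,
        "cloudWatchLogging": {"api": true, "audit": false}
      }
    },
    "nodePools": [
      {"name": "default", "providerDetails": {"eks": {"eC2SSHKey": "ops-key"}}}
    ]
  }
}
""")


def _prefix_len(cidr):
    """Return the prefix length of a CIDR string, or None if it does not parse."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen
    except (ValueError, TypeError):
        return None


def audit_cluster(manifest):
    """Return a sorted list of (code, detail) findings for one Cluster manifest."""
    spec = manifest.get("spec") or {}
    net = spec.get("networking") or {}
    findings = []

    # The reference states authorizedMasterNetworks defaults to all when omitted.
    if not net.get("authorizedMasterNetworks"):
        findings.append(("MASTER_NETWORKS_DEFAULT_ALL",
                         "authorizedMasterNetworks is not set"))
    for field in ("authorizedMasterNetworks", "authorizedNetworks"):
        for entry in net.get(field) or []:
            entry = entry or {}
            cidr = entry.get("cidr")
            plen = _prefix_len(cidr)
            if plen is None:
                findings.append(("NETWORK_CIDR_INVALID", f"{field}: {cidr!r}"))
            elif plen == 0:  # a /0 range admits every address
                findings.append(("NETWORK_ALLOWS_ANY",
                                 f"{field}: {entry.get('name')!r} is {cidr}"))

    # The reference requires version 'latest' when enableAutoUpgrade is on.
    if spec.get("enableAutoUpgrade") and spec.get("version") != "latest":
        findings.append(("AUTOUPGRADE_VERSION_NOT_LATEST",
                         f"version is {spec.get('version')!r}"))

    details = spec.get("providerDetails") or {}
    eks = details.get("eks")
    if eks is not None:
        if not (eks.get("cloudWatchLogging") or {}).get("audit"):
            findings.append(("EKS_AUDIT_LOG_OFF", "cloudWatchLogging.audit is not true"))
        if not eks.get("enableEndpointPrivate") and not spec.get("enablePrivateCluster"):
            findings.append(("EKS_ENDPOINT_NOT_PRIVATE",
                             "neither enableEndpointPrivate nor enablePrivateCluster is true"))
    gke = details.get("gke")
    if gke is not None and not gke.get("enableShieldedNodes"):
        findings.append(("GKE_SHIELDED_NODES_OFF", "enableShieldedNodes is not true"))

    # An SSH key on a node pool with no source security groups listed.
    for pool in spec.get("nodePools") or []:
        pool = pool or {}
        pool_eks = (pool.get("providerDetails") or {}).get("eks") or {}
        if pool_eks.get("eC2SSHKey") and not pool_eks.get("sshSourceSecurityGroups"):
            findings.append(("EKS_SSH_SOURCE_UNSET",
                             f"nodePool {pool.get('name')!r} sets eC2SSHKey only"))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in audit_cluster(SAMPLE_CLUSTER):
        print(f"{code}: {detail}")
```

A manifest exported as YAML can be converted to JSON first; the check itself only needs the parsed dictionary.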

NodePool

NodePool defines a node pool in kubernetes

FieldDescription
name
string

Name is the name of the nodepool

description
string

Description provides an optional description to the node pool

diskSize
int64

DiskSize is the amount of disk space to assign to the nodes in MBs

autoscaling
AutoScalingOptions

Autoscaling indicates the node pool should autoscale

expires
Kubernetes meta/v1.Time

Expires provides a time for automatic expiration of the cluster

image
string

Image is the image we should use on the instances of this pool

labels
map[string]string

Labels is a collection of labels placed on the nodepool

maxPodsPerNode
int64

MaxPodsPerNode controls how many pods can be scheduled onto each node in this pool

machine
string

Machine is the instance type of the nodes in the pool

providerDetails
NodePoolProviderDetails

ProviderDetails provides any cloud specific options for this nodepool

size
int64

Size is the initial size if autoscaling is defined, or the effective size if no autoscaling is enabled

spot
SpotInstancesOptions

Spot, if defined, enables the nodepool to use spot instances

taints
[]NodeTaint

Taints defines a collection of scheduling taints placed on the nodepool

version
string

Version is the initial version of kubernetes on the node pool

zones
[]string

Zones defines a list of cloud specific availability zones where the nodes are permitted to run

NodePoolProviderDetails

(Appears on: NodePool)

NodePoolProviderDetails defines the parameters for cloud specific options - i.e. options which cannot be consolidated as they are too specific to the chosen cloud vendor

FieldDescription
type
ProviderType
aks
AKSNodePoolSpec

AKS defines the cloud specific options for AKS clusters

eks
EKSNodePoolSpec

EKS defines the cloud specific options for EKS clusters

gke
GKENodePoolSpec

GKE is the provider specification for their clusters

unmanaged
UnmanagedNodePoolSpec

Unmanaged provides the specification for unmanaged cluster

NodeTaint

(Appears on: NodePool)

NodeTaint is the structure of a taint on a nodepool: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/

FieldDescription
key
string

Key provides the key definition for this taint

value
string

Value is an arbitrary value for this taint to compare

effect
string

Effect is the desired action on the taint

PlanPolicy

PlanPolicy defines an entry for the

FieldDescription
editable
bool

Editable indicates the entry can or cannot be changed

enum
[]string

Enum is a collection of possible values

max
int64

Max is a max to the value

min
int64

Min is a minimum to the value

path
string

Path is the JSON path to the value

pattern
string

Pattern is used as regex constraint on the input

summary
string

Summary provides an optional description to the field attribute

PlanSpec

(Appears on: Plan)

PlanSpec defines the desired state of Plan

FieldDescription
allocation
ResourceAllocation

Allocation defines one or more workspaces which are permitted to access this plan

labels
map[string]string

Labels is a collection of labels for this plan

summary
string

Summary provides a short title summary for the plan

template
ClusterSpec

Template are the key+value pairs describing a cluster configuration

policies
[]*github.com/appvia/wayfinder/pkg/apis/compute/v1alpha1.PlanPolicy

Policies are a collection of policies related to the use of the plan

PlanStatus

(Appears on: Plan)

PlanStatus defines the observed state of Plan

FieldDescription
conditions
[]Condition

Conditions is a set of conditions which have caused an error

status
Status

Status is the overall status of the plan

ProviderStatus

(Appears on: ClusterStatus)

ProviderStatus is a broken down status per provider for the cluster - i.e. outputs from the clusters which are specific to the clouds

FieldDescription
eks
EKSClusterStatus

EKS is the provider status for AWS

aks
AKSClusterStatus

AKS is the provider status for Azure

ProviderType (string)

(Appears on: ClusterProviderDetails, NodePoolProviderDetails)

ProviderType represents the concrete type of account that a CloudAccount represents

SpotInstancesOptions

(Appears on: NodePool)

SpotInstancesOptions defines the options for spot instances

FieldDescription
enabled
bool

Enabled indicates the node pool should use spots

aks
AKSNodePoolSpotInstances

AKS defines the options for AKS spot instances

eks
EKSNodePoolSpotInstances

EKS provides additional options for EKS

UnmanagedNodePoolSpec

(Appears on: NodePoolProviderDetails)

UnmanagedNodePoolSpec defines the spec for an unmanaged nodepool

UnmanagedSpec

(Appears on: ClusterProviderDetails)

UnmanagedSpec defines the spec for unmanaged cluster

WindowsProfile

(Appears on: AKSSpec)

WindowsProfile is the configuration for Windows VMs

FieldDescription
adminPassword
string

AdminPassword is the admin password for Windows VMs

adminUsername
string

AdminUsername is the admin username for Windows VMs

config.appvia.io/v1alpha1

Package v1alpha1 contains API Schema definitions for the config v1alpha1 API group

Resource Types:

CloudMetaService

CloudMetaService represents an import of cloud metadata into Wayfinder

FieldDescription
apiVersion
string
config.appvia.io/v1alpha1
kind
string
CloudMetaService
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
CloudMetaServiceSpec
clouds
[]CloudMetaCloud

Clouds contains an array of clouds to pull metadata for

status
CloudMetaServiceStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

components
Components

Components is a set of underlying components if relevant

CostImport

CostImport represents an import of costs data into Wayfinder

FieldDescription
apiVersion
string
config.appvia.io/v1alpha1
kind
string
CostImport
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
CostImportSpec
cloud
string

Cloud defines which cloud this costs import is from

cloudAccount
CloudAccountReference

CloudAccount identifies which cloud account (organization or shared) should be used to pull costs data from. Must relate to the same cloud provider as specified in Cloud.

cloudCredential
CloudCredentialReference

CloudCredential specifies an optional custom credential to use for this integration, instead of using the default credentials for the CloudAccount.

frequencyMinutes
int

FrequencyMinutes describes how many minutes to leave between imports, e.g. 30 would import twice per hour. If greater than 60, should be a multiple of 60 (other values will be rounded to an integer number of hours, e.g. 90 will round to 120, 89 will round to 60).

daysHistory
int

DaysHistory determines how many days worth of historical data to consider each time this import is run

importZeroCostItems
bool

ImportZeroCostItems determines whether zero-costed line items in the cloud providers’ cost data are imported to Wayfinder or not.

providerDetails
CostImportProviderDetails

ProviderDetails provides the cloud-specific configuration details

status
CostImportStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

history
[]CostImportRun

History contains the recent history of runs of this cost import

Plan

Plan is the Schema for the plans API

FieldDescription
apiVersion
string
config.appvia.io/v1alpha1
kind
string
Plan
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
PlanSpec
kind
string

Resource refers to the resource type this is a plan for

labels
map[string]string

Labels is a collection of labels for this plan

description
string

Description provides a summary of the configuration provided by this plan

summary
string

Summary provides a short title summary for the plan

configuration
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON

Configuration are the key+value pairs describing a cluster configuration

status
PlanStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

Stage

Stage is the Schema for the stages API

FieldDescription
apiVersion
string
config.appvia.io/v1alpha1
kind
string
Stage
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
StageSpec
displayName
string

DisplayName provides a user-friendly name for the stage

description
string

Description provides a summary of this stage

status
StageStatus
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

AWSCostImportParameters

(Appears on: CostImportProviderDetails)

AWSCostImportParameters provides the specific parameters for AWS

FieldDescription
s3Region
string

S3Region is the region in which to store cost and usage data in S3. Will use the default region from the cloud account if this is unspecified.

costUsageBucket
string

CostUsageBucket is the name of an S3 bucket in which Wayfinder can find existing cost and usage reports to read. Leave blank to have Wayfinder self-configure with a new bucket as needed.

costUsageS3Prefix
string

CostUsageS3Prefix is the location within the CostUsageBucket where Wayfinder will find the cost reports. Will be ignored unless CostUsageBucket is specified.

costUsageReport
string

CostUsageReport is the name of the cost usage report to use.

AzureCostImportParameters

(Appears on: CostImportProviderDetails)

AzureCostImportParameters provides the specific parameters for Azure

FieldDescription
importType
AzureCostImportType

ImportType dictates what scope we’re going to import Azure costs for.

This must match the type of Cloud Account referenced by this costs import:

For BillingAccount the Cloud Account must be an Azure organization with AgreementType of EA or MCA and the BillingAccount populated.

For EAEnrollmentAccount the Cloud Account must be an Azure organization with AgreementType of EA and the EnrollmentAccount populated.

For MCAInvoiceSection the Cloud Account must be an Azure organization with AgreementType of MCA and the BillingAccount, BillingProfile and InvoiceSection populated.

AzureCostImportType (string)

(Appears on: AzureCostImportParameters)

AzureCostImportType is the scope level to import Azure costs for

ValueDescription

"BillingAccount"

AzureCostImportBillingAccount is to import costs for a full billing account

"EAEnrollmentAccount"

AzureCostImportEAEnrollmentAccount is to import costs for an Enterprise Agreement Enrollment Account

"MCAInvoiceSection"

AzureCostImportMCAInvoiceSection is to import costs for an MCA invoice section

"Subscription"

AzureCostImportSubscription is to import costs for a single subscription

CloudMetaCloud

(Appears on: CloudMetaServiceSpec)

FieldDescription
cloud
string

Cloud defines which cloud this will pull information for

cloudAccount
CloudAccountReference

CloudAccount defines the cloud account to use to pull metadata for this cloud

CloudMetaServiceSpec

(Appears on: CloudMetaService)

CloudMetaServiceSpec defines the specification of the cloud metadata import

FieldDescription
clouds
[]CloudMetaCloud

Clouds contains an array of clouds to pull metadata for

CloudMetaServiceStatus

(Appears on: CloudMetaService)

CloudMetaServiceStatus defines the status of this cloud meta import

FieldDescription
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

components
Components

Components is a set of underlying components if relevant

CostImportProvider (string)

(Appears on: CostImportProviderDetails)

CostImportProvider is which cloud provider these provider details are for

ValueDescription

"AWS"

"Azure"

"GCP"

CostImportProviderDetails

(Appears on: CostImportSpec)

CostImportProviderDetails provides parameters that are specific to a particular cloud

FieldDescription
type
CostImportProvider

Type is which cloud provider these provider details are for

gcp
GCPCostImportParameters
(Optional)

GCP holds parameters specific to importing GCP costs data. Present only if type is GCP.

aws
AWSCostImportParameters
(Optional)

AWS holds parameters specific to importing AWS costs data. Present only if type is AWS.

azure
AzureCostImportParameters
(Optional)

Azure holds parameters specific to importing Azure costs data. Present only if type is Azure.

CostImportRun

(Appears on: CostImportStatus)

CostImportRun represents the result of an execution of a cost import

FieldDescription
status
Status

Status indicates whether this import completed successfully (Success), is running (Pending) or failed (Failure)

time
Kubernetes meta/v1.Time

Time indicates when this import was executed - may be nil if the import has been scheduled but not yet started

log
string

Log contains the log (in JSON) of this import

CostImportSpec

(Appears on: CostImport)

CostImportSpec defines the specification of the cost import

FieldDescription
cloud
string

Cloud defines which cloud this costs import is from

cloudAccount
CloudAccountReference

CloudAccount identifies which cloud account (organization or shared) should be used to pull costs data from. Must relate to the same cloud provider as specified in Cloud.

cloudCredential
CloudCredentialReference

CloudCredential specifies an optional custom credential to use for this integration, instead of using the default credentials for the CloudAccount.

frequencyMinutes
int

FrequencyMinutes describes how many minutes to leave between imports, e.g. 30 would import twice per hour. If greater than 60, should be a multiple of 60 (other values will be rounded to an integer number of hours, e.g. 90 will round to 120, 89 will round to 60).

daysHistory
int

DaysHistory determines how many days worth of historical data to consider each time this import is run

importZeroCostItems
bool

ImportZeroCostItems determines whether zero-costed line items in the cloud providers’ cost data are imported to Wayfinder or not.

providerDetails
CostImportProviderDetails

ProviderDetails provides the cloud-specific configuration details

CostImportStatus

(Appears on: CostImport)

CostImportStatus defines the status of this costs integration

FieldDescription
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

history
[]CostImportRun

History contains the recent history of runs of this cost import

GCPCostImportParameters

(Appears on: CostImportProviderDetails)

GCPCostImportParameters provides the specific parameters for GCP

FieldDescription
billingAccount
string

BillingAccountName is the billing account we’re importing costs for. If unspecified, Wayfinder will use the Billing Account specified on the cloud account (if it’s of type Organization).

If neither of these are specified, this configuration will not be valid.

Example: ‘012345-567890-ABCDEF’

datasetProject
string

DatasetProject is the GCP project in which to find/create the BigQuery dataset. If unspecified Wayfinder will use the project from the referenced cloud account.

datasetRegion
string

DatasetRegion is the GCP region (or regional area) in which the BigQuery dataset should be created / accessed. If unspecified, Wayfinder will use the default region from the referenced cloud account.

Examples:

* EU (geo-dispersed across multiple EU GCP regions)
* US (geo-dispersed across multiple US GCP regions)
* europe-west2 (London)

datasetName
string

DatasetName is an optional custom name of the BigQuery dataset to query to retrieve costs data. If unspecified, Wayfinder will assume a dataset named wf-costs.

PlanSpec

(Appears on: Plan)

PlanSpec defines the desired state of Plan

FieldDescription
kind
string

Resource refers to the resource type this is a plan for

labels
map[string]string

Labels is a collection of labels for this plan

description
string

Description provides a summary of the configuration provided by this plan

summary
string

Summary provides a short title summary for the plan

configuration
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON

Configuration are the key+value pairs describing a cluster configuration

PlanStatus

(Appears on: Plan)

PlanStatus defines the observed state of Plan

FieldDescription
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

StageSpec

(Appears on: Stage)

StageSpec defines the desired state of Stage

FieldDescription
displayName
string

DisplayName provides a user-friendly name for the stage

description
string

Description provides a summary of this stage

StageStatus

(Appears on: Stage)

StageStatus defines the observed state of Stage

FieldDescription
CommonStatus
CommonStatus

(Members of CommonStatus are embedded into this type.)

core.appvia.io/v1alpha1

Package v1 contains the core api resources

Resource Types:

    ActionSelector

    ActionSelector is used to filter on the operation type

    FieldDescription
    verbs
    []string

    Allocatable

    Allocatable must be implemented by CRDs which are allocatable

    CommonStatus

    (Appears on: ExternalVPCStatus, SecurityGroupRuleStatus, CloudAccountClaimStatus, CloudAccountStatus, CloudCredentialStatus, WorkloadIdentityStatus, ClusterStatus, NamespaceClaimStatus, CloudMetaServiceStatus, CostImportStatus, PlanStatus, StageStatus, AssignableNetworkStatus, DNSZoneStatus, NetworkFabricStatus, PeeringRuleStatus, PeeringStatus, UserStatus, WorkspaceInvitationStatus, WorkspaceStatus, HelmReleaseStatus, HelmStatus, AssumePolicyStatus, PolicyPlanStatus, PolicyStatus)

    FieldDescription
    status
    Status

    Status is the overall status of the resource. This will shortly become required, hence no omit empty here.

    message
    string

    Message is a description of the current status

    detail
    string
    (Optional)

    Detail is any additional human-readable detail to understand the current status, for example, the full underlying error which caused an issue

    conditions
    Conditions

    Conditions represents the observations of the resource’s current state.

    lastReconcile
    LastReconcileStatus

    LastReconcile describes the generation and time of the last reconciliation

    lastSuccess
    LastReconcileStatus

    LastSuccess describes the generation and time of the last reconciliation which resulted in a Success status

    cloudResourcesCreated
    bool

    CloudResourcesCreated indicates that at some point, this resource has successfully created one or more cloud resources. This is used when deleting to decide whether to fail or ignore if a related cloud account is inaccessible.

    obsoleteResources
    ObsoleteResourceList

    ObsoleteResources contains a list of resources that are marked for deletion

    CommonStatusAware

    CommonStatusAware is implemented by any Wayfinder resource which has the standard Wayfinder common status implementation

    Component

    Component is the state of a component of the resource

    FieldDescription
    name
    string

    Name is the name of the component

    status
    Status

    Status is the status of the component

    message
    string

    Message is a human readable message on the status of the component

    detail
    string

    Detail is additional detail on the error, if any

    resource
    Ownership

    Resource is a reference to the resource

    Components ([]*github.com/appvia/wayfinder/pkg/apis/core/v1alpha1.Component)

    (Appears on: CloudMetaServiceStatus)

    Components is a collection of child components for a resource

    Condition

    (Appears on: PlanStatus)

    Condition is the current observed condition of some aspect of a resource

    FieldDescription
    type
    ConditionType

    Type of condition in CamelCase or in foo.example.com/CamelCase.

    Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)

    status
    Kubernetes meta/v1.ConditionStatus

    Status of the condition, one of True, False, Unknown.

    observedGeneration
    int64
    (Optional)

    ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    lastTransitionTime
    Kubernetes meta/v1.Time

    LastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    reason
    string

    Reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

    message
    string
    (Optional)

    Message is a human readable message indicating details about the transition. This may be an empty string.

    name
    string

    Name is a human-readable name for this condition.

    detail
    string
    (Optional)

    Detail is any additional human-readable detail to understand this condition, for example, the full underlying error which caused an issue

    negativePolarity
    bool
    (Optional)

    NegativePolarity indicates this is a ‘normal-false’ condition - i.e. the ‘normal’/‘successful’ status for this condition is metav1.ConditionFalse. This will be the case for conditions such as ‘OutOfMemory’.

    If unset/false, positive polarity can be assumed - i.e. that metav1.ConditionTrue indicates the ‘normal’/‘successful’ status. This will be the case for conditions such as ‘Deployed’

    ConditionSpec

    ConditionSpec describes the shape of a condition which will be populated onto the status

    FieldDescription
    Type
    ConditionType

    The PascalCase condition type, e.g. ServiceAvailable or InsufficientCapacity. See ConditionType for the rules on condition types.

    Name
    string

    Name is a human-readable name for this condition, used for UI and CLI reporting / explanation. If Name is empty, the Type will also be used as the Name.

    DefaultStatus
    Kubernetes meta/v1.ConditionStatus

    DefaultStatus is the default status - if unset, metav1.ConditionUnknown will be used.

    NegativePolarity
    bool

    NegativePolarity indicates this is a ‘normal-false’ condition - i.e. the ‘normal’/‘successful’ status for this condition is metav1.ConditionFalse. This will be the case for conditions such as ‘OutOfMemory’, ‘Degraded’.

    If unset/false, positive polarity will be assumed - i.e. that metav1.ConditionTrue indicates the ‘normal’/‘successful’ status. This will be the case for conditions such as ‘Deployed’ or ‘Available’.

    ConditionType (string)

    (Appears on: Condition, ConditionSpec)

    ConditionType defines a type of a condition in PascalCase or in foo.example.com/PascalCase

    Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)

    ValueDescription

    "Ready"

    ConditionReady describes the overall status of the resource. All Wayfinder resources should set ConditionReady

    Conditions ([]github.com/appvia/wayfinder/pkg/apis/core/v1alpha1.Condition)

    (Appears on: CommonStatus)

    ConfigurationFromSource

    FieldDescription
    path
    string

    Path is the JSON path of the configuration parameter. Examples: “field”, “map_field.value”, “array_field.0”, “array_field.0.value”. To append a value to an existing array: “array_field.-1”. To reference a numeric key on a map: “map_field.:123.value”.

    secretKeyRef
    OptionalSecretKeySelector

    SecretKeyRef is a reference to a key in a secret

    LastReconcileStatus

    (Appears on: CommonStatus)

    FieldDescription
    time
    Kubernetes meta/v1.Time

    Time is the last time the resource was reconciled

    generation
    int64

    Generation is the generation reconciled on the last reconciliation

    Object

    Object is the standard interface implemented by Wayfinder CRDs

    ObsoleteResource

    ObsoleteResource is a resource that is marked for deletion

    FieldDescription
    kind
    obsoleteResourceKind

    Kind is the kind of the resource, eg. IAMRole

    name
    string

    Name is the name of the resource, eg. my-iam-role

    OptionalSecretKeySelector

    (Appears on: ConfigurationFromSource)

    FieldDescription
    SecretKeySelector
    SecretKeySelector

    (Members of SecretKeySelector are embedded into this type.)

    optional
    bool

    Optional controls whether the secret with the given key must exist

    Ownership

    (Appears on: ExternalVPCSpec, SecurityGroupRuleSpec, CloudAccountStatus, WorkloadIdentitySpec, NamespaceClaimSpec, Networking, Component, DNSZoneSpec, FirewallSpec, PeeringSpec, HelmReleaseSpec, ResourceValuesFrom, InputConstraint, RobotStatus, SecurityResourceOverview, SecurityScanResultSpec)

    Ownership indicates the ownership of a resource

    FieldDescription
    group
    string

    Group is the api group

    version
    string

    Version is the group version

    kind
    string

    Kind is the name of the resource under the group

    namespace
    string

    Namespace is the location of the object

    name
    string

    Name is name of the resource

    ResourceAllocation

    (Appears on: CloudAccountSpec, OrgUserRole, PlanSpec, DNSZoneSpec, PeeringRuleFilters)

    ResourceAllocation describes who is allowed to use a resource across workspace boundaries.

    FieldDescription
    type
    ResourceAllocationType

    Type controls which workspaces can use this resource. If ‘none’, this resource cannot be used by workspaces other than the one the resource exists in. ‘all’ allows it to be used by all workspaces, and ‘workspaces’ indicates it can be used by the workspaces listed in the workspaces property.

    workspaces
    WorkspaceKeys

    Workspaces indicates which workspaces can use this resource. Ignored unless type is set to ‘workspaces’.

    ResourceAllocationType (string)

    (Appears on: ResourceAllocation)

    ResourceAllocationType represents the possible types of resource allocation

    ValueDescription

    "all"

    ResourceAllocationAll indicates that the resource can be used by all workspaces

    "none"

    ResourceAllocationNone indicates that the resource can only be used by the workspace that owns it

    "workspaces"

    ResourceAllocationWorkspaces indicates that the resource can be used by a specified set of workspaces

    ResourceSelector

    (Appears on: Selector)

    ResourceSelector is a resource selector

    FieldDescription
    nonResourceURLs
    []string

    NonResourceURLs are URLs which do not map to resources but require some level of policy control

    groups
    []string

    Groups is a collection of API groups to filter on

    resources
    []string

    Resources is a collection of resources under those groups

    subresources
    []string

    SubResources is a collection of subresources under the resource type. Deprecated field, please use resource/subresource format

    resourceNames
    []string

    ResourceNames is a collection of resource names

    labels
    map[string]string

    Labels is a collection of labels to filter the resource by

    verbs
    []string

    Verbs are actions on the resources themselves

    SecretKeySelector

    (Appears on: OptionalSecretKeySelector)

    FieldDescription
    name
    string

    Name is the name of the secret

    namespace
    string

    Namespace is the namespace of the secret

    key
    string

    Key is the data key in the secret

    Status (string)

    (Appears on: CloudAccountUserRoleStatus, PlanStatus, CostImportRun, CommonStatus, Component, RobotStatus)

    Status is the status of a thing

    ValueDescription

    "ActionRequired"

    ActionRequiredStatus indicates that user action is required to remediate the current state of a resource, e.g. a spec value is wrong or some external action needs to be taken

    "Creating"

    CreatingStatus indicates we are creating a resource

    "DeleteError"

    DeleteErrorStatus indicates an error has occurred while attempting to delete the resource

    "DeleteFailed"

    DeleteFailedStatus indicates that deleting the entity failed

    "Deleted"

    DeletedStatus indicates a deleted entity

    "Deleting"

    DeletingStatus indicates we are deleting the resource

    ""

    EmptyStatus indicates an empty status

    "Error"

    ErrorStatus indicates that a recoverable error happened

    "Failure"

    FailureStatus indicates the resource has failed for one or more reasons

    "Pending"

    PendingStatus indicates we are waiting

    "Success"

    SuccessStatus is a successful resource

    "Unknown"

    Unknown is an unknown status

    "Updating"

    UpdatingStatus indicates we are updating a resource

    "Warning"

    WarningStatus indicates a warning

    SubjectSelector

    (Appears on: Selector)

    SubjectSelector is used to filter down in the caller

    FieldDescription
    subjects
    []string

    Subjects is a collection of subjects / usernames to filter on

    roles
    []string

    Roles is a collection of roles the user has access to

    groups
    []string

    Groups is a collection of groups the user is a member of

    scopes
    []string

    Scopes is a collection of scopes for the identity

    WorkspaceKey (string)

    (Appears on: WorkspaceCostSummary, AuditEventSpec, WorkspaceInvitationSpec, WorkspaceSpec, SecurityOverviewSpec)

    WorkspaceKey is the unique identifier for a workspace in Wayfinder. Use .Namespace() to convert to the right name for the workspace’s namespace in the management cluster.

    ValueDescription

    "admin"

    AdminWorkspace is the workspace where platform administrative resources live. IMPORTANT: if this value is changed, ensure that ui/lib/utils/workspaces.ts is also updated.

    WorkspaceKeys ([]github.com/appvia/wayfinder/pkg/apis/core/v1alpha1.WorkspaceKey)

    (Appears on: ResourceAllocation)

    WorkspaceKeys is a set of workspace keys

    costs.appvia.io/v1alpha1

    Package v1alpha1 contains API Schema definitions for the cost v1alpha1 API group

    Resource Types:

      Account

      Account represents an account

      FieldDescription
      workspaceIdentifier
      string

      WorkspaceIdentifier is the unique identifier for the workspace that owns this asset

      assetIdentifier
      string

      AssetIdentifier is the unique identifier for this asset

      name
      string

      Name is the name of the resource in wayfinder, for reference

      provider
      string

      Provider is the cloud provider who provides this resource

      account
      string

      Account is the identifier for this account in the provider

      Asset

      Asset represents a resource known to Wayfinder which a cost provider should provide costs data for

      FieldDescription
      tags
      map[string]string

      Tags are a set of tags which can be used to identify this asset

      workspaceIdentifier
      string

      WorkspaceIdentifier is the unique identifier for the workspace that owns this asset

      assetIdentifier
      string

      AssetIdentifier is the unique identifier for this asset

      name
      string

      Name is the name of the resource in wayfinder, for reference

      provider
      string

      Provider is the cloud provider who provides this resource

      AssetCost

      AssetCost defines the details about a cost related to a piece of infrastructure deployed by Wayfinder for a workspace. It is expected that any asset may have multiple AssetCosts covering a specific time period to represent the different charges levied by the provider for that piece of infrastructure.

      FieldDescription
      costIdentifier
      string

      CostIdentifier is the unique identifier for this line of cost data - cost providers must ensure that if a cost line item is updated, it has the same identifier, and that different line items have unique cost identifiers for a given AssetIdentifier. If a cost provider provides immutable cost entries, i.e. they will never be updated, then this can be left blank and Wayfinder will assign a unique identifier.

      assetIdentifier
      string

      AssetIdentifier is the unique identifier assigned to the resource this cost applies to, e.g. the unique cluster ID, etc.

      workspaceIdentifier
      string

      WorkspaceIdentifier is the unique identifier for the workspace this resource belongs to.

      cost
      int64

      Cost is the actual incurred total cost for this piece of infrastructure for the specified time period, in microdollars

      usageStartTime
      Kubernetes meta/v1.Time

      UsageStartTime indicates the start of the period this cost is applicable for

      usageEndTime
      Kubernetes meta/v1.Time

      UsageEndTime indicates the end of the period this cost is applicable for

      usageType
      string

      UsageType is the provider-specific code or title for this type of usage (e.g. a SKU or similar)

      description
      string

      Description identifies the type of cost this line item refers to

      usageAmount
      string

      UsageAmount is the quantity of the resource used (e.g. amount of storage)

      usageUnit
      string

      UsageUnit is the unit that UsageAmount is expressed in (e.g. seconds, gibibytes, etc)

      provider
      string

      Provider indicates which cloud provider this cost relates to

      account
      string

      Account indicates which account / project / subscription this cost relates to

      invoice
      string

      Invoice is the invoice on which this cost was billed (in the format YYYYMM, e.g. 202008 for August 2020)

      retrievedAt
      Kubernetes meta/v1.Time

      RetrievedAt is the time at which this cost item was retrieved/refreshed from the provider

      AssetCostSummary

      AssetCostSummary represents the total cost known to wayfinder for an asset (over a period of time)

      FieldDescription
      assetIdentifier
      string

      AssetIdentifier is the unique identifier assigned to the resource this cost applies to, e.g. the unique cluster ID, etc.

      workspaceIdentifier
      string

      WorkspaceIdentifier is the unique identifier for the workspace this resource belongs to.

      assetName
      string

      AssetName is the name of the asset these costs relate to

      assetType
      string

      AssetType is the type of the asset these costs relate to

      provider
      string

      Provider is the cloud provider who provides this asset

      details
      []*github.com/appvia/wayfinder/pkg/apis/costs/v1alpha1.AssetCost

      Details provides the individual cost line items that make up this summary

      CostSummary
      CostSummary

      Continent

      Continent is a geographical grouping of regions

      FieldDescription
      name
      string
      regions
      []Region

      CostEstimate

      CostEstimate defines the result of the cost estimation

      FieldDescription
      minCost
      int64

      MinCost is the minimum hourly cost estimate in microdollars

      typicalCost
      int64

      TypicalCost is the expected / likely hourly cost estimate in microdollars

      maxCost
      int64

      MaxCost is the estimated upper limit of the hourly cost in microdollars

      costElements
      []CostEstimateElement

      CostElements provides details of the different components which make up this cost estimate

      preparedAt
      Kubernetes meta/v1.Time

      PreparedAt indicates the time this estimate was prepared

      CostEstimateElement

      (Appears on: CostEstimate)

      CostEstimateElement represents a logical component which has an associated cost

      FieldDescription
      name
      string

      Name is the name of this component

      minCost
      int64

      MinCost is the minimum hourly cost estimate of this component in microdollars

      typicalCost
      int64

      TypicalCost is the expected / likely hourly cost estimate of this component in microdollars

      maxCost
      int64

      MaxCost is the estimated upper limit of the hourly cost of this component in microdollars

      CostSummary

      (Appears on: AssetCostSummary, OverallCostSummary, WorkspaceCostSummary)

      CostSummary represents a total cost over a period of time

      FieldDescription
      cost
      int64

      Cost is the actual total cost incurred for the specified time period, in microdollars

      usageStartTime
      Kubernetes meta/v1.Time

      StartTime indicates the start of the period this summary includes costs for

      usageEndTime
      Kubernetes meta/v1.Time

      EndTime indicates the end of the period this summary includes costs for

      InstanceType

      InstanceType is an available compute type from a cloud provider

      FieldDescription
      category
      string

      Category is the classification of this instance type

      name
      string

      Name is the unique identifier of this instance type

      prices
      map[github.com/appvia/wayfinder/pkg/apis/costs/v1alpha1.PriceType]int64

      Prices gives the price of this instance type in microdollars per hour for the given price type

      mCpus
      int64

      MCpus is the number of milliCPUs assigned to this instance type

      mem
      int64

      Mem is the amount of memory, expressed in milli-GiBs, assigned to this instance type

      OverallCostSummary

      OverallCostSummary represents the total costs known to wayfinder over a period of time, and acts as a container for WorkspaceCostSummaries

      PriceType (string)

      PriceType is the possible types of prices for cloud infrastructure

      ValueDescription

      "OnDemand"

      PriceTypeOnDemand is the normal ‘rack’ price for a piece of infrastructure

      "PreEmptible"

      PriceTypePreEmptible is the fixed discounted price which you can use a piece of infrastructure for subject to availability and early termination

      "Spot"

      PriceTypeSpot is the variable price which you may be able to use a piece of infrastructure for

      Region

      (Appears on: Continent)

      Region is a specific cloud provider region

      FieldDescription
      id
      string
      name
      string

      WorkspaceCostSummary

      WorkspaceCostSummary represents the total cost known to wayfinder for a workspace (over a period of time)

      FieldDescription
      workspaceIdentifier
      string

      WorkspaceIdentifier is the unique identifier for the workspace these costs belong to.

      workspace
      WorkspaceKey

      Workspace is the key of the workspace that these costs belong to

      assetCosts
      []*github.com/appvia/wayfinder/pkg/apis/costs/v1alpha1.AssetCostSummary

      AssetCosts gives the detail of the assets which make up this workspace cost

      CostSummary
      CostSummary

      networking.appvia.io/v1alpha1

      Package v1alpha1 contains API Schema definitions for the compute v1alpha1 API group

      Resource Types:

      AssignableNetwork

      AssignableNetwork is the definition for an assignable network range

      FieldDescription
      apiVersion
      string
      networking.appvia.io/v1alpha1
      kind
      string
      AssignableNetwork
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      AssignableNetworkSpec
      provider
      string

      Provider is the provider the range is assigned to

      excludeWorkspaces
      []string

      ExcludeWorkspaces is a collection of workspaces which are excluded from the requirement.

      includeWorkspaces
      []string

      IncludeWorkspaces is a collection of workspaces which are included as part of the rule. If specified, the requirement is only applied to those workspaces; by default we treat this as a wildcard matching all workspaces

      networks
      []*github.com/appvia/wayfinder/pkg/apis/networking/v1alpha1.AssignableNetworkRange

      Networks is a collection of network assignments for a particular provider

      plans
      []string

      Plans is an optional list of plans to associate the range with

      status
      AssignableNetworkStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      DNSZone

      DNSZone represents a DNS zone in a specific cloud provider DNS implementation cloud account

      FieldDescription
      apiVersion
      string
      networking.appvia.io/v1alpha1
      kind
      string
      DNSZone
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      DNSZoneSpec
      provider
      string

      Provider defines which DNS provider to use to create this zone

      cloudAccountRef
      CloudAccountReference

      CloudAccountRef is a reference to the cloud account that should be used to create the DNS zone. This may not be required for all DNS providers.

      parentZone
      DNSZoneRef

      ParentZone should be set to make this zone a child of another zone managed by Wayfinder. Setting this allows Wayfinder to automatically manage the delegation of this zone.

      domain
      string

      Domain is the domain name that this zone will represent

      private
      bool

      Private indicates that this is a private DNS zone, if applicable for the provider

      network
      Ownership

      Network should be specified if private is true to indicate what network this private DNS zone should be provisioned with. Ignored if Private is false/unspecified.

      providerDetails
      DNSZoneProviderDetails

      ProviderDetails provides additional fields which can be used for DNS-provider specific data needed to provision this zone

      cloudResourceName
      string

      CloudResourceName specifies the name of the DNS zone in the DNS provider. Can be left blank so that the name is derived from the resource name

      unmanaged
      bool

      Unmanaged should be set to true to indicate that this zone should not be built or deleted by Wayfinder, but should be verified to exist in the specified DNS provider and, thus, will be usable as a parent zone.

      Ensure CloudResourceName is also set if this provider requires a name (other than the domain) to find this unmanaged zone, e.g. GCP’s ‘Zone name’.

      availableToClusters
      DNSZoneClusterAvailability

      AvailableToClusters allows this zone, or automatically-created child zones of it, to be made available automatically in the targeted clusters, with ExternalDNS deployed and configured.

      Leave unspecified to not make this zone available in any clusters.

      For a GlobalDNSZone, this provides DNS in any workspace (subject to the label selectors you define and the allocation specified in the Allocation field).

      For a DNSZone, this will only provide DNS for clusters in the same workspace the zone is created in.

      manualChildZoneCreation
      bool

      ManualChildZoneCreation defines whether workspaces should be able to manually provision child DNS zones within a cluster

      Leave unspecified to prevent the manual creation in clusters.

      allocation
      ResourceAllocation

      Allocation defines which workspaces can create child zones from this DNS zone. Only applicable to GlobalDNSZones. This must be set for AutoProvisionChildZones to have any effect.

      status
      DNSZoneStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      nameservers
      []string

      Nameservers are the authoritative nameservers that are required to be set for this zone.

      delegated
      bool

      Delegated indicates this zone has been correctly delegated

      zoneID
      string

      ZoneID contains a DNS-provider specific reference to the zone created for this resource

      FirewallRules

      FieldDescription
      apiVersion
      string
      networking.appvia.io/v1alpha1
      kind
      string
      FirewallRules
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      FirewallSpec
      networkRef
      Ownership

      NetworkRef is a reference to the network associated with the firewall.

      rules
      []FirewallRule

      Rules is a list of firewall rules.

      status
      FirewallStatus

      GlobalDNSZone

      GlobalDNSZone represents a DNS zone in a specific cloud provider DNS implementation cloud account, available system-wide

      FieldDescription
      apiVersion
      string
      networking.appvia.io/v1alpha1
      kind
      string
      GlobalDNSZone
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      DNSZoneSpec
      provider
      string

      Provider defines which DNS provider to use to create this zone

      cloudAccountRef
      CloudAccountReference

      CloudAccountRef is a reference to the cloud account that should be used to create the DNS zone. This may not be required for all DNS providers.

      parentZone
      DNSZoneRef

      ParentZone should be set to make this zone a child of another zone managed by Wayfinder. Setting this allows Wayfinder to automatically manage the delegation of this zone.

      domain
      string

      Domain is the domain name that this zone will represent

      private
      bool

      Private indicates that this is a private DNS zone, if applicable for the provider

      network
      Ownership

      Network should be specified if private is true to indicate what network this private DNS zone should be provisioned with. Ignored if Private is false/unspecified.

      providerDetails
      DNSZoneProviderDetails

      ProviderDetails provides additional fields which can be used for DNS-provider specific data needed to provision this zone

      cloudResourceName
      string

      CloudResourceName specifies the name of the DNS zone in the DNS provider. Can be left blank so that the name is derived from the resource name

      unmanaged
      bool

      Unmanaged should be set to true to indicate that this zone should not be built or deleted by Wayfinder, but should be verified to exist in the specified DNS provider and, thus, will be usable as a parent zone.

      Ensure CloudResourceName is also set if this provider requires a name (other than the domain) to find this unmanaged zone, e.g. GCP’s ‘Zone name’.

      availableToClusters
      DNSZoneClusterAvailability

      AvailableToClusters allows this zone, or automatically-created child zones of it, to be made available automatically in the targeted clusters, with ExternalDNS deployed and configured.

      Leave unspecified to not make this zone available in any clusters.

      For a GlobalDNSZone, this provides DNS in any workspace (subject to the label selectors you define and the allocation specified in the Allocation field).

      For a DNSZone, this will only provide DNS for clusters in the same workspace the zone is created in.

      manualChildZoneCreation
      bool

      ManualChildZoneCreation defines whether workspaces should be able to manually provision child DNS zones within a cluster

      Leave unspecified to prevent the manual creation in clusters.

      allocation
      ResourceAllocation

      Allocation defines which workspaces can create child zones from this DNS zone. Only applicable to GlobalDNSZones. This must be set for AutoProvisionChildZones to have any effect.

      status
      DNSZoneStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      nameservers
      []string

      Nameservers are the authoritative nameservers that are required to be set for this zone.

      delegated
      bool

      Delegated indicates this zone has been correctly delegated

      zoneID
      string

      ZoneID contains a DNS-provider specific reference to the zone created for this resource

      NetworkFabric

      NetworkFabric is the schema for NetworkFabric

      FieldDescription
      apiVersion
      string
      networking.appvia.io/v1alpha1
      kind
      string
      NetworkFabric
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      NetworkFabricSpec
      layout
      NetworkFabricLayout

      Layout refers to the layout of the network. It controls whether the various parts - subnets, routes, etc. - are set up manually (i.e. specified in the spec) or automatically (i.e. generated by the provider).

      cloudAccountRef
      CloudAccountReference

      CloudAccountRef is a reference to the cloud account that should be used to create the network.

      ipv4
      NetworkFabricIPv4

      IPv4 contains the IPv4 configuration associated with the network.

      location
      string

      Location is the region the network should be created in.
      [AWS] Region
      [GCP] Networks do not have an associated region, so this will be set to “global”
      [Azure] Region

      name
      string

      Name is used to identify the network object in the cloud provider.
      [AWS] Names are not supported, so this is a “Name” tag on the VPC
      [GCP] Name of the Network
      [Azure] Name of the Virtual Network (VNet)

      plan
      string

      Plan currently refers to a pre-defined “flavour” of network, which is not configurable by the caller. For example, when .Spec.Layout.Mode="auto" and this is set to “EKS”, a network suitable for use by EKS will be generated automatically, with minimal input from the caller.

      In future, when “plans” in their traditional sense are supported for NetworkFabrics, this will refer to the original plan that the network was created from.

      provider
      string

      Provider refers to the cloud provider.

      providerDetails
      ProviderDetails

      ProviderDetails defines cloud-specific network options

      private
      NetworkFabricPrivateOptions

      Private are options related to private networking

      routes
      []NetworkFabricRoute

      Routes is the list of routes within the network. Mode must be set to “manual” for this field to be valid.

      stage
      string

      Stage is the name of the stage for the network.

      subnets
      []NetworkFabricSubnet

      Subnets is the list of subnets within the network. Mode must be set to “manual” for this field to be valid.

      tags
      map[string]string

      Tags is a collection of tags to apply to the resources associated with the network, if applicable.

      status
      NetworkFabricStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      cloudAccount
      CloudAccountReference

      CloudAccountRef is a reference to the cloud account to use to retrieve credentials for this network. Will be populated if the spec specifies a CloudAccount as the credential object.

      aws
      NetworkFabricStatusAWS

      AWS contains the AWS-specific state for the network

      azure
      NetworkFabricStatusAzure

      Azure contains the Azure-specific state for the network

      gcp
      NetworkFabricStatusGCP

      GCP contains the GCP-specific state for the network

      Peering

      Peering is a tracking resource which is used to create a connection between the source network and an external network

      FieldDescription
      apiVersion
      string
      networking.appvia.io/v1alpha1
      kind
      string
      Peering
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      PeeringSpec
      cloudAccount
      CloudAccountReference

      CloudAccount provides an optional reference to a cloudaccount which has the permission to carry out the tasks required to fulfil peering or gateway attachments

      connection
      PeeringRuleConnection

      Connection provides the policy details around how the peering should be achieved

      networkRef
      Ownership

      NetworkRef is the network which we are creating a connection from

      status
      PeeringStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      peeringID
      string

      PeeringID is the cloud agnostic peering identifier

      PeeringRule

      PeeringRule provides a policy definition for peering

      FieldDescription
      apiVersion
      string
      networking.appvia.io/v1alpha1
      kind
      string
      PeeringRule
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      PeeringRuleSpec
      cloudAccount
      CloudAccountReference

      CloudAccount provides an optional reference to a cloudaccount which has the permission to carry out the tasks required to fulfil peering or gateway attachments

      connection
      PeeringRuleConnection

      Connection provides the policy details around how the peering should be achieved

      filters
      PeeringRuleFilters

      Filters provides the ability to apply a collection of filters that determine whom the peering policy should apply to

      status
      PeeringRuleStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      connectionID
      string

      ConnectionID is the ID of the peering or gateway attachment which has been created

      AWSDNSZoneParameters

      (Appears on: DNSZoneProviderDetails)

      AWSDNSZoneParameters is the parameters for an AWS DNS zone

      AssignableNetworkRange

      AssignableNetworkRange defines an assignable network range

      FieldDescription
      defaultMask
      int

      DefaultMask is the default block to assign from the range

      min
      int

      Min is the smaller network mask a block can be assigned from - else we default to the default mask

      max
      int

      Max is the maximum block size from the range

      range
      string

      Range is the CIDR range of the network

      type
      AssignableNetworkType

      Type is the network type being defined - i.e. pods, clusters, services or node

      AssignableNetworkSpec

      (Appears on: AssignableNetwork)

      AssignableNetworkSpec defines the definitions for network ranges

      FieldDescription
      provider
      string

      Provider is the provider the range is assigned to

      excludeWorkspaces
      []string

      ExcludeWorkspaces is a collection of workspaces which are excluded from the requirement.

      includeWorkspaces
      []string

      IncludeWorkspaces is a collection of workspaces which are included as part of the rule. If specified, the requirement is only applied to those workspaces; by default we treat this as a wildcard matching all workspaces

      networks
      []*github.com/appvia/wayfinder/pkg/apis/networking/v1alpha1.AssignableNetworkRange

      Networks is a collection of network assignments for a particular provider

      plans
      []string

      Plans is an optional list of plans to associate the range with

      AssignableNetworkStatus

      (Appears on: AssignableNetwork)

      AssignableNetworkStatus defines the observed state of status on a policy

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      AssignableNetworkType (string)

      (Appears on: AssignableNetworkRange)

      AssignableNetworkType represents the network type of an assignable network

      ValueDescription

      "node"

      NodeNetwork defines node network - the range provided to the pools

      "pod"

      PodsNetwork defines the range for pods

      "service"

      ServicesNetwork defines the service / cluster range

      AzureDNSZoneParameters

      (Appears on: DNSZoneProviderDetails)

      AzureDNSZoneParameters is the parameters for an Azure DNS zone

      FieldDescription
      resourceGroup
      string

      ResourceGroup identifies an existing resource group in which to place this DNS zone. If this is unpopulated, a new resource group will be created for the zone.

      DNSZoneClusterAvailability

      (Appears on: DNSZoneSpec)

      FieldDescription
      mode
      DNSZoneClusterAvailabilityMode

      Mode defines how this zone will be made available in the targeted clusters. If ‘direct’, this zone will be directly available in the targeted clusters using External DNS. If ‘createChildZone’, child zones of this zone will be automatically created and made available in the targeted clusters, using the CustomNamingRule if specified.

      For ‘direct’ mode, the zone can only be made available in clusters of the relevant type for the provider of the DNS zone (e.g. AWS Route 53 zones can be made available directly in AWS EKS clusters). This restriction does not apply for ‘createChildZone’ mode.

      selectors
      Kubernetes meta/v1.LabelSelector

      Selectors define which clusters the zone should be available in

      customNamingRule
      string

      CustomNamingRule defines a non-default naming pattern for the child zone. You can use the following as placeholders in a custom rule:

      {workspace} The key of the workspace that owns the cluster
      {clustername} The metadata name of the cluster
      {stage} The stage the cluster is in

      If unspecified, the default {workspace}-{clustername} will be used.

      If you choose a custom naming rule, be careful to ensure that multiple clusters don’t create overlapping ingress names within the same DNS zone.

      This is not valid for mode ‘direct’
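
      A pre-flight check for the overlap warning above, as an added example (not Wayfinder's own code): it expands a customNamingRule for a constructed set of clusters and reports every child-zone name that more than one cluster would receive. The Cluster type, the function names, the lower-casing and the DNS-label validation are assumptions of this example; only the three placeholders and the default rule come from this page.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Cluster carries the three values the placeholders refer to.
// Hypothetical type for this example; not a Wayfinder API type.
type Cluster struct {
	Workspace string // {workspace}: key of the owning workspace
	Name      string // {clustername}: metadata name of the cluster
	Stage     string // {stage}: stage the cluster is in
}

// defaultNamingRule is the default stated in the customNamingRule description.
const defaultNamingRule = "{workspace}-{clustername}"

// validDNSLabel reports whether s is a usable DNS label: 1-63 characters
// of a-z, 0-9 or '-', not starting or ending with '-'.
func validDNSLabel(s string) bool {
	if len(s) == 0 || len(s) > 63 || s[0] == '-' || s[len(s)-1] == '-' {
		return false
	}
	for _, r := range s {
		if !((r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '-') {
			return false
		}
	}
	return true
}

// RenderChildZoneName expands rule for one cluster. An empty rule means the
// default. Placeholders other than the three documented ones are rejected
// (assumed behaviour) rather than passed through into a DNS name.
func RenderChildZoneName(rule string, c Cluster) (string, error) {
	if rule == "" {
		rule = defaultNamingRule
	}
	name := strings.ToLower(strings.NewReplacer(
		"{workspace}", c.Workspace,
		"{clustername}", c.Name,
		"{stage}", c.Stage,
	).Replace(rule))
	if strings.ContainsAny(name, "{}") {
		return "", fmt.Errorf("rule %q has an unknown placeholder", rule)
	}
	for _, label := range strings.Split(name, ".") {
		if !validDNSLabel(label) {
			return "", fmt.Errorf("rule %q yields invalid DNS label %q", rule, label)
		}
	}
	return name, nil
}

// FindCollisions returns every rendered name shared by two or more clusters,
// mapped to the sorted "workspace/clustername" identifiers that share it.
func FindCollisions(rule string, clusters []Cluster) (map[string][]string, error) {
	owners := map[string][]string{}
	for _, c := range clusters {
		name, err := RenderChildZoneName(rule, c)
		if err != nil {
			return nil, err
		}
		owners[name] = append(owners[name], c.Workspace+"/"+c.Name)
	}
	for name, who := range owners {
		if len(who) < 2 {
			delete(owners, name) // unique name, nothing to report
			continue
		}
		sort.Strings(who)
	}
	return owners, nil
}

// sampleClusters is constructed data: two workspaces each run a cluster
// called "web" in the "prod" stage.
func sampleClusters() []Cluster {
	return []Cluster{
		{Workspace: "pay", Name: "web", Stage: "prod"},
		{Workspace: "shop", Name: "web", Stage: "prod"},
		{Workspace: "shop", Name: "api", Stage: "dev"},
	}
}

func main() {
	for _, rule := range []string{"", "{clustername}-{stage}", "{stage}"} {
		collisions, err := FindCollisions(rule, sampleClusters())
		fmt.Printf("rule %q -> collisions %v (err: %v)\n", rule, collisions, err)
	}
}
```

      Any rule that omits {workspace} can give clusters in different workspaces the same child zone name, which is the overlap the description warns about.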

      DNSZoneClusterAvailabilityMode (string)

      (Appears on: DNSZoneClusterAvailability)

      DNSZoneClusterAvailabilityMode are the ways a DNS zone can be made available to clusters

      ValueDescription

      "createChildZone"

      DNSZoneClusterAvailabilityModeCreateChildZone will auto-provision child zones of this zone dedicated to each targeted cluster

      "direct"

      DNSZoneClusterAvailabilityModeDirect will make the zone directly available in the targeted clusters

      DNSZoneProviderDetails

      (Appears on: DNSZoneSpec)

      DNSZoneProviderDetails provides parameters that are specific to a particular type of DNS zone

      FieldDescription
      type
      DNSZoneType
      aws
      AWSDNSZoneParameters
      (Optional)

      AWS holds parameters specific to an AWS DNS zone. Present only if type is AWS.

      gcp
      GCPDNSZoneParameters
      (Optional)

      GCP holds parameters specific to a GCP DNS zone. Present only if type is GCP.

      azure
      AzureDNSZoneParameters
      (Optional)

      Azure holds parameters specific to an Azure DNS zone. Present only if type is Azure.

      DNSZoneRef

      (Appears on: DNSZoneSpec)

      FieldDescription
      namespace
      string

      Namespace which contains the DNSZone, leave empty if this is a reference to a GlobalDNSZone

      name
      string

      Name of the DNSZone or GlobalDNSZone

      DNSZoneSpec

      (Appears on: DNSZone, GlobalDNSZone)

      DNSZoneSpec defines the specification of a DNS zone which should be provisioned

      FieldDescription
      provider
      string

      Provider defines which DNS provider to use to create this zone

      cloudAccountRef
      CloudAccountReference

      CloudAccountRef is a reference to the cloud account that should be used to create the DNS zone. This may not be required for all DNS providers.

      parentZone
      DNSZoneRef

      ParentZone should be set to make this zone a child of another zone managed by Wayfinder. Setting this allows Wayfinder to automatically manage the delegation of this zone.

      domain
      string

      Domain is the domain name that this zone will represent

      private
      bool

      Private indicates that this is a private DNS zone, if applicable for the provider

      network
      Ownership

      Network should be specified if private is true to indicate what network this private DNS zone should be provisioned with. Ignored if Private is false/unspecified.

      providerDetails
      DNSZoneProviderDetails

      ProviderDetails provides additional fields which can be used for DNS-provider specific data needed to provision this zone

      cloudResourceName
      string

      CloudResourceName specifies the name of the DNS zone in the DNS provider. Can be left blank so that the name is derived from the resource name

      unmanaged
      bool

      Unmanaged should be set to true to indicate that this zone should not be built or deleted by Wayfinder, but should be verified to exist in the specified DNS provider and, thus, will be usable as a parent zone.

      Ensure CloudResourceName is also set if this provider requires a name (other than the domain) to find this unmanaged zone, e.g. GCP’s ‘Zone name’.

      availableToClusters
      DNSZoneClusterAvailability

      AvailableToClusters allows this zone, or automatically-created child zones of it, to be made available automatically in the targeted clusters, with ExternalDNS deployed and configured.

      Leave unspecified to not make this zone available in any clusters.

      For a GlobalDNSZone, this provides DNS in any workspace (subject to the label selectors you define and the allocation specified in the Allocation field).

      For a DNSZone, this will only provide DNS for clusters in the same workspace the zone is created in.

      manualChildZoneCreation
      bool

      ManualChildZoneCreation defines whether workspaces should be able to manually provision child DNS zones within a cluster

      Leave unspecified to prevent the manual creation in clusters.

      allocation
      ResourceAllocation

      Allocation defines which workspaces can create child zones from this DNS zone. Only applicable to GlobalDNSZones. This must be set for AutoProvisionChildZones to have any effect.

      DNSZoneStatus

      (Appears on: DNSZone, GlobalDNSZone)

      DNSZoneStatus defines the status of a cloud account

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      nameservers
      []string

      Nameservers are the authoritative nameservers that are required to be set for this zone.

      delegated
      bool

      Delegated indicates this zone has been correctly delegated

      zoneID
      string

      ZoneID contains a DNS-provider specific reference to the zone created for this resource

      DNSZoneType (string)

      (Appears on: DNSZoneProviderDetails)

      DNSZoneType represents the concrete type of a DNS Zone to provide

      ValueDescription

      "AWS"

      DNSZoneTypeAWS is for AWS Route 53 zone

      "Azure"

      DNSZoneTypeAzure is for Azure DNS zone

      "GCP"

      DNSZoneTypeGCP is for GCP Cloud DNS zone

      ExternalNetworkPeer

      (Appears on: PeeringRuleDirect)

      ExternalNetworkPeer defines the definition used when attaching the network to an external network

      FieldDescription
      account
      string

      Account is a cloud agnostic name of the account, subscription or project where the network we are peering to exists

      location
      string

      Location is the region where the network exists. For AWS this might be eu-west-2, for GCP europe-west2 and so forth

      identifier
      string

      Identifier is the full resource identity of the virtual network which we are peering to. For AWS and GCP this would be the virtual network name. For Azure this would be the resource group plus the virtual network name.

      routes
      IPv4CIDRBlocks

      Routes is a collection of network ranges which we want to expose to the peered networks. The route tables of the source networks are automatically amended to push these subnets down the peered connection

      routeTableSelectors
      map[string]string

      RouteTableSelectors is required when enableAutoApproval is enabled. The field provides a collection of cloud tags which is used to filter on which routing tables in the external network need updating to include the source network routes. Note, this field is not required for GCP or Azure as the route propagation is performed automatically for you.

      FirewallRule

      (Appears on: FirewallSpec)

      FirewallRule represents the various options associated with a firewall rule. Depending on the cloud, a single FirewallRule might be expanded to multiple individual firewall rules.

      FieldDescription
      name
      string

      Name is the name of the firewall rule.

      description
      string

      Description is an optional description of the firewall rule.

      action
      string

      Action dictates whether to allow or deny matching traffic.

      cidrBlocks
      []IPv4CIDR

      CIDRBlocks is the list of IP address ranges that this rule applies to.

      direction
      string

      Direction dictates whether this rule applies to inbound or outbound traffic.

      ipVersion
      uint16

      IPVersion is the version of the Internet Protocol for the firewall rule.

      protocols
      []string

      Protocols is a list of protocols that this firewall rule applies to.

      ports
      []Port

      Ports is a list of port numbers that this firewall rule applies to. If omitted, the rule applies to all ports.

      priority
      uint16

      Priority dictates the precedence of the firewall rule. Lower values indicate higher priorities.

      FirewallSpec

      (Appears on: FirewallRules)

      FirewallSpec defines the desired state of a firewall

      FieldDescription
      networkRef
      Ownership

      NetworkRef is a reference to the network associated with the firewall.

      rules
      []FirewallRule

      Rules is a list of firewall rules.

      FirewallStatus

      (Appears on: FirewallRules)

      FirewallStatus defines the observed state of a firewall

      GCPDNSZoneParameters

      (Appears on: DNSZoneProviderDetails)

      GCPDNSZoneParameters is the parameters for a GCP DNS zone

      GCPSecondarySubnetIPRanges

      (Appears on: ProviderDetailsSubnetIPv4GCP)

      GCPSecondarySubnetIPRanges represents the secondary subnet ranges for GCP when running in private cluster mode

      FieldDescription
      cidrBlock
      IPv4CIDR

      CIDRBlock is the IP address range for the subnet.

      type
      GCPSubnetDefaultSubnetName

      Type determines what type of secondary range ip address this is.

      GCPSubnetDefaultSubnetName (string)

      (Appears on: GCPSecondarySubnetIPRanges)

      GCPSubnetDefaultSubnetName represents the default subnet names for GKE private clusters

      ValueDescription

      "pods"

      GCPSubnetDefaultSubnetNamePods represents the default subnet name for GCP pods networks

      "services"

      GCPSubnetDefaultSubnetNameServices represents the default subnet name for GCP services networks

      GlobalOrScopedDNSZone

      GlobalOrScopedDNSZone provides a common interface for global or workspace-scoped DNS zones

      IPv4CIDR (string)

      (Appears on: FirewallRule, GCPSecondarySubnetIPRanges, NetworkFabricRoute, NetworkFabricSubnetIPv4)

      IPv4CIDR represents an IP range in the A.B.C.D/N format

      IPv4CIDRBlocks ([]github.com/appvia/wayfinder/pkg/apis/networking/v1alpha1.IPv4CIDR)

      (Appears on: ExternalNetworkPeer, NetworkFabricIPv4, PeeringRuleGateway)

      IPv4CIDRBlocks is a list of IPv4 addresses

      NetworkFabricGateway

      NetworkFabricGateway are cloud agnostic settings for nat gateway

      FieldDescription
      associate
      NetworkFabricGatewayAssociation

      Associate is the location of the gateway

      ipv4
      NetworkFabricGatewayIPV4

      IPv4 defines the ip allocation options of the gateway

      nat
      NetworkFabricGatewayNATOptions

      NAT provides cloud agnostic settings for the NAT gateway itself

      NetworkFabricGatewayAssociation

      (Appears on: NetworkFabricGateway)

      NetworkFabricGatewayAssociation is used to define where the gateway should reside

      FieldDescription
      subnet
      string

      Subnet is a reference to the subnet the gateway should reside in. Note the subnet must be defined in the subnets section below. Note, GCP does not require this setting, as CloudNAT is associated to a network

      location
      string

      Location defines the region the gateway should reside in. This is only required for GCP where cloud gateways are regional rather than designated to an availability zone

      NetworkFabricGatewayIPV4

      (Appears on: NetworkFabricGateway)

      NetworkFabricGatewayIPV4 are the options related to ipv4 settings on a nat gateway

      FieldDescription
      mode
      NetworkFabricGatewayIPV4Mode

      Mode defines how external addresses or address pools are allocated to the NAT gateway

      addresses
      []string

      Addresses provides a collection of external addresses which should be associated to the nat gateway, assuming the mode is static. In AWS this is an EIP which has been allocated in the correct region and account. In GCP you can define multiple external addresses which the CloudNAT will manage

      NetworkFabricGatewayIPV4Mode (string)

      (Appears on: NetworkFabricGatewayIPV4)

      NetworkFabricGatewayIPV4Mode defines the mode for ipv4 allocation on the gateway

      NetworkFabricGatewayNATOptions

      (Appears on: NetworkFabricGateway)

      NetworkFabricGatewayNATOptions provides the ability to configure cloud agnostic settings on the gateway

      FieldDescription
      subnets
      []string

      Subnets defines the subnets which should be associated and natted through the nat gateway. These must be defined in the subnets section within the network fabric spec.

      NetworkFabricIPv4

      (Appears on: NetworkFabricSpec)

      NetworkFabricIPv4 is a collection of network ipv4 ranges

      FieldDescription
      cidrBlocks
      IPv4CIDRBlocks

      CIDRBlocks is a list of CIDR blocks that should be associated with the network. [AWS] Multiple IP ranges. AWS only supports a single IP range on creation, but the network can be updated afterwards to specify additional IP ranges. [GCP] Unsupported. [Azure] Multiple IP ranges.

      NetworkFabricLayout

      (Appears on: NetworkFabricSpec)

      NetworkFabricLayout defines the options for wayfinder prescribed network topology

      FieldDescription
      mode
      NetworkFabricLayoutMode

      Mode dictates whether the layout of the network should be set up manually or automatically. If automatic, no other fields should be specified. If manual, fields should be specified manually by the caller.

      Currently, only “auto” is supported. In future, “manual” will be implemented as required.

      privateSubnets
      int

      PrivateSubnets is the number of private subnets that should be generated in the network. Mode must be set to “auto” for this field to be valid.

      publicSubnets
      int

      PublicSubnets is the number of public subnets that should be generated in the network. Mode must be set to “auto” for this field to be valid.

      NetworkFabricLayoutMode (string)

      (Appears on: NetworkFabricLayout)

      NetworkFabricLayoutMode represents the network fabric layout mode

      ValueDescription

      "auto"

      NetworkFabricLayoutModeAuto is for network fabric layout mode auto

      "manual"

      NetworkFabricLayoutModeManual is for network fabric layout mode manual

      NetworkFabricPrivateOptions

      (Appears on: NetworkFabricSpec)

      NetworkFabricPrivateOptions are options related to private networking

      FieldDescription
      enabled
      bool

      Enabled indicates we are expecting the predefined network layout to generate a private network.

      gateways
      []*github.com/appvia/wayfinder/pkg/apis/networking/v1alpha1.NetworkFabricGateway

      Gateways provides the options around cloud NAT gateways

      NetworkFabricProviderType (string)

      (Appears on: ProviderDetails)

      NetworkFabricProviderType represents the concrete type of a network fabric provider

      ValueDescription

      "aws"

      NetworkFabricProviderTypeAWS is for AWS network fabric provider

      "azure"

      NetworkFabricProviderTypeAzure is for Azure network fabric provider

      "gcp"

      NetworkFabricProviderTypeGCP is for GCP network fabric provider

      NetworkFabricRoute

      (Appears on: NetworkFabricSpec)

      NetworkFabricRoute is a cloud agnostic definition for a route

      FieldDescription
      name
      string

      Name is the name of the route.

      description
      string

      Description is an optional description of the route.

      cidrBlock
      IPv4CIDR

      CIDRBlock represents the range of destination IP addresses that this route applies to.

      target
      NetworkFabricRouteTarget

      Target is the destination that the traffic bound for IP addresses within CIDRBlock range will be sent to. This target may be a gateway, network interface, or connection through which to send the destination traffic; for example, an internet gateway.

      NetworkFabricRouteTarget

      (Appears on: NetworkFabricRoute)

      NetworkFabricRouteTarget contains the information necessary to determine the destination that network traffic should be sent to.

      TODO: Determine what goes here (IPv4 vs IPv6 routing, local, internet gateway, NAT gateway)

      NetworkFabricSpec

      (Appears on: NetworkFabric)

      NetworkFabricSpec defines the desired state of a network

      FieldDescription
      layout
      NetworkFabricLayout

      Layout refers to the layout of the network. It controls whether the various parts - subnets, routes, etc. - are set up manually (i.e. specified in the spec) or automatically (i.e. generated by the provider).

      cloudAccountRef
      CloudAccountReference

      CloudAccountRef is a reference to the cloud account that should be used to create the network.

      ipv4
      NetworkFabricIPv4

      IPv4 contains the IPv4 configuration associated with the network.

      location
      string

      Location is the region the network should be created in. [AWS] Region [GCP] Networks do not have an associated region, so this will be set to “global” [Azure] Region

      name
      string

      Name is used to identify the network object in the cloud provider. [AWS] Names are not supported, so this is a “Name” tag on the VPC [GCP] Name of the Network [Azure] Name of the Virtual Network (VNet)

      plan
      string

      Plan currently refers to a pre-defined “flavour” of network, which is not configurable by the caller. For example, when .Spec.Layout.Mode="auto" and this is set to “EKS”, a network suitable for use by EKS will be generated automatically, with minimal input from the caller.

      In future, when “plans” in their traditional sense are supported for NetworkFabrics, this will refer to the original plan that the network was created from.

      provider
      string

      Provider refers to the cloud provider.

      providerDetails
      ProviderDetails

      ProviderDetails defines cloud-specific network options

      private
      NetworkFabricPrivateOptions

      Private are options related to private networking

      routes
      []NetworkFabricRoute

      Routes is the list of routes within the network. Mode must be set to “manual” for this field to be valid.

      stage
      string

      Stage is the name of the stage for the network.

      subnets
      []NetworkFabricSubnet

      Subnets is the list of subnets within the network. Mode must be set to “manual” for this field to be valid.

      tags
      map[string]string

      Tags is a collection of tags to apply to the resources associated with the network, if applicable.

      NetworkFabricStatus

      (Appears on: NetworkFabric, ClusterStatus)

      NetworkFabricStatus defines the observed state of a network

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      cloudAccount
      CloudAccountReference

      CloudAccountRef is a reference to the cloud account to use to retrieve credentials for this network. Will be populated if the spec specifies a CloudAccount as the credential object.

      aws
      NetworkFabricStatusAWS

      AWS contains the AWS-specific state for the network

      azure
      NetworkFabricStatusAzure

      Azure contains the Azure-specific state for the network

      gcp
      NetworkFabricStatusGCP

      GCP contains the GCP-specific state for the network

      NetworkFabricStatusAWS

      (Appears on: NetworkFabricStatus)

      NetworkFabricStatusAWS contains the AWS-specific attributes of the status block.

      FieldDescription
      accountID
      string

      AccountID is the aws account id

      availabilityZoneIDs
      []string

      AvailabilityZoneIDs is the list of AZ ids

      availabilityZoneNames
      []string

      AvailabilityZoneNames is the list of AZ names

      privateIPV4Addresses
      []string

      PrivateIPV4Addresses provides the list of private subnet addresses

      privateSubnetIDs
      []string

      PrivateSubnetIDs is a list of subnet IDs to use for the worker nodes

      publicIPV4Addresses
      []string

      PublicIPV4Addresses provides the list of public subnet addresses

      ipv4EgressAddresses
      []string

      PublicIPV4EgressAddresses provides the source addresses for traffic coming from the cluster

      publicSubnetIDs
      []string

      PublicSubnetIDs is a list of subnet IDs to use for resources that need a public IP (e.g. load balancers)

      securityGroupIDs
      []string

      SecurityGroupIDs is a list of security group IDs to use for a cluster

      vpcID
      string

      VpcID is the identifier of the VPC

      NetworkFabricStatusAzure

      (Appears on: NetworkFabricStatus)

      NetworkFabricStatusAzure contains the Azure-specific attributes of the status block.

      FieldDescription
      virtualNetworkID
      string

      VirtualNetworkID is the identifier of the Virtual Network

      subnetIDs
      []string

      SubnetIDs are the list of subnet IDs in the Virtual Network

      NetworkFabricStatusGCP

      (Appears on: NetworkFabricStatus)

      NetworkFabricStatusGCP contains the GCP-specific attributes of the status block.

      FieldDescription
      name
      string

      Name is the name of the network in GCP

      networkRef
      string

      NetworkRef is the cloud provider reference

      gateways
      []NetworkFabricStatusGCPGateway

      Gateways provides a status on the gateways and any external addresses

      NetworkFabricStatusGCPGateway

      (Appears on: NetworkFabricStatusGCP)

      NetworkFabricStatusGCPGateway defines the status on the gateway

      FieldDescription
      name
      string

      Name is the name of the gateway

      location
      string

      Location is the location where the gateway resides

      addresses
      []string

      Addresses is the list of external IPs or self-link references associated to the gateway

      NetworkFabricSubnet

      (Appears on: NetworkFabricSpec)

      NetworkFabricSubnet defines the options for a virtual subnet

      FieldDescription
      name
      string

      Name is the name of the subnet.

      description
      string

      Description is an optional description of the subnet.

      location
      string

      Location is the zone or region associated with the subnet. [AWS] Zone [GCP] Region [Azure] Region (same as the Virtual Network)

      ipv4
      NetworkFabricSubnetIPv4

      IPv4 is the Internet Protocol (version 4) configuration for the subnet.

      NetworkFabricSubnetIPv4

      (Appears on: NetworkFabricSubnet)

      NetworkFabricSubnetIPv4 defines the options for the subnet range

      FieldDescription
      cidrBlock
      IPv4CIDR

      CIDRBlock is the IP address range for the subnet.

      ipVersion
      uint16

      IPVersion is the Internet Protocol version of the subnet.

      type
      NetworkFabricSubnetType

      Type determines whether VMs launched into this subnet should have a public or private IP address. If nat is specified, this must be set to “private”.

      providerDetails
      ProviderDetailsSubnetIPv4

      ProviderDetails is the cloud specific configuration for the subnet.

      NetworkFabricSubnetType (string)

      (Appears on: NetworkFabricSubnetIPv4)

      NetworkFabricSubnetType represents the network fabric subnet type

      ValueDescription

      "private"

      NetworkFabricSubnetTypePrivate is for network fabric subnet type private

      "public"

      NetworkFabricSubnetTypePublic is for network fabric subnet type public

      PeeringGatewayProviderDetails

      (Appears on: PeeringRuleGateway)

      PeeringGatewayProviderDetails provides a means to configure cloud specific options around gateway attachments

      FieldDescription
      aws
      PeeringGatewayProviderDetailsAWS

      AWS defines the cloud specifics for gateway options

      PeeringGatewayProviderDetailsAWS

      (Appears on: PeeringGatewayProviderDetails)

      PeeringGatewayProviderDetailsAWS are cloud specific options for AWS

      FieldDescription
      enableDNS
      bool

      EnableDNS indicates we should enable or disable dns support via the gateway. Note this defaults to true unless defined.

      PeeringProviderDetails

      (Appears on: PeeringRuleDirect)

      PeeringProviderDetails provides a means to configure cloud specific options around gateway attachments

      FieldDescription
      azure
      PeeringProviderDetailsAzure

      Azure defines the cloud specifics for gateway options

      PeeringProviderDetailsAzure

      (Appears on: PeeringProviderDetails)

      PeeringProviderDetailsAzure are cloud specific options for Azure

      FieldDescription
      enableUseRemoteGateway
      bool

      EnableUseRemoteGateway indicates if cluster peering should use a remote gateway. If set to true, a local gateway will not be deployed and the remote one will be configured for use

      PeeringRuleConnection

      (Appears on: PeeringRuleSpec, PeeringSpec)

      PeeringRuleConnection provides the definitions for the connection details related to peering

      FieldDescription
      type
      PeeringRuleConnectionType

      Type is the type of peering we are configuring

      gateway
      PeeringRuleGateway

      Gateway provides the configuration for working with gateways and peering connections via a network backbone such as Transit Gateway.

      peering
      PeeringRuleDirect

      Peering provides the configuration for direct peering between two networks. By default the peering assumes the management network, though this can be overridden if required

      PeeringRuleConnectionType (string)

      (Appears on: PeeringRuleConnection)

      PeeringRuleConnectionType represents the concrete type for configuration

      PeeringRuleDirect

      (Appears on: PeeringRuleConnection)

      PeeringRuleDirect defines the options around direct peering

      FieldDescription
      enableAutoApproval
      bool

      EnableAutoApproval indicates we should always accept the peering connection on the other end of the peer. This requires the user to provide a cloud account which has the correct permissions to do so.

      network
      ExternalNetworkPeer

      Network provides the ability to override the network which the peering is created on. By default this is the management cluster.

      subnets
      PeeringSubnetFilter

      Subnets provides a means to filter which of the subnets you want to push down the peering. By default we assume all the subnets attached to the virtual network should be routed down the peer

      providerDetails
      PeeringProviderDetails

      ProviderDetails provides the cloud specific options when performing a gateway attachment

      PeeringRuleFilters

      (Appears on: PeeringRuleSpec)

      PeeringRuleFilters is used to filter down to whom the policy should apply

      FieldDescription
      allocation
      ResourceAllocation

      Allocation offers the ability to filter the peering policy down to a collection of workspaces only

      selectors
      Kubernetes meta/v1.LabelSelector

      Selectors offers the option to filter down which networks the peering policy is applied to, based on the labels on the network fabric resource.

      PeeringRuleGateway

      (Appears on: PeeringRuleConnection)

      PeeringRuleGateway defines the options for gateway attachments and peering.

      FieldDescription
      identifier
      string

      Identifier is the cloud specific identifier for the gateway - this could be a transit gateway id in AWS.

      enableAutoApproval
      bool

      EnableAutoApproval indicates we should always accept the peering connection on the other end of the peer. This requires the user to provide a cloud account which has the correct permissions to do so.

      location
      string

      Location is the cloud region in which the transit gateway resides

      routes
      IPv4CIDRBlocks

      Routes is a collection of cidr blocks which we need to push down the transit gateway.

      routeTableSelectors
      map[string]string

      RouteTableSelectors is required when enableAutoApproval is enabled. The field provides a collection of cloud tags which are used to select which routing tables in the external network need updating to include the source network routes.

      providerDetails
      PeeringGatewayProviderDetails

      ProviderDetails provides the cloud specific options when performing a gateway attachment

      PeeringRuleSpec

      (Appears on: PeeringRule)

      PeeringRuleSpec provides the definition for a peering rule. These are matched against one or more Network Fabric CRDs and used to provision a Peer CRD which is used to connect up networks

      FieldDescription
      cloudAccount
      CloudAccountReference

      CloudAccount provides an optional reference to a cloudaccount which has the permission to carry out the tasks required to fulfil peering or gateway attachments

      connection
      PeeringRuleConnection

      Connection provides the policy details around how the peering should be achieved

      filters
      PeeringRuleFilters

      Filters provides the ability to apply a collection of filters that determine to whom the peering policy should apply

      PeeringRuleStatus

      (Appears on: PeeringRule)

      PeeringRuleStatus defines the observed state of a peering setup

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      connectionID
      string

      ConnectionID is the ID of the peering or gateway attachment which has been created

      PeeringSpec

      (Appears on: Peering)

      PeeringSpec defines the definition for the peering connection resource

      FieldDescription
      cloudAccount
      CloudAccountReference

      CloudAccount provides an optional reference to a cloudaccount which has the permission to carry out the tasks required to fulfil peering or gateway attachments

      connection
      PeeringRuleConnection

      Connection provides the policy details around how the peering should be achieved

      networkRef
      Ownership

      NetworkRef is the network which we are creating a connection from

      PeeringStatus

      (Appears on: Peering)

      PeeringStatus defines the observed state of a peering setup

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      peeringID
      string

      PeeringID is the cloud agnostic peering identifier

      PeeringSubnetFilter (map[string]string)

      (Appears on: PeeringRuleDirect)

      PeeringSubnetFilter provides a means to filter down which subnets in the virtual network we are about to attach should be pushed down the peer. One example would be to only push internal subnets.

      Port (uint16)

      (Appears on: FirewallRule)

      Port is a network port.

      ProviderDetails

      (Appears on: NetworkFabricSpec)

      ProviderDetails defines the parameters for cloud specific options - i.e. options which cannot be consolidated as they are too specific to the chosen cloud vendor

      FieldDescription
      type
      NetworkFabricProviderType

      Type represents the cloud the NetworkFabric belongs to

      aws
      ProviderDetailsAWS

      AWS is the provider specification for AWS networks

      azure
      ProviderDetailsAzure

      Azure is the provider specification for Azure networks

      gcp
      ProviderDetailsGCP

      GCP is the provider specification for GCP networks

      ProviderDetailsAWS

      (Appears on: ProviderDetails)

      ProviderDetailsAWS defines the AWS-specific NetworkFabric configuration

      ProviderDetailsAzure

      (Appears on: ProviderDetails)

      ProviderDetailsAzure defines the Azure-specific NetworkFabric configuration

      FieldDescription
      resourceGroup
      string

      ResourceGroup is the Azure resource group

      ProviderDetailsGCP

      (Appears on: ProviderDetails)

      ProviderDetailsGCP defines the GCP-specific NetworkFabric configuration

      ProviderDetailsSubnetIPv4

      (Appears on: NetworkFabricSubnetIPv4)

      ProviderDetailsSubnetIPv4 provides cloud provider specifics for the subnet

      FieldDescription
      gcp
      ProviderDetailsSubnetIPv4GCP

      GCP is the provider specification for GCP subnets

      ProviderDetailsSubnetIPv4GCP

      (Appears on: ProviderDetailsSubnetIPv4)

      ProviderDetailsSubnetIPv4GCP provides secondary ranges for gcp

      FieldDescription
      secondaryIpRanges
      []GCPSecondarySubnetIPRanges

      SortDNSZonesByDomain ([]github.com/appvia/wayfinder/pkg/apis/networking/v1alpha1.DNSZone)

      SortDNSZonesByDomain is a list of DNS zones which can be sorted by the spec domain

      SortZonesByDomain ([]github.com/appvia/wayfinder/pkg/apis/networking/v1alpha1.GlobalOrScopedDNSZone)

      SortZonesByDomain is a list of global or scoped DNS zones which can be sorted by the spec domain

      org.appvia.io/v1alpha1

      Package v1alpha1 contains API Schema definitions for the org v1alpha1 API group

      Resource Types:

      AuditEvent

      AuditEvent is the Schema for the audit API

      FieldDescription
      apiVersion
      string
      org.appvia.io/v1alpha1
      kind
      string
      AuditEvent
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      AuditEventSpec
      id
      int

      ID is the unique identifier of this audit event.

      createdAt
      Kubernetes meta/v1.Time

      CreatedAt is the timestamp of record creation

      resource
      string

      Resource is the area of the API accessed in this audit operation (e.g. workspaces, etc).

      resourceURI
      string

      ResourceURI is the identifier of the resource in question.

      apiVersion
      string

      APIVersion is the version of the API used for this operation.

      verb
      string

      Verb is the type of action performed (e.g. PUT, GET, etc)

      operation
      string

      Operation is the operation performed (e.g. UpdateCluster, CreateCluster, etc).

      workspace
      WorkspaceKey

      Workspace is the workspace which the event may be associated with

      user
      string

      User is the user to which the event is related

      startedAt
      Kubernetes meta/v1.Time

      StartedAt is the timestamp the operation was initiated

      completedAt
      Kubernetes meta/v1.Time

      CompletedAt is the timestamp the operation completed

      responseCode
      int

      ResponseCode indicates the HTTP status code of the operation (e.g. 200, 404, etc).

      message
      string

      Message is the event message itself

      Identity

      Identity is the Schema for the identities API

      FieldDescription
      apiVersion
      string
      org.appvia.io/v1alpha1
      kind
      string
      Identity
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      IdentitySpec
      accountType
      string

      AccountType is the account type of the identity i.e. sso, basicauth etc

      basicAuth
      BasicAuth

      BasicAuth defines a basicauth identity

      idpUser
      IDPUser

      IDPUser links to the associated idp user

      user
      User

      User is the user spec the identity is associated with

      User

      (Appears on: IdentitySpec)

      User is the Schema for the users API

      FieldDescription
      apiVersion
      string
      org.appvia.io/v1alpha1
      kind
      string
      User
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      UserSpec
      disabled
      bool

      Disabled indicates if the user is disabled

      email
      string

      Email is the email for the user

      username
      string

      Username is the username or identity for this user

      status
      UserStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      Workspace

      Workspace is the Schema for the workspace API

      FieldDescription
      apiVersion
      string
      org.appvia.io/v1alpha1
      kind
      string
      Workspace
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      WorkspaceSpec
      key
      WorkspaceKey

      Key is the unique identifier for this workspace

      summary
      string

      Summary is a summary name for this workspace

      description
      string

      Description is a description for the workspace

      status
      WorkspaceStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      WorkspaceInvitation

      WorkspaceInvitation is the Schema for the workspace invitation API

      FieldDescription
      apiVersion
      string
      org.appvia.io/v1alpha1
      kind
      string
      WorkspaceInvitation
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      WorkspaceInvitationSpec
      username
      string

      Username is the user being bound to the workspace

      workspace
      WorkspaceKey

      Workspace is the name of the workspace being invited to

      status
      WorkspaceInvitationStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      WorkspaceMember

      WorkspaceMember is the Schema for members of the workspace API

      FieldDescription
      apiVersion
      string
      org.appvia.io/v1alpha1
      kind
      string
      WorkspaceMember
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      WorkspaceMemberSpec
      username
      string

      Username is the user being bound to the workspace

      WorkspaceMemberRole

      WorkspaceMemberRole is the Schema for the workspace member roles API

      FieldDescription
      apiVersion
      string
      org.appvia.io/v1alpha1
      kind
      string
      WorkspaceMemberRole
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      WorkspaceMemberRoleSpec
      user
      string

      User is the user in the workspace who has the role

      role
      string

      Role is the role they have

      WorkspaceRole

      WorkspaceRole is the Schema for the workspace roles API

      FieldDescription
      apiVersion
      string
      org.appvia.io/v1alpha1
      kind
      string
      WorkspaceRole
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      WorkspaceRoleSpec
      description
      string

      Description is a description for the workspace role

      AssetType (string)

      AssetType defines the type of a workspace asset

      ValueDescription

      "CloudAccount"

      AssetTypeCloudAccount identifies a cloud account asset

      "CloudService"

      AssetTypeCloudService identifies a cloud service (e.g. S3 bucket, RDS instance) asset

      "Cluster"

      AssetTypeCluster identifies a cluster asset

      "Namespace"

      AssetTypeNamespace identifies a namespace asset

      "NodePool"

      AssetTypeNodePool identifies a node pool asset

      AuditEventSpec

      (Appears on: AuditEvent)

      AuditEventSpec defines the desired state of User

      FieldDescription
      id
      int

      ID is the unique identifier of this audit event.

      createdAt
      Kubernetes meta/v1.Time

      CreatedAt is the timestamp of record creation

      resource
      string

      Resource is the area of the API accessed in this audit operation (e.g. workspaces, etc).

      resourceURI
      string

      ResourceURI is the identifier of the resource in question.

      apiVersion
      string

      APIVersion is the version of the API used for this operation.

      verb
      string

      Verb is the type of action performed (e.g. PUT, GET, etc)

      operation
      string

      Operation is the operation performed (e.g. UpdateCluster, CreateCluster, etc).

      workspace
      WorkspaceKey

      Workspace is the workspace the event may be associated with

      user
      string

      User is the user to which the event is related

      startedAt
      Kubernetes meta/v1.Time

      StartedAt is the timestamp the operation was initiated

      completedAt
      Kubernetes meta/v1.Time

      CompletedAt is the timestamp the operation completed

      responseCode
      int

      ResponseCode indicates the HTTP status code of the operation (e.g. 200, 404, etc).

      message
      string

      Message is the event message itself

      BasicAuth

      (Appears on: IdentitySpec)

      BasicAuth defines the basicauth identity

      FieldDescription
      password
      string

      Password is a password associated to the user

      IDPUser

      (Appears on: IdentitySpec)

      IDPUser is the associated idp user

      FieldDescription
      email
      string

      Email for the associated user

      uuid
      string

      UUID is a unique id for the user in the external idp

      IdentitySpec

      (Appears on: Identity)

      IdentitySpec defines the desired state of User

      FieldDescription
      accountType
      string

      AccountType is the account type of the identity i.e. sso, basicauth etc

      basicAuth
      BasicAuth

      BasicAuth defines a basicauth identity

      idpUser
      IDPUser

      IDPUser links to the associated idp user

      user
      User

      User is the user spec the identity is associated with

      UpdateBasicAuthIdentity

      UpdateBasicAuthIdentity defines the desired state of an update

      FieldDescription
      password
      string

      Password is a password associated to the user

      username
      string

      Username is the user you are updating the credential for

      UpdateIDPIdentity

      UpdateIDPIdentity defines the desired state of an update

      FieldDescription
      IDToken
      string

      IDToken is the identity token from the provider

      UserSpec

      (Appears on: User)

      UserSpec defines the desired state of User

      FieldDescription
      disabled
      bool

      Disabled indicates if the user is disabled

      email
      string

      Email is the email for the user

      username
      string

      Username is the username or identity for this user

      UserStatus

      (Appears on: User)

      UserStatus defines the observed state of User

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      WorkspaceInvitationSpec

      (Appears on: WorkspaceInvitation)

      WorkspaceInvitationSpec defines the desired state of a workspace invitation

      FieldDescription
      username
      string

      Username is the user being bound to the workspace

      workspace
      WorkspaceKey

      Workspace is the name of the workspace being invited to

      WorkspaceInvitationStatus

      (Appears on: WorkspaceInvitation)

      WorkspaceInvitationStatus defines the observed state of a workspace invite

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      WorkspaceMemberRoleSpec

      (Appears on: WorkspaceMemberRole)

      WorkspaceMemberRoleSpec defines the desired state of WorkspaceMemberRole

      FieldDescription
      user
      string

      User is the user in the workspace who has the role

      role
      string

      Role is the role they have

      WorkspaceMemberSpec

      (Appears on: WorkspaceMember)

      WorkspaceMemberSpec defines the desired state of workspace member

      FieldDescription
      username
      string

      Username is the user being bound to the workspace

      WorkspaceRoleSpec

      (Appears on: WorkspaceRole)

      WorkspaceRoleSpec defines the desired state of WorkspaceRole

      FieldDescription
      description
      string

      Description is a description for the workspace role

      WorkspaceSpec

      (Appears on: Workspace)

      WorkspaceSpec defines the desired state of workspace

      FieldDescription
      key
      WorkspaceKey

      Key is the unique identifier for this workspace

      summary
      string

      Summary is a summary name for this workspace

      description
      string

      Description is a description for the workspace

      WorkspaceStatus

      (Appears on: Workspace)

      WorkspaceStatus defines the observed state of workspace

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      package.appvia.io/v1alpha1

      Package v1alpha1 contains API Schema definitions for the helm packages api

      Resource Types:

      GlobalHelm

      GlobalHelm is a package definition

      FieldDescription
      apiVersion
      string
      package.appvia.io/v1alpha1
      kind
      string
      GlobalHelm
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      HelmSpec
      dependencies
      []string

      Dependencies provides a list of dependent services which have to be deployed before this package can be installed

      installNamespace
      string

      InstallNamespace is the location to install the package

      source
      ChartSource

      Source is used to define the source location of the chart and the revision which is used to install

      selectors
      Kubernetes meta/v1.LabelSelector

      Selectors are the label matching selectors for where the package should be installed

      summary
      string

      Summary provides a short description of the use of the package

      values
      k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON

      Values is a collection of values to be injected into the chart when rendering the package into the clusters

      valuesFrom
      []HelmValuesFrom

      ValuesFrom is an optional collection of resources which are injected into the helm values before render

      status
      HelmStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      Helm

      Helm is a package definition

      FieldDescription
      apiVersion
      string
      package.appvia.io/v1alpha1
      kind
      string
      Helm
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      HelmSpec
      dependencies
      []string

      Dependencies provides a list of dependent services which have to be deployed before this package can be installed

      installNamespace
      string

      InstallNamespace is the location to install the package

      source
      ChartSource

      Source is used to define the source location of the chart and the revision which is used to install

      selectors
      Kubernetes meta/v1.LabelSelector

      Selectors are the label matching selectors for where the package should be installed

      summary
      string

      Summary provides a short description of the use of the package

      values
      k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON

      Values is a collection of values to be injected into the chart when rendering the package into the clusters

      valuesFrom
      []HelmValuesFrom

      ValuesFrom is an optional collection of resources which are injected into the helm values before render

      status
      HelmStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      HelmRelease

      HelmRelease is a package definition

      FieldDescription
      apiVersion
      string
      package.appvia.io/v1alpha1
      kind
      string
      HelmRelease
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      HelmReleaseSpec
      revision
      string

      Revision is the revision of the package which is associated to the release

      clusterRef
      Ownership

      ClusterRef provides a reference to the cluster this release is associated with and intended to be installed on

      globalRef
      string

      GlobalRef is the name of the cloud package which is associated to the release

      packageRef
      string

      PackageRef is the name of the package within the workspace namespace that is associated to this release

      package
      HelmSpec

      Package contains all the package details which have been copied over from the package definition - this creates a local copy of the package and is used to reconcile the release

      status
      HelmReleaseStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      ChartSource

      (Appears on: HelmSpec)

      ChartSource defines the location of the helm package

      FieldDescription
      git
      GitSource

      Git can be used to define the location of the helm chart in a git repository

      helm
      HelmSource

      Helm can be used to define a helm index as the source location of the chart to be installed

      ClusterValuesFrom

      (Appears on: HelmValuesFrom)

      ClusterValuesFrom is used to reference a value from an associated cluster

      FieldDescription
      HelmValue
      HelmValue

      (Members of HelmValue are embedded into this type.)

      DomainValuesFrom

      (Appears on: HelmValuesFrom)

      DomainValuesFrom is used to reference the default domain attached to the cluster

      FieldDescription
      HelmValue
      HelmValue

      (Members of HelmValue are embedded into this type.)

      hostname
      string

      Hostname is used to append a hostname prefix to the associated cluster domain. This allows you to build FQDNs quickly

      matchLabels
      Kubernetes meta/v1.LabelSelector

      MatchLabels is used to find one or more specific domain resources to inject - be careful not to match multiple resources unless intended, as we will inject the zone names as an array

      GitSource

      (Appears on: ChartSource)

      GitSource defines the location of a chart in a git repository

      FieldDescription
      gitPullSecrets
      Kubernetes core/v1.SecretReference

      GitPullSecrets is a reference to any credentials used to pull the repository

      url
      string

      URL is the location of the git repository

      HelmReleaseSpec

      (Appears on: HelmRelease)

      HelmReleaseSpec defines the desired status for a helm package

      FieldDescription
      revision
      string

      Revision is the revision of the package which is associated to the release

      clusterRef
      Ownership

      ClusterRef provides a reference to the cluster this release is associated with and intended to be installed on

      globalRef
      string

      GlobalRef is the name of the cloud package which is associated to the release

      packageRef
      string

      PackageRef is the name of the package within the workspace namespace that is associated to this release

      package
      HelmSpec

      Package contains all the package details which have been copied over from the package definition - this creates a local copy of the package and is used to reconcile the release

      HelmReleaseStatus

      (Appears on: HelmRelease)

      HelmReleaseStatus defines the observed state of the package

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      HelmSource

      (Appears on: ChartSource)

      HelmSource is used to define the location of a chart in a helm repository

      FieldDescription
      name
      string

      Name is the name of the chart we wish to install

      url
      string

      URL is the url to the helm repository where the chart lives

      version
      string

      Version is the version of the chart that should be installed

      HelmSpec

      (Appears on: GlobalHelm, Helm, HelmReleaseSpec)

      HelmSpec defines a helm package

      FieldDescription
      dependencies
      []string

      Dependencies provides a list of dependent services which have to be deployed before this package can be installed

      installNamespace
      string

      InstallNamespace is the location to install the package

      source
      ChartSource

      Source is used to define the source location of the chart and the revision which is used to install

      selectors
      Kubernetes meta/v1.LabelSelector

      Selectors are the label matching selectors for where the package should be installed

      summary
      string

      Summary provides a short description of the use of the package

      values
      k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON

      Values is a collection of values to be injected into the chart when rendering the package into the clusters

      valuesFrom
      []HelmValuesFrom

      ValuesFrom is an optional collection of resources which are injected into the helm values before render

      HelmStatus

      (Appears on: GlobalHelm, Helm)

      HelmStatus defines the observed state of the package

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      HelmValue

      (Appears on: ClusterValuesFrom, DomainValuesFrom, ResourceValuesFrom, SecretValuesFrom)

      HelmValue are the default value parameters

      FieldDescription
      path
      string

      Path is the path into the helm values

      key
      string

      Key is a path into the resource data

      HelmValuesFrom

      (Appears on: HelmSpec)

      HelmValuesFrom defines a means to extract a value out of a resource and into the values for a helm chart

      FieldDescription
      cluster
      ClusterValuesFrom

      Cluster is used to extract a piece of data out of the associated cluster resources and inject into the path defined

      domain
      DomainValuesFrom

      Domain is used to extract the default domain associated to the cluster and used to extract the zone name from the resource

      resource
      ResourceValuesFrom

      Resource is used to filter on and extract the details from one or more managed resources in Wayfinder.

      secret
      SecretValuesFrom

      Secret is used to reference a secret in wayfinder

      ResourceValuesFrom

      (Appears on: HelmValuesFrom)

      ResourceValuesFrom is used to define a reference to a resource

      FieldDescription
      Ownership
      Ownership

      (Members of Ownership are embedded into this type.)

      HelmValue
      HelmValue

      (Members of HelmValue are embedded into this type.)

      SecretValuesFrom

      (Appears on: HelmValuesFrom)

      SecretValuesFrom is used to define a reference to a secret

      FieldDescription
      SecretReference
      Kubernetes core/v1.SecretReference

      (Members of SecretReference are embedded into this type.)

      HelmValue
      HelmValue

      (Members of HelmValue are embedded into this type.)

      policy.appvia.io/v1alpha1

      Package v1alpha1 contains API Schema definitions for the org v1alpha1 API group

      Resource Types:

      AssumePolicy

      AssumePolicy is the Schema for the policies API

      FieldDescription
      apiVersion
      string
      policy.appvia.io/v1alpha1
      kind
      string
      AssumePolicy
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      AssumePolicySpec
      summary
      string

      Summary is an optional summary that describes the policy

      roles
      []string

      Roles are the permitted roles you are able to assume from this policy

      constraints
      Constraints

      Constraints is a collection of constraints which control access to the roles

      status
      AssumePolicyStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      Policy

      (Appears on: AssumptionResponseSpec)

      Policy is the Schema for the policies API

      FieldDescription
      apiVersion
      string
      policy.appvia.io/v1alpha1
      kind
      string
      Policy
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      PolicySpec
      inputs
      k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON

      Inputs are parameters to the plan templates

      hints
      []Kubernetes meta/v1.GroupVersionResource

      Hints provides a list of resources which might be required in the rules engine

      policy
      PolicyDecision

      Policy defines the policy definition itself

      policyRef
      PolicyReference

      PolicyRef is used to refer to an inbuilt wayfinder policy rather than defining an inline policy - we find the plan and copy it onto the status for reference and implementation

      selectors
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.Selector

      Selectors is the resource we are filtering on

      target
      Target

      Target is essentially the location the policy should be positioned. If no target is supplied we assume it’s destined for the wayfinder api

      status
      PolicyStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      plan
      PolicyPlan

      Plan is a copy of the plans the policy is based on if any

      planRevision
      int64

      PlanRevision is the revision of the parent plan

      PolicyPlan

      (Appears on: PolicyStatus)

      PolicyPlan is the Schema for the policies API

      FieldDescription
      apiVersion
      string
      policy.appvia.io/v1alpha1
      kind
      string
      PolicyPlan
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      PolicyPlanSpec
      description
      string

      Description is a summary of what the plan provides

      hints
      []Kubernetes meta/v1.GroupVersionResource

      Hints provides a list of resources which might be required in the rules engine

      inputs
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.PolicyInput

      Inputs is a collection of inputs for this policy plan

      policy
      PolicyDecision

      Policy is the actual policy document associated to the plan

      selectors
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.Selector

      Selectors are optional filters which can be used to filter the target. Deprecated, use the spec.templates of this policy - essentially it’s a list of filters which can be used, i.e. it can be applied to all Plans or all clusters

      templates
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.PolicyTemplate

      Templates is a collection of templates used to generate policies on behalf of the subject

      target
      Target

      Target is a target for this policy i.e. wayfinder api or one or more clusters

      status
      PolicyPlanStatus
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      Robot

      Robot is the Schema for the robot accounts API

      FieldDescription
      apiVersion
      string
      policy.appvia.io/v1alpha1
      kind
      string
      Robot
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      RobotSpec
      description
      string

      Description provides a short summary on the use of the robot account

      secretRef
      Kubernetes core/v1.SecretReference

      SecretRef is a reference to the underlying kubernetes secret

      status
      RobotStatus
      secretRef
      Ownership

      DEPRECATED: secret reference is no longer in use. SecretRef is a reference to the underlying kubernetes secret

      status
      Status

      Status is overall status of the policy

      AdmissionRequest

      AdmissionRequest is a request to evaluate an access request

      FieldDescription
      dryRun
      bool

      DryRun indicates this is a dryrun to see the evaluation

      uuid
      k8s.io/apimachinery/pkg/types.UID

      UUID is a unique id for the request

      kind
      Kubernetes meta/v1.GroupVersionResource

      Kind is the fully-qualified resource being requested

      subResource
      string

      SubResource is the subresource being requested, if any (for example, “status” or “scale”)

      verb
      string

      Verb is the action being requested

      resource
      []byte

      Resource is the actual request payload if any

      object
      Object

      Object is the decoded resource from above - this is required for the engine to be able to target the fields

      name
      string

      Name is the name of the resource

      namespace
      string

      Namespace is the workspace’s namespace in which the resource resides

      user
      UserInfo

      User is the details related to the user requesting the action

      origin
      RequestOrigin

      Origin is the origin of the request i.e. ip address and so forth

      AdmissionResponse

      Decision is the outcome of a request, which is broken down into a collection of categories - validation errors, violations (denials), and logged, which indicates the resource should be logged

      FieldDescription
      enableProfiling
      bool
      (Optional)

      EnableProfiling indicates the access request should be profiled

      allowed
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.AllowedResult
      (Optional)

      Allowed is a collection of policies which gave an allowed decision

      role
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.RolesResult
      (Optional)

      Role is a collection of roles which have been granted based on the policy

      logging
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.LogResult
      (Optional)

      Logging is a collection of logging requirements

      validation
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.ValidationErrorResult
      (Optional)

      Validation is a collection of validation errors

      violation
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.DeniedResult
      (Optional)

      Violation is a collection of violations for access to this resource

      AllowedResult

      AllowedResult indicates we were actively permitted by a policy

      FieldDescription
      policy
      string

      Policy is the name of the policy

      code
      int

      Code is a machine readable code which indicates the error

      field
      string

      Field is the optional field in question

      message
      string

      Message is a human readable message

      value
      string

      Value is the current value of the field

      Assignment

      Assignment provides the subresource options for assigning a plan/policy to a subject

      FieldDescription
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      AssignmentSpec
      dryRun
      bool

      DryRun indicates we are asking not requesting it

      expiration
      time.Duration

      Expiration is an optional expiration for the assigned policy

      inputs
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.PlanInput

      Inputs are a collection of inputs for the plan

      subject
      Subject

      Subject is the identity we are applying the policy to

      AssignmentSpec

      (Appears on: Assignment)

      AssignmentSpec describes the assignment

      FieldDescription
      dryRun
      bool

      DryRun indicates we are asking not requesting it

      expiration
      time.Duration

      Expiration is an optional expiration for the assigned policy

      inputs
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.PlanInput

      Inputs are a collection of inputs for the plan

      subject
      Subject

      Subject is the identity we are applying the policy to

      AssumePolicySpec

      (Appears on: AssumePolicy)

      AssumePolicySpec defines the desired state of policy

      FieldDescription
      summary
      string

      Summary is an optional summary that describes the policy

      roles
      []string

      Roles are the permitted roles you are able to assume from this policy

      constraints
      Constraints

      Constraints is a collection of constraints which control access to the roles

      AssumePolicyStatus

      (Appears on: AssumePolicy)

      AssumePolicyStatus defines the observed state of status on a policy

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      Assumption

      Assumption describes a request to assume a policy plan

      FieldDescription
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      AssumptionSpec
      dryRun
      bool

      DryRun indicates we are only asking not requesting

      expiration
      time.Duration

      Expiration is the requested time period for the role

      cluster
      string

      Cluster is the name of the cluster you wish to assume the role into

      namespace
      string

      Namespace is the namespace in the cluster you wish to assume the role

      inputs
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.PlanInput

      Inputs are a collection of inputs for the assumption policy

      AssumptionDecision

      (Appears on: AssumptionResponseSpec)

      AssumptionDecision defines a decision

      FieldDescription
      allowed
      bool

      Allowed indicates the decision of the policy

      name
      string

      Name is the name of the assumption policy

      failed
      []string

      Failed is a collection of human readable reasons as to why the decision failed

      succeeded
      []string

      Succeeded is a collection of human readable reasons as to why the decision was positive

      AssumptionResponse

      AssumptionResponse describes a response to an assumption request

      FieldDescription
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      AssumptionResponseSpec
      allowed
      bool

      Allowed indicates the overall success

      evalution
      []AssumptionDecision

      Evaluation provides an optional explan

      policy
      Policy

      Policy is the associated parent policy which the role assumption has created to provide the permissions

      reason
      string

      Reason provides an overall reason why assumption was refused

      AssumptionResponseSpec

      (Appears on: AssumptionResponse)

      AssumptionResponseSpec defines the response back from an assumption request

      FieldDescription
      allowed
      bool

      Allowed indicates the overall success

      evalution
      []AssumptionDecision

      Evaluation provides an optional explan

      policy
      Policy

      Policy is the associated parent policy which the role assumption has created to provide the permissions

      reason
      string

      Reason provides an overall reason why assumption was refused

      AssumptionSpec

      (Appears on: Assumption)

      AssumptionSpec describes the subresource for assuming a policy

      FieldDescription
      dryRun
      bool

      DryRun indicates we are only asking not requesting

      expiration
      time.Duration

      Expiration is the requested time period for the role

      cluster
      string

      Cluster is the name of the cluster you wish to assume the role into

      namespace
      string

      Namespace is the namespace in the cluster you wish to assume the role

      inputs
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.PlanInput

      Inputs are a collection of inputs for the assumption policy

      ClusterConstraint

      (Appears on: Constraints)

      ClusterConstraint places a constraint around the cluster

      FieldDescription
      allowed
      Kubernetes meta/v1.LabelSelector

      Allowed is a collection of clusters permitted access on the role

      denied
      Kubernetes meta/v1.LabelSelector

      Denied provides the means to deny one or more clusters from the role

      Constraints

      (Appears on: AssumePolicySpec)

      Constraints defines a constraint to assuming a role

      FieldDescription
      clusters
      ClusterConstraint

      Clusters provides a constraint around the cluster which can be assumed

      days
      DaysOfWeekConstraint

      Days provides a constraint around the day of week a role can be assumed

      expiration
      ExpirationConstraint

      Expiration provides control over the length of a session

      parameters
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.InputConstraint

      Parameters provides a generic constraint around the requirement inputs into a role

      namespaces
      NamespaceConstraint

      Namespaces provides a constraint around the namespaces which can be assumed into from the role

      networks
      NetworkConstraint

      Networks defines one or more networks from which the user assuming the role can come

      roles
      RolesConstraint

      Roles is a collection of subjects roles which are permitted access to the role

      scopes
      ScopesConstraint

      Scopes is a collection of subjects scopes which are permitted access to the role

      subjects
      SubjectsConstraint

      Subjects is a collection of subjects which are permitted access to the role

      time
      TimeConstraint

      Time provides a time constraint when assuming the policy. The assumption must occur within the allotted time frame to assume the role

      CreateAssignmentPolicy

      CreateAssignmentPolicy provides the subresource options for assigning a plan/policy to a subject

      FieldDescription
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      CreateAssignmentPolicySpec
      dryRun
      bool

      DryRun indicates we are asking not requesting it

      assigned
      Subject

      Assigned indicates who the policy can be used by

      constraint
      Subject

      Constraint limits who the policy can be assigned to i.e. a robot account role, scope etc

      CreateAssignmentPolicySpec

      (Appears on: CreateAssignmentPolicy)

      CreateAssignmentPolicySpec describes the assignment

      FieldDescription
      dryRun
      bool

      DryRun indicates we are asking not requesting it

      assigned
      Subject

      Assigned indicates who the policy can be used by

      constraint
      Subject

      Constraint limits who the policy can be assigned to i.e. a robot account role, scope etc

      DaysOfWeekConstraint

      (Appears on: Constraints)

      DaysOfWeekConstraint places a constraint on the day of week from which the role can be assumed

      FieldDescription
      allowed
      []string

      Allowed are the days permitted in access i.e Mon,Tues,Wed,Thu,Fri,Sat or Sun

      denied
      []string

      Denied is a collection of days which are not permitted to access the role

      Decision

      (Appears on: PolicyDecision)

      Decision is an inline decision on the outcome of the policy

      FieldDescription
      action
      string

      Action is the decision outcome i.e. allowed, denied or logged

      message
      string

      Message is a human readable reason for the outcome

      DeniedResult

      DeniedResult indicates a denial error

      FieldDescription
      policy
      string

      Policy is the name of the policy

      code
      int

      Code is a machine readable code indicating the error

      field
      string

      Field is the optional field in question

      message
      string

      Message is a human readable message

      msg
      string

      Msg is a human readable message - added to make us compatible with gatekeeper

      value
      string

      Value is the current value of the field

      ExpirationConstraint

      (Appears on: Constraints)

      ExpirationConstraint defines the constraint around the session

      FieldDescription
      max
      Kubernetes meta/v1.Duration

      Max is the maximum length of a session the user can assume in the wayfinder

      ExtraValue ([]string)

      (Appears on: UserInfo)

      ExtraValue masks the value so protobuf can generate

      InputConstraint

      InputConstraint provides a constraint around an input parameter

      FieldDescription
      name
      string

      Name is the name of the parameter which maps onto the parameters requirement in the plan

      resource
      Ownership

      Resource provides an optional resource definitions to lookup and guard against

      allowed
      ResourceSelector

      Allowed is used to dictate the permitted values - when used in combination with a resource lookup - the values of the parameter

      denied
      ResourceSelector

      Denied provides a filter around the permitted values as an input to the role

      InputType (string)

      (Appears on: PolicyInput)

      InputType indicates the values

      LogResult

      LogResult indicates the response should be logged

      FieldDescription
      severity
      string

      Severity is the level of the event

      message
      string

      Message is the message which should be logged

      NamespaceConstraint

      (Appears on: Constraints)

      NamespaceConstraint places a constraint around the cluster

      FieldDescription
      allowed
      Kubernetes meta/v1.LabelSelector

      Allowed is a collection of namespaces permitted access on the role

      denied
      Kubernetes meta/v1.LabelSelector

      Denied provides the means to deny one or more namespaces from the role

      NetworkConstraint

      (Appears on: Constraints)

      NetworkConstraint provides a collection of network ranges which the user can come from

      FieldDescription
      allowed
      []string

      Allowed is a collection of networks which they must originate from

      denied
      []string

      Denied is a collection of network CIDRs which will be denied regardless
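
The following sketch shows the precedence the two NetworkConstraint fields describe: an origin inside any denied CIDR is rejected even when it also falls inside an allowed CIDR. It is an added example, not Wayfinder's own code; the local `NetworkConstraint` type, the `OriginPermitted` helper and the treatment of an empty allowed list as "no allow-list restriction" are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// NetworkConstraint is a local stand-in carrying the two documented fields;
// it is not the Wayfinder API type.
type NetworkConstraint struct {
	Allowed []string // CIDRs the caller must originate from
	Denied  []string // CIDRs that are denied regardless of Allowed
}

// parsePrefixes parses every CIDR up front so that a malformed entry is
// reported as an error instead of being silently skipped.
func parsePrefixes(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		out = append(out, p)
	}
	return out, nil
}

// inAny reports whether addr falls inside at least one prefix.
func inAny(prefixes []netip.Prefix, addr netip.Addr) bool {
	for _, p := range prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// OriginPermitted (hypothetical helper) evaluates an origin address against
// the constraint. Any parse error yields false, so the check fails closed.
func OriginPermitted(c NetworkConstraint, origin string) (bool, error) {
	addr, err := netip.ParseAddr(origin)
	if err != nil {
		return false, fmt.Errorf("invalid origin address %q: %w", origin, err)
	}
	// Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot slip past an
	// IPv4 deny entry: Prefix.Contains never matches a mapped address.
	addr = addr.Unmap()

	denied, err := parsePrefixes(c.Denied)
	if err != nil {
		return false, err
	}
	allowed, err := parsePrefixes(c.Allowed)
	if err != nil {
		return false, err
	}

	// Denied is checked first: it wins "regardless" of the allowed list.
	if inAny(denied, addr) {
		return false, nil
	}
	// Assumption: an empty allowed list places no restriction on the origin.
	if len(allowed) == 0 {
		return true, nil
	}
	return inAny(allowed, addr), nil
}

func main() {
	// Constructed sample constraint and origins.
	c := NetworkConstraint{
		Allowed: []string{"10.0.0.0/8"},
		Denied:  []string{"10.1.0.0/16"},
	}
	for _, origin := range []string{"10.2.3.4", "10.1.3.4", "192.0.2.10", "::ffff:10.1.3.4"} {
		ok, err := OriginPermitted(c, origin)
		fmt.Printf("%-16s permitted=%v err=%v\n", origin, ok, err)
	}
}
```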

      Object (map[string]interface{})

      (Appears on: AdmissionRequest)

      PlanInput

      PlanInput describes an input

      FieldDescription
      name
      string

      Name of the variable for this input

      value
      string

      Value is value of the input

      values
      []string

      Values is a collection of values for this input

      PlanPolicyRef

      PlanPolicyRef defines a reference to the policy plan that was used to create this policy

      FieldDescription
      name
      string

      Name is the name of the policy plan

      version
      string

      Version is a hash of the policy plan configuration so we know when we have strays from the version

      PolicyDecision

      (Appears on: PolicyPlanSpec, PolicySpec, PolicyTemplate)

      PolicyDecision defines the structure of an inline policy

      FieldDescription
      rolesDecision
      []string

      RolesDecision indicates a role is provided as an outcome

      decision
      Decision

      Decision is an inline decision on the action

      policy
      string

      Policy contains the inline rego template to apply

      PolicyInput

      PolicyInput describes the input required for a policy plan

      FieldDescription
      apiVersion
      string

      APIVersion is the api group the resource input comes from

      description
      string

      Description provides a descriptive reason for why the input is required and how it’s related to the policy

      enum
      []string

      Enum is a collection of possible values

      format
      string

      Format indicates the format of the input

      name
      string

      Name is the name of the input which is injected when templating out the policies

      required
      bool

      Required indicates the input is a required parameter

      resource
      string

      Resource is the resource inside the group that we need as an input

      type
      InputType

      Type indicates the type of value

      PolicyPlanSpec

      (Appears on: PolicyPlan)

      PolicyPlanSpec defines the desired state of policy

      FieldDescription
      description
      string

      Description is a summary of what the plan provides

      hints
      []Kubernetes meta/v1.GroupVersionResource

      Hints provides a list of resources which might be required in the rules engine

      inputs
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.PolicyInput

      Inputs is a collection of inputs for this policy plan

      policy
      PolicyDecision

      Policy is the actual policy document associated to the plan

      selectors
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.Selector

      Selectors are optional filters which can be used to filter the target. Deprecated, use the spec.templates of this policy - essentially it’s a list of filters which can be used i.e. it can be applied to all Plans or all clusters

      templates
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.PolicyTemplate

      Templates is a collection of templates used to generate policies on behalf of the subject

      target
      Target

      Target is a target for this policy i.e. wayfinder api or one or more clusters

      PolicyPlanStatus

      (Appears on: PolicyPlan)

      PolicyPlanStatus defines the observed state of status on a policy

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      PolicyReference

      (Appears on: PolicySpec)

      PolicyReference is used to reference an inbuilt policy document

      FieldDescription
      name
      string

      Name is the name of the inbuilt policy we are referring to

      namespace
      string

      Namespace is the namespace the policy plan exists in

      PolicySpec

      (Appears on: Policy)

      PolicySpec defines the desired state of policy

      FieldDescription
      inputs
      k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON

      Inputs are parameters to the plan templates

      hints
      []Kubernetes meta/v1.GroupVersionResource

      Hints provides a list of resources which might be required in the rules engine

      policy
      PolicyDecision

      Policy defines the policy definition itself

      policyRef
      PolicyReference

      PolicyRef is used to refer to an inbuilt Wayfinder policy rather than defining an inline policy - we find the plan and copy it onto the status for reference and implementation

      selectors
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.Selector

      Selectors is the resource we are filtering on

      target
      Target

      Target is essentially the location the policy should be positioned. If no target is supplied we assume it’s destined to the wayfinder api

      PolicyStatus

      (Appears on: Policy)

      PolicyStatus defines the observed state of status on a policy

      FieldDescription
      CommonStatus
      CommonStatus

      (Members of CommonStatus are embedded into this type.)

      plan
      PolicyPlan

      Plan is a copy of the plans the policy is based on if any

      planRevision
      int64

      PlanRevision is the revision of the parent plan

      PolicyTemplate

      PolicyTemplate describes a policy template

      FieldDescription
      name
      string

      Name is a descriptive name of the policy template

      disableSubjectInjection
      bool

      DisableSubjectInjection is used to inform the controller not to inject the subjects associated to the policy

      policy
      PolicyDecision

      Policy is the actual policy document associated to the plan

      selectors
      []*github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.Selector

      Selectors are optional filters which can be used to filter the target

      target
      Target

      Target is a target for the policy - i.e. the cluster or clusters the policy should be deployed to. Left blank the policy is assumed to apply to the Wayfinder API server itself.

      template
      string

      Template is the template used to generate the policy

      RequestOrigin

      (Appears on: AdmissionRequest)

      RequestOrigin are details on where the request came from

      FieldDescription
      url
      string

      URL is the incoming request url

      headers
      net/http.Header
      (Optional)

      Headers are any optional http headers from the request

      address
      string
      (Optional)

      Address is an external address of the request

      query
      net/url.Values
      (Optional)

      Query are query parameters to the request

      ResourceSelector

      (Appears on: InputConstraint)

      ResourceSelector is used to filter on the labels of a resource

      FieldDescription
      matchLabels
      map[string]string

      MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.

      matchExpressions
      []Kubernetes meta/v1.LabelSelectorRequirement

      MatchExpressions is a list of label selector requirements. The requirements are ANDed.

      values
      []string

      Values provides a list of expected values which are permitted

      RobotSpec

      (Appears on: Robot)

      RobotSpec defines the desired state of policy

      FieldDescription
      description
      string

      Description provides a short summary on the use of the robot account

      secretRef
      Kubernetes core/v1.SecretReference

      SecretRef is a reference to the underlying kubernetes secret

      RobotStatus

      (Appears on: Robot)

      RobotStatus defines the observed state of status on a policy

      FieldDescription
      secretRef
      Ownership

      DEPRECATED: secret reference is no longer in use. SecretRef is a reference to the underlying kubernetes secret

      status
      Status

      Status is overall status of the policy

      RolesConstraint

      (Appears on: Constraints)

      RolesConstraint places a constraint around the workspace roles

      FieldDescription
      allowed
      []string

      Allowed are the workspace roles permitted to access the role

      denied
      []string

      Denied are the workspace roles which are not permitted to access the role

      RolesResult

      RolesResult indicates the policy has permitted the use of a role based on the policy - this is largely used for rbac purposes

      FieldDescription
      policy
      string

      Policy is the name of the policy

      code
      int

      Code is a machine readable code indicating the error

      roles
      []string

      Roles is a collection of rbac roles which have been granted from the policy

      ScopesConstraint

      (Appears on: Constraints)

      ScopesConstraint places a constraint around the scopes

      FieldDescription
      allowed
      []string

      Allowed are the subject scopes permitted to access the role

      denied
      []string

      Denied are the workspace roles which are not permitted to access the role

      Selector

      Selector provides a generic selector on resources

      FieldDescription
      namespace
      Kubernetes meta/v1.LabelSelector

      Namespace is a namespace selector

      resource
      ResourceSelector

      Resource selects on a kubernetes resource

      subject
      SubjectSelector

      Subject is a subject selector

      Subject

      (Appears on: AssignmentSpec, CreateAssignmentPolicySpec)

      Subject is the identity we are applying the policy to

      FieldDescription
      groups
      []string

      Groups is a collection of workspaces the assignment is applied

      roles
      []string

      Roles is a collection of roles the policies should apply

      scopes
      []string

      Scopes is a collection of scopes who the policy should be assigned to

      subjects
      []string

      Subjects is a collection of subjects the policy should be assigned to

      SubjectsConstraint

      (Appears on: Constraints)

      SubjectsConstraint places a constraint around the subjects

      FieldDescription
      allowed
      []string

      Allowed are the days permitted in access i.e Mon,Tues,Wed,Thu,Fri,Sat or Sun

      denied
      []string

      Denied is a collection of days which are not permitted to access the role

      Target

      (Appears on: PolicyPlanSpec, PolicySpec, PolicyTemplate)

      Target is where the policy should be applied, the apiserver, or remote cluster/s

      FieldDescription
      selector
      Kubernetes meta/v1.LabelSelector

      Selector defines the location of a policy - which can be placed on a plan, workspace, cluster etc - effectively these all get placed into clusters

      TimeConstraint

      (Appears on: Constraints)

      TimeConstraint provides a control around the time a user can assume one or more roles in wayfinder

      FieldDescription
      before
      string

      Before indicates nothing before this time can access the role

      after
      string

      After indicates nothing after this time can access the role

      UserInfo

      (Appears on: AdmissionRequest)

      UserInfo are details on the caller

      FieldDescription
      username
      string
      (Optional)

      The name that uniquely identifies this user among all active users.

      groups
      []string
      (Optional)

      The names of groups this user is a part of.

      roles
      []string
      (Optional)

      Roles are the roles the user holds in the various workspaces

      scopes
      []string
      (Optional)

      Scopes indicates the scope of the token i.e. user, token etc

      extra
      map[string]github.com/appvia/wayfinder/pkg/apis/policy/v1alpha1.ExtraValue
      (Optional)

      Any additional information provided by the authenticator.

      claims
      k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON
      (Optional)

      Claims are jwt claims from the user token

      attributes
      map[string]string
      (Optional)

      Attributes are additional attributes on the user

      ValidationErrorResult

      ValidationErrorResult indicates a validation error was found

      FieldDescription
      policy
      string

      Policy is the name of the policy

      field
      string

      Field is the optional field in question

      value
      string

      Value is the current value of the field

      allowed
      []string

      Allowed is an optional permitted list

      message
      string

      Message is a human readable message

      security.appvia.io/v1alpha1

      Package v1alpha1 contains API Schema definitions for the security v1alpha1 API group

      Resource Types:

      SecurityOverview

      SecurityOverview contains a report about the current state of Wayfinder or a workspace

      FieldDescription
      apiVersion
      string
      security.appvia.io/v1alpha1
      kind
      string
      SecurityOverview
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      SecurityOverviewSpec
      workspace
      WorkspaceKey

      Workspace will be populated with the workspace key if this report is about a workspace, else unpopulated for a report for the whole of Wayfinder

      openIssueCounts
      map[github.com/appvia/wayfinder/pkg/apis/security/v1alpha1.RuleStatus]uint64

      OpenIssueCounts informs how many issues of each rule status exist currently

      resources
      []SecurityResourceOverview

      Resources contains summaries of the open issues for each resource

      SecurityRule

      SecurityRule contains the definition of a security rule

      FieldDescription
      apiVersion
      string
      security.appvia.io/v1alpha1
      kind
      string
      SecurityRule
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      SecurityRuleSpec
      code
      string

      Code is the unique identifier of this rule

      name
      string

      Name is the human-readable name of this rule

      description
      string

      Description is the markdown-formatted extended description of this rule.

      appliesTo
      []string

      AppliesTo is the list of resource types (e.g. Plan, Cluster) that this rule is applicable for

      SecurityScanResult

      SecurityScanResult contains the result of a scan against all registered rules

      FieldDescription
      apiVersion
      string
      security.appvia.io/v1alpha1
      kind
      string
      SecurityScanResult
      metadata
      Kubernetes meta/v1.ObjectMeta
      Refer to the Kubernetes API documentation for the fields of the metadata field.
      spec
      SecurityScanResultSpec
      id
      uint64

      ID is the ID of this scan result in the data store

      resource
      Ownership

      Resource is a reference to the group/version/kind/namespace/name of the resource scanned by this scan

      owningWorkspace
      string

      OwningWorkspace is the name of the workspace that owns this resource, will be empty if it is a non-workspace resource.

      checkedAt
      Kubernetes meta/v1.Time

      CheckedAt is the timestamp this result was determined

      archivedAt
      Kubernetes meta/v1.Time

      ArchivedAt is the timestamp this result was superseded by a later scan - if ArchivedAt.IsZero() is true this is the most recent scan.

      overallStatus
      RuleStatus

      OverallStatus indicates the worst-case status of the rules checked in this scan

      results
      []*github.com/appvia/wayfinder/pkg/apis/security/v1alpha1.SecurityScanRuleResult

      Results are the underlying results of the individual rules run as part of this scan

      RuleStatus (string)

      (Appears on: SecurityResourceOverview, SecurityScanResultSpec, SecurityScanRuleResult)

      RuleStatus values represent the possible status of compliance with a security rule.

      ValueDescription

      "Compliant"

      Compliant indicates that this target is fully compliant with the specified rule.

      "Failure"

      Failure indicates that this target is uncompliant in a significant way and should be mitigated. This would typically be used for rules where compliance is considered to be vital to a well-run cluster.

      "Warning"

      Warning indicates that this target is uncompliant in such a way that consideration should be made as to whether this should be remediated. This would typically be used for best practice considerations, where not being compliant isn’t necessarily a critical issue.

      SecurityOverviewSpec

      (Appears on: SecurityOverview)

      SecurityOverviewSpec shows the overall current security posture of Wayfinder or a workspace

      FieldDescription
      workspace
      WorkspaceKey

      Workspace will be populated with the workspace key if this report is about a workspace, else unpopulated for a report for the whole of Wayfinder

      openIssueCounts
      map[github.com/appvia/wayfinder/pkg/apis/security/v1alpha1.RuleStatus]uint64

      OpenIssueCounts informs how many issues of each rule status exist currently

      resources
      []SecurityResourceOverview

      Resources contains summaries of the open issues for each resource

      SecurityResourceOverview

      (Appears on: SecurityOverviewSpec)

      SecurityResourceOverview provides an overview of the open issue counts for a resource

      FieldDescription
      resource
      Ownership

      Resource is a reference to the group/version/kind/namespace/name of the resource scanned by this scan

      lastChecked
      Kubernetes meta/v1.Time

      LastChecked is the timestamp this resource was last scanned

      overallStatus
      RuleStatus

      OverallStatus is the overall status of this resource

      openIssueCounts
      map[github.com/appvia/wayfinder/pkg/apis/security/v1alpha1.RuleStatus]uint64

      OpenIssueCounts is the summary of open issues for this resource

      SecurityRuleSpec

      (Appears on: SecurityRule)

      SecurityRuleSpec specifies the details of a security rule

      FieldDescription
      code
      string

      Code is the unique identifier of this rule

      name
      string

      Name is the human-readable name of this rule

      description
      string

      Description is the markdown-formatted extended description of this rule.

      appliesTo
      []string

      AppliesTo is the list of resource types (e.g. Plan, Cluster) that this rule is applicable for

      SecurityScanResultSpec

      (Appears on: SecurityScanResult)

      SecurityScanResultSpec shows the overall result of a scan against all registered rules

      FieldDescription
      id
      uint64

      ID is the ID of this scan result in the data store

      resource
      Ownership

      Resource is a reference to the group/version/kind/namespace/name of the resource scanned by this scan

      owningWorkspace
      string

      OwningWorkspace is the name of the workspace that owns this resource, will be empty if it is a non-workspace resource.

      checkedAt
      Kubernetes meta/v1.Time

      CheckedAt is the timestamp this result was determined

      archivedAt
      Kubernetes meta/v1.Time

      ArchivedAt is the timestamp this result was superseded by a later scan - if ArchivedAt.IsZero() is true this is the most recent scan.

      overallStatus
      RuleStatus

      OverallStatus indicates the worst-case status of the rules checked in this scan

      results
      []*github.com/appvia/wayfinder/pkg/apis/security/v1alpha1.SecurityScanRuleResult

      Results are the underlying results of the individual rules run as part of this scan

      SecurityScanRuleResult

      SecurityScanRuleResult represents the compliance status of a target with respect to a specific security rule.

      FieldDescription
      ruleCode
      string

      RuleCode indicates the rule that this result relates to

      status
      RuleStatus

      Status indicates the compliance of the target with this rule

      message
      string

      Message provides additional information about the status of this rule on this target, if applicable

      checkedAt
      Kubernetes meta/v1.Time

      CheckedAt is the timestamp this result was determined

      This page was automatically generated with gen-crd-api-reference-docs