The module lifecycle stage: General Availability
The Deckhouse Kubernetes Platform installs CRDs but does not remove them when a module is disabled. If you no longer need the created CRDs, delete them.
CodeInstance
Scope: Cluster
Version: v1
-
stringapiVersion
-
stringkind
-
objectmetadata
-
objectspec
CodeInstanceSpec defines the desired state of the CodeInstance.
-
objectspec.appConfigParameters for modifying general settings of Rails components.
Default:
{}-
objectspec.appConfig.contentSecurityPolicyContent Security Policy (CSP) settings for preventing XSS attacks.
Default:
{}-
objectspec.appConfig.contentSecurityPolicy.directivesCSP directives.
Default:
{}-
stringspec.appConfig.contentSecurityPolicy.directives.child_src
-
stringspec.appConfig.contentSecurityPolicy.directives.connect_src
-
stringspec.appConfig.contentSecurityPolicy.directives.default_src
-
stringspec.appConfig.contentSecurityPolicy.directives.font_src
-
stringspec.appConfig.contentSecurityPolicy.directives.frame_ancestors
-
stringspec.appConfig.contentSecurityPolicy.directives.frame_src
-
stringspec.appConfig.contentSecurityPolicy.directives.img_src
-
stringspec.appConfig.contentSecurityPolicy.directives.media_src
-
stringspec.appConfig.contentSecurityPolicy.directives.object_src
-
stringspec.appConfig.contentSecurityPolicy.directives.script_src
-
stringspec.appConfig.contentSecurityPolicy.directives.style_src
-
-
booleanspec.appConfig.contentSecurityPolicy.enabledEnable CSP.
Default:
true -
booleanspec.appConfig.contentSecurityPolicy.reportOnlyEnable CSP in report-only mode.
Default:
false
-
-
objectspec.appConfig.cronJobsList of periodically executed jobs for self-healing, synchronizing, etc.
Default:
{}-
objectspec.appConfig.cronJobs.<KEY_NAME>
<KEY_NAME> — jobName
CronJob name.
-
stringspec.appConfig.cronJobs.<KEY_NAME>.jobClass
Warning. This parameter is intended for advanced users.
Overriding the job execution class.
-
-
stringspec.appConfig.customHtmlHeaderTagsAdditional custom HTML header tags for the UI.
Default:
-
stringspec.appConfig.defaultColorModeDefault color mode for the UI.
Default:
Light
Allowed values:
Light,Dark,Auto -
objectspec.appConfig.ldapLDAP integration settings.
-
booleanspec.appConfig.ldap.preventSigninPrevent user authentication via LDAP in the web UI.
Default:
false -
objectspec.appConfig.ldap.servers
Required value
Configuration of LDAP servers.
Default:
{}-
objectspec.appConfig.ldap.servers.<KEY_NAME>
<KEY_NAME> — serverName
LDAP server name. At least one server must be named main.
Default:
{}-
booleanspec.appConfig.ldap.servers.<KEY_NAME>.activeDirectorySpecifies whether the LDAP server is an Active Directory server.
Default:
true -
booleanspec.appConfig.ldap.servers.<KEY_NAME>.allowUsernameOrEmailLogin
If enabled, Code ignores the login part after the first @ symbol submitted by the user on sign-in.
Default:
false -
objectspec.appConfig.ldap.servers.<KEY_NAME>.attributesSettings with LDAP attribute mapping.
Default:
{}-
array of stringsspec.appConfig.ldap.servers.<KEY_NAME>.attributes.emailLDAP attribute for the user email.
Default:
[ "mail", "email", "userPrincipalName" ] -
stringspec.appConfig.ldap.servers.<KEY_NAME>.attributes.firstNameLDAP attribute for the user’s first name.
Default:
givenName -
stringspec.appConfig.ldap.servers.<KEY_NAME>.attributes.lastNameLDAP attribute for the user’s last name.
Default:
sn -
stringspec.appConfig.ldap.servers.<KEY_NAME>.attributes.nameLDAP attribute for the displayed username.
Default:
cn -
array of stringsspec.appConfig.ldap.servers.<KEY_NAME>.attributes.username
The @username that the Code account will be provisioned with. If the value contains an email address, the Code login is the part of the email address before the @ symbol.
Default:
[ "uid", "userid", "sAMAccountName" ]
-
-
stringspec.appConfig.ldap.servers.<KEY_NAME>.base
Required value
Base DN where users can be searched.
Default:
-
stringspec.appConfig.ldap.servers.<KEY_NAME>.bindDnFull DN of the username used for connecting and synchronizing with LDAP.
Default:
-
booleanspec.appConfig.ldap.servers.<KEY_NAME>.blockAutoCreatedUsersBlock automatically created users until they have been cleared by an administrator.
Default:
false -
stringspec.appConfig.ldap.servers.<KEY_NAME>.encryption
Required value
Connection encryption method.
Default:
Plain
Allowed values:
Plain,SimpleTls,StartTls -
objectspec.appConfig.ldap.servers.<KEY_NAME>.groupSyncSettings for group and membership synchronization.
Default:
{}-
stringspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.base
Required value
Base DN where groups can be searched.
Default:
-
booleanspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.createGroupsCreate groups automatically.
Default:
false -
stringspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.filter
Filter LDAP groups in the format of RFC 4515.
Default:
-
stringspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.nameMaskRegular expression to retrieve group names from DN.
Default:
-
stringspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.owner
Owner of groups synchronized with LDAP. The root user is used by default.
Default:
root -
objectspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.prefixOptional section for group hierarchy settings.
Default:
{}-
stringspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.prefix.attribute
Required value
Name of the LDAP group attribute containing information about the parent group.
Default:
-
stringspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.prefix.default
Required value
Default parent group if prefix.attribute is empty.
Default:
-
stringspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.prefix.nameMaskRegular expression to retrieve parent group name from CN.
-
-
array of objectsspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.roleMappingList of dictionaries for mapping Code roles with roles retrieved from LDAP group names.
Default:
[]-
stringspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.roleMapping.byNameRegular expression for retrieving a role name from the LDAP group.
Default:
-
stringspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.roleMapping.gitlabRoleCode role name.
Default:
Guest
Allowed values:
Guest,Planner,Reporter,Developer,Maintainer,Owner
-
-
numberspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.scope
Group search scope:
0: Base
1: SingleLevel
2: WholeSubtree
Default:
1
Allowed values:
0,1,2 -
stringspec.appConfig.ldap.servers.<KEY_NAME>.groupSync.topLevelGroup
Parent group name where LDAP groups are synchronized to. If there’s no parent group, the synchronization is performed to the root group.
Default:
-
-
stringspec.appConfig.ldap.servers.<KEY_NAME>.host
Required value
FQDN address of the LDAP server.
Default:
-
stringspec.appConfig.ldap.servers.<KEY_NAME>.label
Required value
LDAP server name. At least one server must be named main.
Default:
LDAP -
booleanspec.appConfig.ldap.servers.<KEY_NAME>.lowercaseUsernamesIf enabled, Code converts user logins to lower case.
Default:
false -
stringspec.appConfig.ldap.servers.<KEY_NAME>.passwordPassword of the username used for synchronizing with LDAP.
Default:
-
numberspec.appConfig.ldap.servers.<KEY_NAME>.port
Required value
LDAP server connection port.
Default:
389
Allowed values:
0 <= X <= 65535 -
booleanspec.appConfig.ldap.servers.<KEY_NAME>.syncNameSync Code username with LDAP.
Default:
false -
numberspec.appConfig.ldap.servers.<KEY_NAME>.timeoutTimeout (in seconds) for LDAP requests.
Default:
10
Allowed values:
0 <= X -
stringspec.appConfig.ldap.servers.<KEY_NAME>.uid
Required value
LDAP attribute that maps to the username that users use to sign in.
Default:
sAMAccountName -
stringspec.appConfig.ldap.servers.<KEY_NAME>.userFilter
Filter LDAP users. Follows the format of RFC 4515.
Default:
-
booleanspec.appConfig.ldap.servers.<KEY_NAME>.verifyCertificates
Enable SSL certificate verification when the encryption method ‘SimpleTls’ or ‘StartTls’ is used.
Default:
true
-
-
-
-
objectspec.appConfig.omniauthOmniAuth configuration.
-
array of stringsspec.appConfig.omniauth.allowBypassTwoFactorAllow signing-in without using two-factor authentication (2FA).
Default:
[] -
array of stringsspec.appConfig.omniauth.allowSingleSignOnAllow using the single sign-on (SSO).
Default:
[] -
booleanspec.appConfig.omniauth.autoLinkLdapUserAutomatically link LDAP users with existing Code users.
Default:
false -
booleanspec.appConfig.omniauth.autoLinkSamlUserAutomatically link SAML users with existing Code users.
Default:
false -
array of stringsspec.appConfig.omniauth.autoLinkUserAutomatically link OmniAuth users with existing Code users.
Default:
[] -
stringspec.appConfig.omniauth.autoSignInWithProviderAutomatically sign in via your OmniAuth provider.
-
booleanspec.appConfig.omniauth.blockAutoCreatedUsersBlock automatically-created users.
Default:
true -
booleanspec.appConfig.omniauth.enabledEnable OmniAuth.
Default:
false -
array of stringsspec.appConfig.omniauth.externalProvidersExternal OmniAuth providers.
Default:
[] -
array of objectsspec.appConfig.omniauth.providersList of supported OmniAuth providers.
Default:
[]-
objectspec.appConfig.omniauth.providers.args
-
objectspec.appConfig.omniauth.providers.args.client_options
-
-
stringspec.appConfig.omniauth.providers.icon
-
stringspec.appConfig.omniauth.providers.label
-
stringspec.appConfig.omniauth.providers.name
Allowed values:
alicloud,atlassioan_oauth2,auth0,cognito,azute_activedirectory_v2,bitbucket,oauth2_generic,github,gitlab,google_oauth2,jwt,kerberos,openid_connect,salesforce,saml,shibboleth -
stringspec.appConfig.omniauth.providers.uid
This field is intended for the operator’s needs only. Do not edit the set value.
Default:
-
-
array of stringsspec.appConfig.omniauth.syncProfileAttributesList of profile attributes to sync from the provider.
Default:
[ "name", "email" ] -
array of stringsspec.appConfig.omniauth.syncProfileFromProviderSync profile information from your OmniAuth provider.
Default:
[]
-
-
objectspec.appConfig.rackAttackRackAttack contains basic authentication settings.
-
objectspec.appConfig.rackAttack.gitlabBasicAuthRate-limiting parameters applied in Code to configure blocking and limiting user authentication attempts.
-
integerspec.appConfig.rackAttack.gitlabBasicAuth.banTimeDuration (in seconds) for which an IP address is blocked after exceeding the allowed number of attempts.
Allowed values:
0 <= X -
integerspec.appConfig.rackAttack.gitlabBasicAuth.findTimeTime window (in seconds) after which the authentication attempt counter for an IP address is reset.
Allowed values:
0 <= X -
array of stringsspec.appConfig.rackAttack.gitlabBasicAuth.ipWhitelistList of IP addresses excluded from Rack Attack rules.
-
integerspec.appConfig.rackAttack.gitlabBasicAuth.maxRetryMaximum number of Git HTTP authentication attempts per IP address.
Allowed values:
0 <= X
-
-
-
booleanspec.appConfig.signInEnabled
Enable the standard sign-in page.
Can be turned off to enforce LDAP-based authentication.
Default:
true -
booleanspec.appConfig.signUpEnabled
Allow the user to create new accounts.
This will also allow regular users to sign up on their own.
Default:
false -
booleanspec.appConfig.usernameChangingEnabledAllow username changes for existing accounts.
Default:
false
-
-
objectspec.backupBackup configuration.
Default:
{}-
booleanspec.backup.backupBeforeUpdateEnable automatic backup before module update.
Default:
false -
integerspec.backup.backupStorageGbOverall expected size of backups (TAR archive size) to configure underlying storage.
Default:
3
Allowed values:
1 <= X -
stringspec.backup.cronScheduleIf specified, enables automatic backups based on a cron-formatted schedule.
-
booleanspec.backup.enabledEnables the ability to work with backups.
Default:
false -
objectspec.backup.nodeSelectorSelector to choose a node where to run the backup process from (by toolbox).
-
objectspec.backup.persistentVolumeClaimParameters of the PersistentVolumeClaim resource.
Default:
{}-
booleanspec.backup.persistentVolumeClaim.enabled
Enable PersistentVolumes. If disabled, emptyDir is used instead.
Default:
false -
stringspec.backup.persistentVolumeClaim.storageClass
If persistentVolumeClaim.enabled is set to true, this parameter must include the name of an existing StorageClass for a PersistentVolume in the cluster.
-
-
objectspec.backup.s3S3 storage connection settings for backups.
-
stringspec.backup.s3.bucketNameName of the S3 bucket for backups.
Default:
d8-code-backups -
objectspec.backup.s3.external
-
stringspec.backup.s3.external.accessKey
Required value
Bucket access key. -
stringspec.backup.s3.external.endpoint
Custom S3-compatible storage service endpoint to use for requests.
If the scheme (http:// or https://) is not explicitly provided, the system will default to using https://. For example, an endpoint specified as s3.example.com will automatically be interpreted as https://s3.example.com.
Default:
-
stringspec.backup.s3.external.provider
Required value
S3 storage cloud provider. For storage in a local environment, use Generic.
Allowed values:
Generic,YCloud -
stringspec.backup.s3.external.regionBucket region.
Default:
-
stringspec.backup.s3.external.secretKey
Required value
Secret key for accessing the buckets.
-
-
stringspec.backup.s3.modeStorage type.
Default:
External -
stringspec.backup.s3.tmpBucketNameTemporary object storage bucket name used exclusively during the backup and restore process.
Default:
d8-code-tmp
-
-
array of stringsspec.backup.skipComponentsList of components excluded from backups.
Default:
[]-
stringspec.backup.skipComponents.Element of the array
Allowed values:
Db,Repositories,Uploads,Builds,Artifacts,Pages,Lfs,TerraformState,Registry,Packages,CiSecureFiles,ExternalDiffs
-
-
array of objectsspec.backup.tolerationsTolerations for running a Pod responsible for backups (via toolbox) on a specific node.
Default:
[]-
stringspec.backup.tolerations.effect
-
stringspec.backup.tolerations.key
-
stringspec.backup.tolerations.operator
-
integerspec.backup.tolerations.tolerationSeconds
-
stringspec.backup.tolerations.value
-
-
-
objectspec.featuresConfiguration of optional components that are enabled as necessary.
Default:
{}-
objectspec.features.mailConfiguration of all email types.
Default:
{}-
objectspec.features.mail.incomingEmailIncoming email configuration.
Default:
{ "address": "", "enabled": false, "host": "", "password": "", "user": "" }-
stringspec.features.mail.incomingEmail.address
Required value
Email address template for a resource or project where a reply is sent to (for example, code-incoming+%{key}@gmail.com).
The entire +%{key} suffix should be included within the email address and should not be replaced by any other value.
Default:
-
booleanspec.features.mail.incomingEmail.enabled
Required value
Enable incoming email for the module.
Default:
false -
stringspec.features.mail.incomingEmail.host
Required value
Remote email server address.
Default:
imap.gmail.com -
stringspec.features.mail.incomingEmail.password
Required value
User password for IMAP authentication.
Default:
-
integerspec.features.mail.incomingEmail.portEmail server connection port.
Default:
993 -
objectspec.features.mail.incomingEmail.serviceDeskEmailIncoming email configuration for project support desk.
Default:
{ "address": "", "enabled": false, "host": "", "password": "", "user": "" }-
stringspec.features.mail.incomingEmail.serviceDeskEmail.address
Required value
Email address template for a resource or project where a reply is sent to (for example, project_contact+%{key}@gmail.com).
The entire +%{key} suffix should be included within the email address and should not be replaced by any other value.
Default:
-
booleanspec.features.mail.incomingEmail.serviceDeskEmail.enabled
Required value
Enable incoming email configuration for project support desk.
Applied if incoming emails are configured for the module.
Default:
false -
stringspec.features.mail.incomingEmail.serviceDeskEmail.host
Required value
Remote email server address.
Default:
imap.gmail.com -
stringspec.features.mail.incomingEmail.serviceDeskEmail.password
Required value
User password for IMAP authentication.
Default:
-
integerspec.features.mail.incomingEmail.serviceDeskEmail.portEmail server connection port.
Default:
993 -
booleanspec.features.mail.incomingEmail.serviceDeskEmail.sslUse SSL connection if it’s enabled on the IMAP server.
Default:
true -
booleanspec.features.mail.incomingEmail.serviceDeskEmail.startTlsUse STARTTLS connection if it’s enabled on the IMAP server.
Default:
false -
stringspec.features.mail.incomingEmail.serviceDeskEmail.user
Required value
Username for IMAP authentication.
Default:
-
-
booleanspec.features.mail.incomingEmail.sslUse SSL connection if it’s enabled on the IMAP server.
Default:
true -
booleanspec.features.mail.incomingEmail.startTlsUse STARTTLS connection if it’s enabled on the IMAP server.
Default:
false -
stringspec.features.mail.incomingEmail.user
Required value
Username for IMAP authentication.
Default:
-
-
objectspec.features.mail.outgoingEmail
Default:
{ "displayName": "Deckhouse Code", "from": "no-reply@deckhouse.io", "replyTo": "no-reply@deckhouse.io" }-
stringspec.features.mail.outgoingEmail.displayName
Required value
Sender name displayed in the outgoing email.
Default:
Deckhouse Code -
stringspec.features.mail.outgoingEmail.from
Required value
Sender email address displayed in the outgoing email.
Default:
deckhouse.code@example.com -
stringspec.features.mail.outgoingEmail.replyTo
Required value
Email address displayed in the Reply-To header.
Default:
noreply@example.com -
objectspec.features.mail.outgoingEmail.smtpSMTP configuration for the module.
Default:
{}-
stringspec.features.mail.outgoingEmail.smtp.addressRemote SMTP server address.
Default:
smtp.mailgun.org -
stringspec.features.mail.outgoingEmail.smtp.authenticationSMTP authentication type.
Allowed values:
None,Plain,Login,CramMd5 -
stringspec.features.mail.outgoingEmail.smtp.domainOptional HELO domain for SMTP connection.
Default:
-
booleanspec.features.mail.outgoingEmail.smtp.enabledEnable outgoing email.
Default:
false -
stringspec.features.mail.outgoingEmail.smtp.opensslVerifyModeTLS certificate verification mode.
Default:
Peer
Allowed values:
None,Peer,ClientOnce,FailIfNoPeerCert -
stringspec.features.mail.outgoingEmail.smtp.passwordUser password for SMTP authentication.
Default:
-
integerspec.features.mail.outgoingEmail.smtp.portSMTP server connection port.
Default:
25 -
booleanspec.features.mail.outgoingEmail.smtp.starttlsAutoUse STARTTLS if it’s supported by the SMTP server.
Default:
false -
booleanspec.features.mail.outgoingEmail.smtp.tlsUse SMTP/TLS (SMTPS — SMTP over direct TLS connection).
Default:
false -
stringspec.features.mail.outgoingEmail.smtp.usernameUsername for SMTP authentication.
Default:
-
-
stringspec.features.mail.outgoingEmail.subjectSuffixSuffix added to the subject of all outgoing email of the module.
Default:
-
-
-
objectspec.features.pagesConfiguration of the Pages component.
Default:
{}-
booleanspec.features.pages.enabledEnable the Pages component.
Default:
false -
objectspec.features.pages.ingressIncoming network connection settings for the Pages component.
Default:
{}-
objectspec.features.pages.ingress.annotationsMap of additional annotations for the Pages component.
-
stringspec.features.pages.ingress.hostnameRedefined domain name for the Pages service.
Default:
-
objectspec.features.pages.ingress.httpsHTTPS configuration for incoming connections.
-
objectspec.features.pages.ingress.https.certManager
Configuration of the cert-manager.
-
stringspec.features.pages.ingress.https.certManager.clusterIssuerNameName of the ClusterIssuer issuing the SSL certificates.
Default:
letsencrypt
-
-
objectspec.features.pages.ingress.https.customCertificateCustom certificate mode parameters.
-
stringspec.features.pages.ingress.https.customCertificate.secretNameName of Secret where the custom certificate is stored.
-
-
stringspec.features.pages.ingress.https.mode
Default:
CertManager
Allowed values:
CertManager,CustomCertificate
-
-
stringspec.features.pages.ingress.ingressClassIngress class to use for Pages. If empty, it defaults to the instance global.
-
-
objectspec.features.pages.s3S3 storage connection settings.
-
stringspec.features.pages.s3.bucketNameName of the S3 bucket used by the Pages component.
Default:
d8-code-pages -
objectspec.features.pages.s3.externalExternal S3 storage configuration.
-
stringspec.features.pages.s3.external.accessKey
Required value
Bucket access key. -
stringspec.features.pages.s3.external.endpoint
Custom S3-compatible storage service endpoint to use for requests.
If the scheme (http:// or https://) is not explicitly provided, the system will default to using https://. For example, an endpoint specified as s3.example.com will automatically be interpreted as https://s3.example.com.
Default:
-
stringspec.features.pages.s3.external.provider
Required value
S3 storage cloud provider. For storage in a local environment, use Generic.
Allowed values:
Generic,YCloud -
stringspec.features.pages.s3.external.regionBucket region.
Default:
-
stringspec.features.pages.s3.external.secretKey
Required value
Secret key for accessing the buckets. -
objectspec.features.pages.s3.external.storageOptions
Default:
{}-
stringspec.features.pages.s3.external.storageOptions.serverSideEncryptionS3 bucket encryption mode.
Allowed values:
AES256,AwsKms -
stringspec.features.pages.s3.external.storageOptions.serverSideEncryptionKmsKeyId
Amazon Resource Name (ARN) of the KMS key. Only needed when AwsKms is used in serverSideEncryption.
-
-
-
stringspec.features.pages.s3.modeStorage type.
Default:
External
Allowed values:
Internal,External
-
-
-
objectspec.features.registryConfiguration of the Registry component.
Default:
{}-
booleanspec.features.registry.enabledEnable the Registry component.
Default:
false -
objectspec.features.registry.garbageCollectorGarbage collector configuration.
-
objectspec.features.registry.garbageCollector.blobsBlob garbage collector configuration.
-
booleanspec.features.registry.garbageCollector.blobs.enabledEnable the blob garbage collector.
Default:
false -
stringspec.features.registry.garbageCollector.blobs.intervalInterval between the blob garbage collector launches.
Default:
5s
-
-
booleanspec.features.registry.garbageCollector.enabledEnable garbage collector.
Default:
false -
objectspec.features.registry.garbageCollector.manifestsManifest garbage collector configuration.
-
booleanspec.features.registry.garbageCollector.manifests.enabledEnable the manifest garbage collector.
Default:
false -
stringspec.features.registry.garbageCollector.manifests.intervalInterval between the manifest garbage collector launches.
Default:
5s
-
-
-
objectspec.features.registry.ingressIncoming network connection settings for the Registry component.
Default:
{}-
objectspec.features.registry.ingress.annotationsMap of additional annotations for the Registry component.
-
stringspec.features.registry.ingress.hostnameRedefined domain name for the Registry service.
Default:
-
objectspec.features.registry.ingress.httpsHTTPS configuration for incoming connections of the Registry component.
-
objectspec.features.registry.ingress.https.certManager
Configuration of the cert-manager.
-
stringspec.features.registry.ingress.https.certManager.clusterIssuerNameName of the ClusterIssuer issuing the SSL certificates.
Default:
letsencrypt
-
-
objectspec.features.registry.ingress.https.customCertificateCustom certificate mode parameters.
-
stringspec.features.registry.ingress.https.customCertificate.secretNameName of Secret where the custom certificate is stored.
-
-
stringspec.features.registry.ingress.https.mode
Default:
CertManager
Allowed values:
CertManager,CustomCertificate
-
-
stringspec.features.registry.ingress.ingressClassIngress class to use for Registry. If empty, it defaults to the instance global.
-
-
objectspec.features.registry.maintenanceRegistry maintenance settings.
Default:
{}-
objectspec.features.registry.maintenance.readOnlyRead-only mode.
Default:
{}-
booleanspec.features.registry.maintenance.readOnly.enabledEnable the read-only mode for Registry for the duration of maintenance.
Default:
false
-
-
objectspec.features.registry.maintenance.uploadPurgingConfiguration of the maintenance feature allowing to delete image upload artifacts from the storage. This does not delete the image data.
Default:
{}-
stringspec.features.registry.maintenance.uploadPurging.ageAge thresholds (in hours) for artifacts to be deleted.
Default:
168h
Pattern:
^(\d+)h$ -
booleanspec.features.registry.maintenance.uploadPurging.dryrunRun the upload purging in dry-run mode.
Default:
false -
booleanspec.features.registry.maintenance.uploadPurging.enabledEnable the upload purging. Disabled by default while in the read-only mode.
Default:
true -
stringspec.features.registry.maintenance.uploadPurging.intervalInterval of the purging runs.
Default:
24h
Pattern:
^(\d+)h$
-
-
-
objectspec.features.registry.postgresPostgreSQL database connection settings.
-
objectspec.features.registry.postgres.externalExternal PostgreSQL database connection settings.
-
stringspec.features.registry.postgres.external.database
Required value
Main database name.
Minimal length:
3 -
stringspec.features.registry.postgres.external.hostIP address or domain name of the PostgreSQL server.
-
stringspec.features.registry.postgres.external.passwordUser password for the metadata database.
-
integerspec.features.registry.postgres.external.portPort for connecting to the PostgreSQL server.
-
stringspec.features.registry.postgres.external.serverCACA certificate for the PostgreSQL server.
-
stringspec.features.registry.postgres.external.sslModePriority of the SSL connection to the PostgreSQL server through TCP/IP.
Default:
prefer
Allowed values:
allow,prefer,require,verify-ca,verify-full -
stringspec.features.registry.postgres.external.usernameUsername for the metadata database.
-
-
stringspec.features.registry.postgres.modeDatabase type.
Allowed values:
External
-
-
objectspec.features.registry.s3S3 storage connection settings.
Default:
{}-
stringspec.features.registry.s3.bucketNameList of “key-value” pairs naming all required buckets.
Default:
d8-code-registry -
objectspec.features.registry.s3.external
-
stringspec.features.registry.s3.external.accessKey
Required value
S3 bucket access key. -
stringspec.features.registry.s3.external.endpoint
Custom S3-compatible storage service endpoint to use for requests.
If the scheme (http:// or https://) is not explicitly provided, the system will default to using https://. For example, an endpoint specified as s3.example.com will be automatically interpreted as https://s3.example.com.
Default:
-
stringspec.features.registry.s3.external.provider
Required value
S3 storage cloud provider. For storage in a local environment, use Generic.
Allowed values:
Generic,YCloud -
stringspec.features.registry.s3.external.regionS3 bucket region.
Default:
-
stringspec.features.registry.s3.external.secretKey
Required value
Secret key for accessing the S3 buckets.
-
-
stringspec.features.registry.s3.modeObject storage type for the Registry component.
Default:
External
Allowed values:
Internal,External
-
-
-
-
objectspec.gitDataGit data configuration.
-
integerspec.gitData.replicas
Number of Gitaly nodes when the high-availability mode is enabled (highAvailability).
Allowed values:
1 <= X -
objectspec.gitData.resourcesSize of resources for Git data (Gitaly).
-
stringspec.gitData.storageClassKubernetes storageClass used for Git data storage (for PVC in Gitaly Pods).
-
integerspec.gitData.storagePerReplicaGbSize of the entire Git data. Required to calculate the size of volumes for each replica.
Default:
1
Allowed values:
1 <= X
-
-
objectspec.networkNetwork configuration parameters.
Default:
{}-
objectspec.network.certificates
Section for configuring and managing TLS certificates.
Default:
{}-
array of objectsspec.network.certificates.customCAs
List of Secret and ConfigMap objects to fetch CA certificates from.
To see an example of the list, refer to Network.
Default:
[]-
stringspec.network.certificates.customCAs.configMap
-
array of stringsspec.network.certificates.customCAs.keys
-
stringspec.network.certificates.customCAs.secret
-
-
-
objectspec.network.gitSshSSH-related parameters.
-
stringspec.network.gitSsh.hostname
Hostname where Git SSH will be available.
Leave empty to use the name corresponding with the web UI. Make sure that both services are available via the same IP address.
Default:
-
objectspec.network.gitSsh.serviceService configuration for accessing the Git SSH.
-
objectspec.network.gitSsh.service.annotationsMap of additional annotations for the shell deployment.
-
integerspec.network.gitSsh.service.nodePort
Port number to be used to expose the shell component when the NodePort service type is selected.
Allowed values:
30000 <= X <= 32767 -
stringspec.network.gitSsh.service.type
Type of a Kubernetes service for exposing your shell component.
For a single-node cluster, NodePort is reasonable, otherwise LoadBalancer is recommended.
Allowed values:
LoadBalancer,NodePort,ClusterIP
-
-
-
stringspec.network.ingressClassIngress class to use in the module. If empty, it defaults to the Deckhouse global Ingress class.
Default:
-
objectspec.network.ownLoadBalancerHAProxy configuration parameters.
Default:
{}-
objectspec.network.ownLoadBalancer.annotationsMap of annotations for the HAProxy service.
-
booleanspec.network.ownLoadBalancer.enabledDeploy an additional LoadBalancer for both Git SSH and web UI.
Default:
true -
array of stringsspec.network.ownLoadBalancer.httpBackendsList of IngressNginxController names to route HTTP(S) traffic to. Defaults to a Kubernetes service based on the Ingress class name.
Default:
[]
-
-
objectspec.network.webWeb service (UI) network parameters.
-
objectspec.network.web.annotationsMap of additional annotations for the web service.
-
stringspec.network.web.hostname
Hostname where UI will be available. If left empty, it defaults to the cluster domain template.
Important. Make sure that https.mode and the TLS certificate are valid for the specified hostname.
Default:
-
objectspec.network.web.https
Type of the certificate used.
Whenever this parameter is used, the global.modules.https settings are overridden completely.
-
objectspec.network.web.https.certManager
Parameters of the cert-manager.
-
stringspec.network.web.https.certManager.clusterIssuerName
ClusterIssuer type to be used to issue an SSL certificate. The following types are currently available: letsencrypt, letsencrypt-staging, and selfsigned, but you can also specify a custom type.
Default:
letsencrypt
-
-
objectspec.network.web.https.customCertificateParameters for a custom certificate usage.
-
stringspec.network.web.https.customCertificate.secretName
Name of a Secret in the d8-code namespace to be used for the Code web UI.
The Secret must correspond with the kubernetes.io/tls format.
-
-
stringspec.network.web.https.mode
HTTPS mode:
CertManager: The web UI is accessed over HTTPS using a certificate obtained from a ClusterIssuer specified in the certManager.clusterIssuerName parameter.
CustomCertificate: The web UI is accessed over HTTPS using a certificate from the d8-code namespace.
Default:
CertManager
Allowed values:
CertManager,CustomCertificate
-
-
-
-
objectspec.placementCR component placement settings.
Default:
{}-
booleanspec.placement.dedicated
Lets you control the placement of the Code module on specific nodes. If enabled, Code components are placed on nodes labeled with node-role.deckhouse.io/code=.
For details about managing placement of components, refer to the section about Deckhouse configuration.
Default:
true
-
-
objectspec.scalingScaling-related configurations
Default:
{}-
booleanspec.scaling.highAvailabilityEnable the High Availability (HA) mode.
Default:
false -
integerspec.scaling.targetUserCountEstimated number of the module users.
Default:
100
Allowed values:
10,100,300,500,1000
-
-
objectspec.storages
Required value
Configuration of storages used by Code. At the moment, only external storages are supported.
-
objectspec.storages.postgres
Required value
PostgreSQL database connection settings.-
objectspec.storages.postgres.externalExternal PostgreSQL database connection settings.
-
stringspec.storages.postgres.external.database
Required value
Main database name. -
stringspec.storages.postgres.external.host
Required value
IP address or domain name of the PostgreSQL server.Default:
localhost -
stringspec.storages.postgres.external.passwordPostgreSQL user password.
-
integerspec.storages.postgres.external.portPort for connecting to the PostgreSQL server.
Default:
5432 -
stringspec.storages.postgres.external.praefectDatabasePostgreSQL database name used for Praefect.
Default:
-
stringspec.storages.postgres.external.praefectPasswordPostgreSQL user password for accessing Praefect.
-
stringspec.storages.postgres.external.praefectUsernamePostgreSQL username for accessing Praefect.
Default:
postgres -
stringspec.storages.postgres.external.serverCACA certificate for the PostgreSQL server.
-
stringspec.storages.postgres.external.sslModePriority of the SSL connection to the PostgreSQL server through TCP/IP.
Default:
preferAllowed values:
allow,prefer,require,verify-ca,verify-full -
string spec.storages.postgres.external.username
Required value
PostgreSQL username.
Default:
postgres
-
-
string spec.storages.postgres.mode
Database type.
Allowed values:
Internal, External
-
-
object spec.storages.redis
Required value
Redis connection settings.
-
object spec.storages.redis.external
External Redis connection settings.
-
object spec.storages.redis.external.auth
Required value
Authentication settings for connecting to Redis.
-
boolean spec.storages.redis.external.auth.enabled
Required value
Enable Redis authentication.
Default:
false
-
string spec.storages.redis.external.auth.password
Redis user password when authentication is enabled.
-
string spec.storages.redis.external.auth.username
Redis username when authentication is enabled.
-
-
string spec.storages.redis.external.host
Redis server domain name or IP address. Not required if Sentinel is used.
Default:
-
string spec.storages.redis.external.masterName
Master node name for the Sentinel cluster in Redis.
-
integer spec.storages.redis.external.port
Redis server connection port.
Default:
6379
-
string spec.storages.redis.external.scheme
Redis server connection scheme.
Default:
redis
Allowed values:
redis, rediss, tcp
-
array of objects spec.storages.redis.external.sentinels
-
string spec.storages.redis.external.sentinels.host
-
integer spec.storages.redis.external.sentinels.port
-
-
string spec.storages.redis.external.serverCA
CA certificate for connecting to the Redis server.
-
-
string spec.storages.redis.mode
Required value
Redis type.
Allowed values:
Internal, External
-
-
object spec.storages.s3
Required value
S3 storage connection settings.
-
object spec.storages.s3.bucketNames
List of “key-value” pairs naming all required buckets.
Default:
{}
-
string spec.storages.s3.bucketNames.artifacts
Name of the bucket for artifact storage.
Default:
d8-code-artifacts
-
string spec.storages.s3.bucketNames.ciSecureFiles
Name of the bucket for storing secure CI files.
Default:
d8-code-ci-secure-files
-
string spec.storages.s3.bucketNames.dependencyProxy
Name of the bucket for storing artifacts of the dependency proxy.
Default:
d8-code-dependency-proxy
-
string spec.storages.s3.bucketNames.externalDiffs
Name of the bucket for storing Merge Request diff files.
Default:
d8-code-mr-diffs
-
string spec.storages.s3.bucketNames.lfs
Name of the bucket for storing Git LFS data.
Default:
d8-code-git-lfs
-
string spec.storages.s3.bucketNames.packages
Name of the bucket for storing packages.
Default:
d8-code-packages
-
string spec.storages.s3.bucketNames.terraformState
Name of the bucket for storing Terraform state information.
Default:
d8-code-terraform-state
-
string spec.storages.s3.bucketNames.uploads
Name of the bucket for storing uploaded files.
Default:
d8-code-uploads
-
-
object spec.storages.s3.external
External S3 storage settings.
-
string spec.storages.s3.external.accessKey
Required value
S3 bucket access key.
-
string spec.storages.s3.external.endpoint
Custom S3-compatible storage service endpoint to use for requests.
If the scheme (http:// or https://) is not explicitly provided, the system will default to using https://. For example, an endpoint specified as s3.example.com will be automatically interpreted as https://s3.example.com.
Default:
-
string spec.storages.s3.external.provider
Required value
S3 storage cloud provider. For storage in a local environment, use Generic.
Allowed values:
Generic, YCloud
-
boolean spec.storages.s3.external.proxyDownload
Enable the proxy for all downloads via Code instead of direct downloads from S3 buckets.
Default:
true
-
string spec.storages.s3.external.region
S3 bucket region.
Default:
-
string spec.storages.s3.external.secretKey
Required value
Secret key for accessing the S3 buckets.
-
object spec.storages.s3.external.storageOptions
-
string spec.storages.s3.external.storageOptions.serverSideEncryption
S3 bucket encryption mode.
Allowed values:
(empty), AES256, AwsKms
-
string spec.storages.s3.external.storageOptions.serverSideEncryptionKmsKeyId
Amazon Resource Name (ARN) of the KMS key. Only needed when AwsKms is used in serverSideEncryption.
-
-
-
string spec.storages.s3.mode
Default:
External
Allowed values:
Internal, External
-
-
-
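Several of the storage defaults documented above (sslMode prefer, scheme redis, auth.enabled false, an empty serverSideEncryption) leave transport security or authentication optional. The following is an added example, not part of the Deckhouse documentation or code: a small audit over a CodeInstance spec already parsed into a dict. The function name, finding texts and sample hostnames are this example's own; it assumes sslMode follows libpq semantics and that only the rediss scheme denotes TLS.

```python
# Added example (not Deckhouse code): audit spec.storages of a CodeInstance
# for weak transport and authentication settings, using the documented defaults.

def audit_storages(spec):
    """Return (field path, finding) tuples for external storage settings."""
    findings = []
    storages = spec.get("storages", {})

    pg = storages.get("postgres", {}).get("external")
    if pg is not None:
        mode = pg.get("sslMode", "prefer")          # documented default
        notes = {                                   # assumption: libpq semantics
            "allow": "TLS is optional; the session may be plaintext",
            "prefer": "TLS is optional; the session may be plaintext",
            "require": "encrypted, but the server certificate is not verified",
            "verify-ca": "CA is verified, but the host name is not matched",
        }
        if mode in notes:
            findings.append(("postgres.external.sslMode", f"{mode}: {notes[mode]}"))

    redis = storages.get("redis", {}).get("external")
    if redis is not None:
        scheme = redis.get("scheme", "redis")       # documented default
        if scheme != "rediss":                      # assumption: only rediss is TLS
            findings.append(("redis.external.scheme", f"{scheme}: no TLS"))
        if not redis.get("auth", {}).get("enabled", False):
            findings.append(("redis.external.auth.enabled", "authentication is off"))

    s3 = storages.get("s3", {}).get("external")
    if s3 is not None:
        if s3.get("endpoint", "").lower().startswith("http://"):
            findings.append(("s3.external.endpoint", "explicit http:// drops TLS"))
        if not s3.get("storageOptions", {}).get("serverSideEncryption"):
            findings.append(("s3.external.storageOptions.serverSideEncryption",
                             "no server-side encryption requested"))
    return findings

# Constructed sample: optional security fields are left at their defaults.
SAMPLE_SPEC = {"storages": {
    "postgres": {"mode": "External", "external": {
        "host": "pg.example.internal", "database": "code", "username": "code"}},
    "redis": {"mode": "External", "external": {
        "host": "redis.example.internal", "auth": {"enabled": False}}},
    "s3": {"mode": "External", "external": {
        "provider": "Generic", "endpoint": "http://s3.example.internal"}},
}}

if __name__ == "__main__":
    for path, finding in audit_storages(SAMPLE_SPEC):
        print(f"spec.storages.{path}: {finding}")
```

An empty serverSideEncryption finding is advisory: the bucket may still be encrypted by a default policy on the storage side.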