
Platform Application Reference

Auto-generated derived type for PlatformApplicationSpec via CustomResource

| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | meta.p6m.dev/v1alpha1 | true |
| kind | string | PlatformApplication | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | | true |
| status | object | | false |

spec

| Name | Type | Description | Required |
|---|---|---|---|
| autoscaling | object | Horizontal Pod Autoscaling (HPA) and KEDA trigger configuration. HPA uses a hardcoded CPU utilization threshold of 80%. Optional KEDA triggers can be used for alternative scaling metrics (e.g., cron-based scaling). | false |
| config | map[string]string | Environment variables to inject into the pod. Specified as key-value pairs (e.g., "KEY: value"). These are injected directly into the container environment. | false |
| deployment | object | Kubernetes deployment configuration including container image, ports, readiness probes, and resource requests/limits. | false |
| managedResources | []object | RESERVED: Resources that will be created and managed by Crossplane compositions owned by this application. The operator will create the Crossplane claims and manage their lifecycle alongside this application. | false |
| networking | object | Networking configuration including ingress, inbound/outbound traffic policies, and CDN settings. | false |
| resources | map[string][]object | Cloud resources that the application will be granted access to via IAM policies. Any resources provisioned with Crossplane compositions can be referenced here. Note: this only grants access to existing resources and does not create them. Resource creation must be done via Crossplane compositions separately. Each composition has different accesses available; refer to the composition documentation. Special case: specify "crdb" as the key to request a CockroachDB database without needing to specify accesses. | false |
| rollouts | object | ArgoCD Rollouts configuration for advanced deployment strategies. Not currently implemented. | false |
| secrets | []object | Secrets from the cloud secret store (e.g., AWS Secrets Manager, Azure Key Vault) that will be synced as Kubernetes secrets and mounted into the pod as environment variables. Each secret is stored in the cloud provider as key-value pairs and will be injected into the pod with the key as the environment variable name. | false |
| workloadSelectors | object | Node selectors to restrict where the application can be deployed. Defaults to supporting both amd64 and arm64 architectures. If not specified, the application will be scheduled on any available compatible node. Default: map[kubernetes.io/architectures:amd64,arm64] | false |

spec.autoscaling

Horizontal Pod Autoscaling (HPA) and KEDA trigger configuration. HPA uses a hardcoded CPU utilization threshold of 80%. Optional KEDA triggers can be used for alternative scaling metrics (e.g., cron-based scaling).

| Name | Type | Description | Required |
|---|---|---|---|
| cpuThresholdPercentage | integer | RESERVED: CPU utilization threshold percentage for scaling. Not currently implemented; HPA uses a hardcoded 80% CPU utilization threshold instead. Valid range: 1-100%. Format: int32; Minimum: 1; Maximum: 100. | false |
| enabled | boolean | Enable Horizontal Pod Autoscaling (HPA) or KEDA-based scaling. Defaults to false. When enabled with no triggers specified, uses HPA with a hardcoded 80% CPU utilization threshold. | false |
| maxReplicas | integer | Maximum number of pod replicas the autoscaler can create. Defaults to 10 if not specified. Must be >= 1. Format: int32; Minimum: 1. | false |
| memoryThresholdPercentage | integer | RESERVED: Memory utilization threshold percentage for scaling. Not currently implemented; use KEDA triggers for memory-based scaling instead. Valid range: 1-100%. Format: int32; Minimum: 1; Maximum: 100. | false |
| minReplicas | integer | Minimum number of pod replicas to maintain. Defaults to 2 if not specified. Must be >= 0. Format: int32; Minimum: 0. | false |
| triggers | []object | KEDA scaling triggers for custom metrics (e.g., cron-based scaling). See https://keda.sh/docs/2.13/scalers/cron/ for supported trigger types and configuration. | false |

spec.autoscaling.triggers[index]

| Name | Type | Description | Required |
|---|---|---|---|
| metadata | map[string]string | | true |
| type | string | | true |

spec.deployment

Kubernetes deployment configuration including container image, ports, readiness probes, and resource requests/limits.

| Name | Type | Description | Required |
|---|---|---|---|
| image | string | Container image URI (including registry). Typically set to a mutable tag such as "latest"; CI/CD systems override this with specific version tags for deployments. | true |
| ports | []object | List of ports exposed by the container. Each port requires a port number and protocol type (TCP, UDP, HTTP, or HTTPS). | false |
| readOnlyRootFilesystem | boolean | Whether the container's root filesystem should be mounted as read-only. Improves security by preventing filesystem modifications. Temporary storage (/tmp, /var/tmp) will still be writable. | false |
| readinessProbe | object | HTTP endpoint configuration for Kubernetes readiness probes. The container must return HTTP 200 on the specified path for the pod to be considered ready to receive traffic. | false |
| resources | object | Kubernetes resource requests and limits (CPU, memory, and GPUs). Requests are guaranteed resources; limits prevent the container from exceeding those amounts. | false |

spec.deployment.ports[index]

| Name | Type | Description | Required |
|---|---|---|---|
| port | integer | Port number on the container (1-65535). Format: int32; Minimum: 1; Maximum: 65535. | true |
| protocol | string | Protocol for the port, examples: TCP, UDP, HTTP, HTTPS | true |

spec.deployment.readinessProbe

HTTP endpoint configuration for Kubernetes readiness probes. The container must return HTTP 200 on the specified path for the pod to be considered ready to receive traffic.

| Name | Type | Description | Required |
|---|---|---|---|
| path | string | HTTP path for the readiness check (e.g., "/health" or "/status"). The call must respond with HTTP 200 to be considered ready. | true |
| port | integer | Port number on the container to check for readiness (1-65535; must match one of the declared ports). Format: int32; Minimum: 1; Maximum: 65535. | true |

spec.deployment.resources

Kubernetes resource requests and limits (CPU, memory, and GPUs). Requests are guaranteed resources; limits prevent the container from exceeding those amounts.

| Name | Type | Description | Required |
|---|---|---|---|
| limits | object | Maximum resource allocation for the container. Kubernetes will kill the container if it exceeds these limits. Requires requests to be set. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | false |
| requests | object | Guaranteed resource allocation reserved for the container on the node. The scheduler uses this to determine pod placement. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | false |

spec.deployment.resources.limits

Maximum resource allocation for the container. Kubernetes will kill the container if it exceeds these limits. Requires requests to be set. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

| Name | Type | Description | Required |
|---|---|---|---|
| cpu | string | CPU resources in Kubernetes format (e.g., "500m" for 500 millicores, "1" for 1 core). See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu | false |
| gpu | string | GPU resources (e.g., "1" for 1 GPU). GPU node availability depends on your cluster configuration. | false |
| memory | string | Memory resources in Kubernetes format (e.g., "128Mi" for 128 mebibytes, "1Gi" for 1 gibibyte). See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory | false |

spec.deployment.resources.requests

Guaranteed resource allocation reserved for the container on the node. The scheduler uses this to determine pod placement. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

| Name | Type | Description | Required |
|---|---|---|---|
| cpu | string | CPU resources in Kubernetes format (e.g., "500m" for 500 millicores, "1" for 1 core). See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu | false |
| gpu | string | GPU resources (e.g., "1" for 1 GPU). GPU node availability depends on your cluster configuration. | false |
| memory | string | Memory resources in Kubernetes format (e.g., "128Mi" for 128 mebibytes, "1Gi" for 1 gibibyte). See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory | false |

spec.managedResources[index]

| Name | Type | Description | Required |
|---|---|---|---|
| class | string | Crossplane composition class (category). Examples: "default", "premium", "minimal". Specific values depend on the compositions available in your cluster. | true |
| type | string | Crossplane composition type (resource type to create). Examples: "postgres", "mysql", "s3bucket", "storage-account". Must match a valid XRD (Composite Resource Definition) available in your cluster. | true |
| metadata | object | Optional Kubernetes metadata (labels, annotations) to apply to the created resource and its claim. | false |

spec.managedResources[index].metadata

Optional Kubernetes metadata (labels, annotations) to apply to the created resource and its claim.

| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Annotations to apply to the resource (key-value metadata, not used for selection) | true |
| labels | map[string]string | Labels to apply to the resource (key-value metadata used for selection and organization) | true |

spec.networking

Networking configuration including ingress, inbound/outbound traffic policies, and CDN settings.

| Name | Type | Description | Required |
|---|---|---|---|
| inbound | object | Inbound access policy: list of services allowed to access this application. Used to generate Istio/network policies. If not specified, all traffic is allowed. | false |
| ingress | object | Ingress configuration for exposing the application to external traffic (internet or internal networks) | false |
| outbound | object | Outbound access policy: list of services and external hosts this application is allowed to access. Used to generate Istio/network policies. If not specified, all traffic is allowed. | false |

spec.networking.inbound

Inbound access policy: list of services allowed to access this application. Used to generate Istio/network policies. If not specified, all traffic is allowed.

| Name | Type | Description | Required |
|---|---|---|---|
| services | []object | List of services allowed to access this application. Generates Istio/network policies to enforce access. If not specified, all inbound traffic to the service is allowed. | false |

spec.networking.inbound.services[index]

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Kubernetes service name allowed to access this application | true |
| namespace | string | Kubernetes namespace of the source service. Should be specified explicitly; if omitted, the service name is used as the namespace as well. | false |
| port | integer | Port on this application to allow the service to access (1-65535). If not specified, all ports are allowed. Format: int32; Minimum: 1; Maximum: 65535. | false |

spec.networking.ingress

Ingress configuration for exposing the application to external traffic (internet or internal networks)

| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Additional AWS ALB (Application Load Balancer) annotations for the Kubernetes Ingress resource. Only applied when using the AWS cloud provider with the Kubernetes ingress type (not Istio/Gateway API). See: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/ | false |
| authentication | enum | RESERVED: Authentication requirement for standard methods (Required or Anonymous). Not currently implemented. Use jwt_authentication: true for JWT-based authentication. When neither field is specified, the ingress allows anonymous access. Enum: Required, Anonymous. | false |
| cdn | object | CDN configuration for caching and serving content globally. When enabled, requests route through the CDN before reaching the origin. | false |
| certificate | object | Certificate configuration for custom gateway (TLS/SSL). Required when using a custom domain or custom gateway. | false |
| enabled | boolean | Whether to expose the application externally via an ingress/load balancer. When disabled, the application is only accessible within the cluster. | false |
| gateway | string | Specific Istio gateway to use for this ingress, or omit to use the cluster default gateway. Used to route through custom gateways. | false |
| hostnamePrefix | string | Prefix to prepend to the auto-generated default hostname (e.g., "staging" + "myapp" = "staging-myapp.platform.domain"). Ignored if custom hostnames are specified. | false |
| hostnames | []string | List of fully qualified domain names (FQDNs) to register for this application (e.g., ["app.example.com", "app-alt.example.com"]). Requires DNS records to be created externally. | false |
| internal | boolean | Whether the application should only be internally accessible via the ingress (only applies with a custom gateway). When true, no external IP is assigned. | false |
| jwtAuthentication | boolean | Enable JWT token authentication. Requests must include valid JWT tokens in the Authorization header. | false |
| oidc | boolean | Enable OpenID Connect (OIDC) authentication. Requests must provide valid OIDC credentials to access the application. | false |
| originRequestRestriction | object | Restrictions on origin requests. HTTP requests to the origin will return a 404 unless they match the specified headers. Used to prevent direct backend access. | false |
| path | string | Path prefix to forward to the backend (e.g., "/api" will route "/api/*" to the application). Used for routing to specific endpoints. | false |
| pathRewrite | string | Path to rewrite requests to before sending to the backend (e.g., "/api" -> "/" will strip the prefix). Used for path manipulation. | false |
| tld | string | Custom top-level domain (TLD) for this application instead of the cluster default (e.g., "mycompany.com"). Only applies when using a custom gateway. | false |
| type | enum | Ingress implementation type: "istio" (Istio VirtualService/Gateway) or "kubernetes" (standard Kubernetes Ingress). Defaults based on cluster configuration. Enum: istio, kubernetes. | false |
| visibility | enum | Load balancer visibility: PublicIP (internet-routable) or PrivateIP (internal only). Defaults based on cluster configuration. Enum: PublicIP, PrivateIP. | false |

spec.networking.ingress.cdn

CDN configuration for caching and serving content globally. When enabled, requests route through the CDN before reaching the origin.

| Name | Type | Description | Required |
|---|---|---|---|
| domains | []string | DEPRECATED: Use the PlatformEdge.meta.p6m.dev CRD instead. List of domains that should be served via the CDN (e.g., ["app.example.com"]). | false |
| enabled | boolean | Whether CDN caching is enabled for this ingress. Set to true to cache responses or false for direct origin access. If not specified, defaults based on the 'required' field. | false |
| required | boolean | Whether CDN is required for this ingress (forces CDN to be active even if 'enabled' is not set). Useful for ensuring the CDN is always in the path. | false |
| wafId | string | DEPRECATED: Use the PlatformEdge.meta.p6m.dev CRD instead. AWS WAF (Web Application Firewall) ID to attach to the CloudFront distribution for security. | false |
| zoneId | string | DEPRECATED: Use the PlatformEdge.meta.p6m.dev CRD instead. AWS Route53 hosted zone ID for managing DNS records for CDN domains. | false |

spec.networking.ingress.certificate

Certificate configuration for custom gateway (TLS/SSL). Required when using a custom domain or custom gateway.

| Name | Type | Description | Required |
|---|---|---|---|
| externalSecret | object | Fetch the certificate from a cloud provider secret store (AWS Secrets Manager, Azure Key Vault) via the ExternalSecrets operator | false |
| secretRef | object | Reference to an existing Kubernetes secret containing the TLS certificate and private key | false |

spec.networking.ingress.certificate.externalSecret

Fetch the certificate from a cloud provider secret store (AWS Secrets Manager, Azure Key Vault) via the ExternalSecrets operator

| Name | Type | Description | Required |
|---|---|---|---|
| format | enum | Format of the certificate: 'pkcs12' (binary format) or 'pem' (text format). Determines how the certificate is extracted and converted. Enum: pkcs12, pem. | true |
| secretName | string | Name of the secret in the cloud provider (AWS Secrets Manager, Azure Key Vault, etc.) | true |
| secretStore | string | Name of an existing ExternalSecrets SecretStore resource in the cluster that knows how to authenticate with your cloud provider | true |

spec.networking.ingress.certificate.secretRef

Reference to an existing Kubernetes secret containing the TLS certificate and private key

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the Kubernetes secret containing the TLS certificate and key (usually in the tls.crt and tls.key keys) | true |
| namespace | string | Namespace where the secret is located. Defaults to the application's namespace if not specified. | false |

spec.networking.ingress.originRequestRestriction

Restrictions on origin requests. HTTP requests to the origin will return a 404 unless they match the specified headers. Used to prevent direct backend access.

| Name | Type | Description | Required |
|---|---|---|---|
| headers | []object | HTTP headers that must be present and match for the request to reach the origin. Requests without matching headers receive HTTP 404. Useful for protecting the origin from direct access. | false |

spec.networking.ingress.originRequestRestriction.headers[index]

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | HTTP header name to match (e.g., "Authorization", "X-Custom-Header") | true |
| value | string | Expected header value (exact string or regex pattern depending on type) | true |
| type | enum | Match type: "Exact" for exact string match or "Regex" for regular expression pattern matching. Enum: Exact, Regex. Default: Exact. | false |

spec.networking.outbound

Outbound access policy: list of services and external hosts this application is allowed to access. Used to generate Istio/network policies. If not specified, all traffic is allowed.

| Name | Type | Description | Required |
|---|---|---|---|
| external | []object | List of external services (outside the cluster) this application is allowed to access by hostname and port. Generates ServiceEntry and network policies. | false |
| services | []object | List of in-cluster services this application is allowed to access. Generates Istio/network policies to enforce access. If not specified, all outbound traffic is allowed. | false |

spec.networking.outbound.external[index]

| Name | Type | Description | Required |
|---|---|---|---|
| host | string | Hostname or FQDN of the external service this application can access (e.g., "api.example.com", "database.provider.com") | true |
| port | integer | Port number on the external service to allow access to (1-65535). Format: int32; Minimum: 1; Maximum: 65535. | true |
| protocol | enum | Protocol of the external service connection (HTTP, HTTPS, gRPC, TCP, TLS, etc.). Affects how the connection is handled by the service mesh. Enum: HTTP, HTTPS, GRPC, HTTP2, MONGO, TCP, TLS. | false |

spec.networking.outbound.services[index]

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Kubernetes service name this application is allowed to access | true |
| namespace | string | Kubernetes namespace of the destination service. If not specified, assumes the same namespace as this application. | false |
| port | integer | Port on the destination service to allow access to (1-65535). If not specified, all ports are allowed. Format: int32; Minimum: 1; Maximum: 65535. | false |

spec.resources[key][index]

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the cloud resource to grant access to. Must match an existing resource provisioned in your cloud environment. | true |
| accesses | []string | List of access permissions to grant on this resource. Available access types depend on the specific Crossplane composition. Common examples include "read", "write", "admin". Leave empty for the default access level defined by the composition. | false |

spec.rollouts

ArgoCD Rollouts configuration for advanced deployment strategies. Not currently implemented.

| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Enable ArgoCD Rollouts for advanced deployment strategies (canary, blue-green). Not currently implemented. | false |
| strategy | enum | Rollout strategy: Canary or BlueGreen. Not currently implemented. Enum: canary, blueGreen. | false |

spec.secrets[index]

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the secret in the cloud secret store (e.g., AWS Secrets Manager, Azure Key Vault). The secret must be stored as key-value pairs and will be injected into the pod as environment variables (keys become variable names). | true |
| admins | []string | Optional list of user identifiers (e.g., email addresses) who can administer/rotate this secret in the cloud secret store. | false |

spec.workloadSelectors

Node selectors to restrict where the application can be deployed. Defaults to supporting both amd64 and arm64 architectures. If not specified, the application will be scheduled on any available compatible node.

| Name | Type | Description | Required |
|---|---|---|---|
| kubernetes.io/architectures | string | Comma-separated list of CPU architectures this application can run on. Defaults to "amd64,arm64" (both Intel/AMD and ARM64 architectures). This value is matched against the kubernetes.io/arch node label during pod scheduling. Default: amd64,arm64. | false |
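Several of the spec constraints above are cross-field (the readiness probe port must be one of the declared ports, limits require requests, an unset inbound/outbound policy means allow-all, an enabled ingress without jwtAuthentication or oidc is anonymous). The following linter, added here as an example and not part of the operator or its documentation, checks a PlatformApplication manifest (parsed into a Python dict) for those conditions; both sample manifests are constructed for the example.

```python
import re
# Constructed sample manifests (not from the project). LOOSE_APP is deliberately
# permissive so the linter has something to flag; HARDENED_APP fixes every finding.
LOOSE_APP = {
    "apiVersion": "meta.p6m.dev/v1alpha1", "kind": "PlatformApplication", "metadata": {"name": "orders"},
    "spec": {
        "deployment": {
            "image": "registry.example.com/orders:latest",
            "ports": [{"port": 8080, "protocol": "HTTP"}],
            "readinessProbe": {"path": "/health", "port": 9090},
            "resources": {"limits": {"cpu": "1", "memory": "1Gi"}},
        },
        "networking": {"ingress": {"enabled": True}},
    },
}
HARDENED_APP = {
    "apiVersion": "meta.p6m.dev/v1alpha1", "kind": "PlatformApplication", "metadata": {"name": "orders"},
    "spec": {
        "deployment": {
            "image": "registry.example.com/orders:1.4.2",
            "ports": [{"port": 8080, "protocol": "HTTP"}],
            "readinessProbe": {"path": "/health", "port": 8080},
            "readOnlyRootFilesystem": True,
            "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                          "limits": {"cpu": "500m", "memory": "512Mi"}},
        },
        "networking": {
            "inbound": {"services": [{"name": "gateway", "namespace": "edge", "port": 8080}]},
            "outbound": {"external": [{"host": "api.example.com", "port": 443, "protocol": "HTTPS"}]},
            "ingress": {"enabled": True, "jwtAuthentication": True,
                        "originRequestRestriction": {"headers": [
                            {"name": "X-Edge-Token", "value": "^[A-Za-z0-9]{32}$", "type": "Regex"}]}},
        },
    },
}

def lint(app):
    """Return (severity, message) findings for one PlatformApplication dict."""
    findings, spec = [], app.get("spec", {})
    dep, net = spec.get("deployment", {}), spec.get("networking", {})
    ports = {p.get("port") for p in dep.get("ports", [])}
    for p in ports:  # spec.deployment.ports[].port is constrained to 1-65535
        if not isinstance(p, int) or not 1 <= p <= 65535:
            findings.append(("error", f"port {p!r} outside 1-65535"))
    if "readinessProbe" in dep and dep["readinessProbe"].get("port") not in ports:
        findings.append(("error", "readinessProbe.port does not match a declared port"))
    if "limits" in dep.get("resources", {}) and "requests" not in dep["resources"]:
        findings.append(("error", "resources.limits requires resources.requests"))
    if dep.get("readOnlyRootFilesystem") is not True:
        findings.append(("warn", "readOnlyRootFilesystem is not enabled"))
    tag = dep.get("image", "").rsplit("/", 1)[-1]  # "name:tag" after the last slash
    if ":" not in tag or tag.endswith(":latest"):
        findings.append(("warn", "image uses a mutable tag; pin a version"))
    for side in ("inbound", "outbound"):  # an unset policy means allow-all
        if not net.get(side):
            findings.append(("warn", f"networking.{side} unset: all traffic allowed"))
    ing = net.get("ingress", {})
    if ing.get("enabled"):
        if not (ing.get("jwtAuthentication") or ing.get("oidc")):
            findings.append(("warn", "ingress without jwtAuthentication/oidc allows anonymous access"))
        if ing.get("hostnames") and ing.get("hostnamePrefix"):
            findings.append(("info", "hostnamePrefix is ignored when hostnames are set"))
        for h in ing.get("originRequestRestriction", {}).get("headers", []):
            if h.get("type") == "Regex":  # a malformed pattern would break the restriction
                try:
                    re.compile(h.get("value", ""))
                except re.error:
                    findings.append(("error", f"invalid regex for header {h.get('name')}"))
    return findings
```

Running `lint(LOOSE_APP)` yields two errors (probe port, limits without requests) and five warnings; `lint(HARDENED_APP)` yields nothing. To lint a real manifest, load the YAML into a dict first and pass that in.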

status

| Name | Type | Description | Required |
|---|---|---|---|
| cdn | map[string]object | | false |
| cloud | object | | false |
| conditions | []object | | false |
| managedResources | []object | | false |
| phase | enum | Enum: pending, progressing, ready, failed | false |
| runStudioCdn | object | | false |

status.cdn[key]

| Name | Type | Description | Required |
|---|---|---|---|
| distributionId | string | | false |
| dnsConfiguration | object | | false |

status.cdn[key].dnsConfiguration

| Name | Type | Description | Required |
|---|---|---|---|
| domains | []string | | false |

status.cloud

| Name | Type | Description | Required |
|---|---|---|---|
| principalId | string | | false |
| role | string | | false |

status.conditions[index]

| Name | Type | Description | Required |
|---|---|---|---|
| status | string | | true |
| type | string | | true |
| lastTransitionTime | string | | false |
| message | string | | false |
| reason | string | | false |

status.managedResources[index]

ObjectReference contains enough information to let you inspect or modify the referred object.

| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | API version of the referent. | false |
| fieldPath | string | If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or, if no container name is specified, "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. | false |
| kind | string | Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | false |
| message | string | | false |
| name | string | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names | false |
| namespace | string | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ | false |
| phase | enum | Enum: pending, progressing, ready, failed | false |
| resourceVersion | string | Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency | false |
| uid | string | UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids | false |

status.runStudioCdn

| Name | Type | Description | Required |
|---|---|---|---|
| configMap | string | | false |
| invalidations | []object | | false |

status.runStudioCdn.invalidations[index]

| Name | Type | Description | Required |
|---|---|---|---|
| observedGeneration | integer | Format: int64 | false |
| timestamp | string | | false |