Platform Application Reference
Auto-generated derived type for PlatformApplicationSpec via CustomResource
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | meta.p6m.dev/v1alpha1 | true |
| kind | string | PlatformApplication | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object |  | true |
| status | object |  | false |
spec
| Name | Type | Description | Required |
|---|---|---|---|
| autoscaling | object | Horizontal Pod Autoscaling (HPA) and KEDA trigger configuration. HPA uses a hardcoded CPU utilization threshold of 80%. Optional KEDA triggers can be used for alternative scaling metrics (e.g., cron-based scaling). | false |
| config | map[string]string | Environment variables to inject into the pod. Specified as key-value pairs (e.g., "KEY: value"). These are injected directly into the container environment. | false |
| deployment | object | Kubernetes deployment configuration including container image, ports, readiness probes, and resource requests/limits. | false |
| managedResources | []object | RESERVED: Resources that will be created and managed by Crossplane compositions owned by this application. The operator will create the Crossplane claims and manage their lifecycle alongside this application. | false |
| networking | object | Networking configuration including ingress, inbound/outbound traffic policies, and CDN settings. | false |
| resources | map[string][]object | Cloud resources that the application will be granted access to via IAM policies. Any resources provisioned with Crossplane compositions can be referenced here. Note: this only grants access to existing resources and does not create them. Resource creation must be done via Crossplane compositions separately. Each composition has different accesses available—refer to the composition documentation. Special case: specify "crdb" as the key to request a CockroachDB database without needing to specify accesses. | false |
| rollouts | object | ArgoCD Rollouts configuration for advanced deployment strategies. Not currently implemented. | false |
| secrets | []object | Secrets from the cloud secret store (e.g., AWS Secrets Manager, Azure Key Vault) that will be synced as Kubernetes secrets and mounted into the pod as environment variables. Each secret is stored in the cloud provider as key-value pairs and will be injected into the pod with the key as the environment variable name. | false |
| workloadSelectors | object | Node selectors to restrict where the application can be deployed. Defaults to supporting both amd64 and arm64 architectures. If not specified, the application will be scheduled on any available compatible node. Default: map[kubernetes.io/architectures:amd64,arm64] | false |
spec.autoscaling
Horizontal Pod Autoscaling (HPA) and KEDA trigger configuration. HPA uses a hardcoded CPU utilization threshold of 80%. Optional KEDA triggers can be used for alternative scaling metrics (e.g., cron-based scaling).
| Name | Type | Description | Required |
|---|---|---|---|
| cpuThresholdPercentage | integer | RESERVED: CPU utilization threshold percentage for scaling. Not currently implemented; HPA uses a hardcoded 80% CPU utilization threshold instead. Valid range: 1-100%. Format: int32 | false |
| enabled | boolean | Enable Horizontal Pod Autoscaling (HPA) or KEDA-based scaling. Defaults to false. When enabled with no triggers specified, uses HPA with hardcoded 80% CPU utilization threshold. | false |
| maxReplicas | integer | Maximum number of pod replicas the autoscaler can create. Defaults to 10 if not specified. Must be >= 1. Format: int32 | false |
| memoryThresholdPercentage | integer | RESERVED: Memory utilization threshold percentage for scaling. Not currently implemented; use KEDA triggers for memory-based scaling instead. Valid range: 1-100%. Format: int32 | false |
| minReplicas | integer | Minimum number of pod replicas to maintain. Defaults to 2 if not specified. Must be >= 0. Format: int32 | false |
| triggers | []object | KEDA scaling triggers for custom metrics (e.g., cron-based scaling). See https://keda.sh/docs/2.13/scalers/cron/ for supported trigger types and configuration. | false |
spec.autoscaling.triggers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| metadata | map[string]string |  | true |
| type | string |  | true |
spec.deployment
Kubernetes deployment configuration including container image, ports, readiness probes, and resource requests/limits.
| Name | Type | Description | Required |
|---|---|---|---|
| image | string | Container image URI (including registry). Typically set to use a mutable tag like "latest" and CI/CD systems override this with specific version tags for deployments. | true |
| ports | []object | List of ports exposed by the container. Each port requires a port number and protocol type (TCP, UDP, HTTP, or HTTPS). | false |
| readOnlyRootFilesystem | boolean | Whether the container's root filesystem should be mounted as read-only. Improves security by preventing filesystem modifications. Temporary storage (/tmp, /var/tmp) will still be writable. | false |
| readinessProbe | object | HTTP endpoint configuration for Kubernetes readiness probes. The container must return HTTP 200 on the specified path for the pod to be considered ready to receive traffic. | false |
| resources | object | Kubernetes resource requests and limits (CPU, memory, and GPUs). Requests are guaranteed resources; limits prevent the container from exceeding those amounts. | false |
spec.deployment.ports[index]
| Name | Type | Description | Required |
|---|---|---|---|
| port | integer | Port number on the container (1-65535). Format: int32 | true |
| protocol | string | Protocol for the port (examples: TCP, UDP, HTTP, HTTPS) | true |
spec.deployment.readinessProbe
HTTP endpoint configuration for Kubernetes readiness probes. The container must return HTTP 200 on the specified path for the pod to be considered ready to receive traffic.
| Name | Type | Description | Required |
|---|---|---|---|
| path | string | HTTP path for the readiness check (e.g., "/health" or "/status"). The call must respond with HTTP 200 to be considered ready. | true |
| port | integer | Port number on the container to check for readiness (1-65535; must match one of the declared ports). Format: int32 | true |
spec.deployment.resources
Kubernetes resource requests and limits (CPU, memory, and GPUs). Requests are guaranteed resources; limits prevent the container from exceeding those amounts.
| Name | Type | Description | Required |
|---|---|---|---|
| limits | object | Maximum resource allocation for the container. Kubernetes will kill the container if it exceeds these limits. Requires requests to be set. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | false |
| requests | object | Guaranteed resource allocation reserved for the container on the node. The scheduler uses this to determine pod placement. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | false |
spec.deployment.resources.limits
Maximum resource allocation for the container. Kubernetes will kill the container if it exceeds these limits. Requires requests to be set. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
| Name | Type | Description | Required |
|---|---|---|---|
| cpu | string | CPU resources in Kubernetes format (e.g., "500m" for 500 millicores, "1" for 1 core). See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu | false |
| gpu | string | GPU resources (e.g., "1" for 1 GPU). GPU node availability depends on your cluster configuration. | false |
| memory | string | Memory resources in Kubernetes format (e.g., "128Mi" for 128 mebibytes, "1Gi" for 1 gibibyte). See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory | false |
spec.deployment.resources.requests
Guaranteed resource allocation reserved for the container on the node. The scheduler uses this to determine pod placement. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
| Name | Type | Description | Required |
|---|---|---|---|
| cpu | string | CPU resources in Kubernetes format (e.g., "500m" for 500 millicores, "1" for 1 core). See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu | false |
| gpu | string | GPU resources (e.g., "1" for 1 GPU). GPU node availability depends on your cluster configuration. | false |
| memory | string | Memory resources in Kubernetes format (e.g., "128Mi" for 128 mebibytes, "1Gi" for 1 gibibyte). See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory | false |
spec.managedResources[index]
| Name | Type | Description | Required |
|---|---|---|---|
| class | string | Crossplane composition class (category). Examples: "default", "premium", "minimal". Specific values depend on available compositions in your cluster. | true |
| type | string | Crossplane composition type (resource type to create). Examples: "postgres", "mysql", "s3bucket", "storage-account". Must match a valid XRD (Composite Resource Definition) available in your cluster. | true |
| metadata | object | Optional Kubernetes metadata (labels, annotations) to apply to the created resource and its claim. | false |
spec.managedResources[index].metadata
Optional Kubernetes metadata (labels, annotations) to apply to the created resource and its claim.
| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Annotations to apply to the resource (key-value metadata, not used for selection) | true |
| labels | map[string]string | Labels to apply to the resource (key-value metadata used for selection and organization) | true |
spec.networking
Networking configuration including ingress, inbound/outbound traffic policies, and CDN settings.
| Name | Type | Description | Required |
|---|---|---|---|
| inbound | object | Inbound access policy: list of services allowed to access this application. Used to generate Istio/network policies. If not specified, all traffic is allowed. | false |
| ingress | object | Ingress configuration for exposing the application to external traffic (internet or internal networks) | false |
| outbound | object | Outbound access policy: list of services and external hosts this application is allowed to access. Used to generate Istio/network policies. If not specified, all traffic is allowed. | false |
spec.networking.inbound
Inbound access policy: list of services allowed to access this application. Used to generate Istio/network policies. If not specified, all traffic is allowed.
| Name | Type | Description | Required |
|---|---|---|---|
| services | []object | List of services allowed to access this application. Generates Istio/network policies to enforce access. If not specified, all inbound traffic to the service is allowed. | false |
spec.networking.inbound.services[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Kubernetes service name allowed to access this application | true |
| namespace | string | Kubernetes namespace of the source service. Should be specified explicitly; if omitted, the service name is also used as the namespace. | false |
| port | integer | Port on this application to allow the service to access (1-65535). If not specified, all ports are allowed. Format: int32 | false |
spec.networking.ingress
Ingress configuration for exposing the application to external traffic (internet or internal networks).
| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Additional AWS ALB (Application Load Balancer) annotations for the Kubernetes Ingress resource. Only applied when using AWS cloud provider with Kubernetes ingress type (not Istio/Gateway API). See: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/ | false |
| authentication | enum | RESERVED: Authentication requirement for standard methods (Required or Anonymous). Not currently implemented. Use jwt_authentication: true for JWT-based authentication. When neither field is specified, the ingress allows anonymous access. Enum: Required, Anonymous | false |
| cdn | object | CDN configuration for caching and serving content globally. When enabled, requests route through the CDN before reaching the origin. | false |
| certificate | object | Certificate configuration for custom gateway (TLS/SSL). Required when using a custom domain or custom gateway. | false |
| enabled | boolean | Whether to expose the application externally via an ingress/load balancer. When disabled, the application is only accessible within the cluster. | false |
| gateway | string | Specific Istio gateway to use for this ingress, or omit to use the cluster default gateway. Used to route through custom gateways. | false |
| hostnamePrefix | string | Prefix to prepend to the auto-generated default hostname (e.g., "staging" + "myapp" = "staging-myapp.platform.domain"). Ignored if custom hostnames are specified. | false |
| hostnames | []string | List of fully qualified domain names (FQDNs) to register for this application (e.g., ["app.example.com", "app-alt.example.com"]). Requires DNS records to be created externally. | false |
| internal | boolean | Whether the application should only be internally accessible via the ingress (only applies with custom gateway). When true, no external IP is assigned. | false |
| jwtAuthentication | boolean | Enable JWT token authentication. Requests must include valid JWT tokens in the Authorization header. | false |
| oidc | boolean | Enable OpenID Connect (OIDC) authentication. Requests must provide valid OIDC credentials to access the application. | false |
| originRequestRestriction | object | Restrictions on origin requests. HTTP requests to the origin will return a 404 unless they match the specified headers. Used to prevent direct backend access. | false |
| path | string | Path prefix to forward to the backend (e.g., "/api" will route "/api/*" to the application). Used for routing to specific endpoints. | false |
| pathRewrite | string | Path to rewrite requests to before sending to the backend (e.g., "/api" -> "/" will strip the prefix). Used for path manipulation. | false |
| tld | string | Custom top-level domain (TLD) for this application instead of the cluster default (e.g., "mycompany.com"). Only applies when using custom gateway. | false |
| type | enum | Ingress implementation type: "istio" (Istio VirtualService/Gateway) or "kubernetes" (standard Kubernetes Ingress). Defaults based on cluster configuration. Enum: istio, kubernetes | false |
| visibility | enum | Load balancer visibility: PublicIP (internet-routable) or PrivateIP (internal only). Defaults based on cluster configuration. Enum: PublicIP, PrivateIP | false |
spec.networking.ingress.cdn
CDN configuration for caching and serving content globally. When enabled, requests route through the CDN before reaching the origin.
| Name | Type | Description | Required |
|---|---|---|---|
| domains | []string | DEPRECATED: Use PlatformEdge.meta.p6m.dev CRD instead. List of domains that should be served via the CDN (e.g., ["app.example.com"]). | false |
| enabled | boolean | Whether CDN caching is enabled for this ingress. Set to true to cache responses or false for direct origin access. If not specified, defaults based on 'required' field. | false |
| required | boolean | Whether CDN is required for this ingress (forces CDN to be active even if 'enabled' is not set). Useful for ensuring CDN is always in the path. | false |
| wafId | string | DEPRECATED: Use PlatformEdge.meta.p6m.dev CRD instead. AWS WAF (Web Application Firewall) ID to attach to the CloudFront distribution for security. | false |
| zoneId | string | DEPRECATED: Use PlatformEdge.meta.p6m.dev CRD instead. AWS Route53 hosted zone ID for managing DNS records for CDN domains. | false |
spec.networking.ingress.certificate
Certificate configuration for custom gateway (TLS/SSL). Required when using a custom domain or custom gateway.
| Name | Type | Description | Required |
|---|---|---|---|
| externalSecret | object | Fetch certificate from cloud provider secret store (AWS Secrets Manager, Azure Key Vault) via ExternalSecrets operator | false |
| secretRef | object | Reference to an existing Kubernetes secret containing the TLS certificate and private key | false |
spec.networking.ingress.certificate.externalSecret
Fetch certificate from cloud provider secret store (AWS Secrets Manager, Azure Key Vault) via ExternalSecrets operator.
| Name | Type | Description | Required |
|---|---|---|---|
| format | enum | Format of the certificate: 'pkcs12' (binary format) or 'pem' (text format). Determines how the certificate is extracted and converted. Enum: pkcs12, pem | true |
| secretName | string | Name of the secret in the cloud provider (AWS Secrets Manager, Azure Key Vault, etc.) | true |
| secretStore | string | Name of an existing ExternalSecrets SecretStore resource in the cluster that knows how to authenticate with your cloud provider | true |
spec.networking.ingress.certificate.secretRef
Reference to an existing Kubernetes secret containing the TLS certificate and private key.
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the Kubernetes secret containing the TLS certificate and key (usually in tls.crt and tls.key keys) | true |
| namespace | string | Namespace where the secret is located. Defaults to the application's namespace if not specified. | false |
spec.networking.ingress.originRequestRestriction
Restrictions on origin requests. HTTP requests to the origin will return a 404 unless they match the specified headers. Used to prevent direct backend access.
| Name | Type | Description | Required |
|---|---|---|---|
| headers | []object | HTTP headers that must be present and match for the request to reach the origin. Requests without matching headers receive HTTP 404. Useful for protecting the origin from direct access. | false |
spec.networking.ingress.originRequestRestriction.headers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | HTTP header name to match (e.g., "Authorization", "X-Custom-Header") | true |
| value | string | Expected header value (exact string or regex pattern depending on type) | true |
| type | enum | Match type: "Exact" for exact string match or "Regex" for regular expression pattern matching. Default: Exact. Enum: Exact, Regex | false |
spec.networking.outbound
Outbound access policy: list of services and external hosts this application is allowed to access. Used to generate Istio/network policies. If not specified, all traffic is allowed.
| Name | Type | Description | Required |
|---|---|---|---|
| external | []object | List of external services (outside the cluster) this application is allowed to access by hostname and port. Generates ServiceEntry and network policies. | false |
| services | []object | List of in-cluster services this application is allowed to access. Generates Istio/network policies to enforce access. If not specified, all outbound traffic is allowed. | false |
spec.networking.outbound.external[index]
| Name | Type | Description | Required |
|---|---|---|---|
| host | string | Hostname or FQDN of the external service this application can access (e.g., "api.example.com", "database.provider.com") | true |
| port | integer | Port number on the external service to allow access to (1-65535). Format: int32 | true |
| protocol | enum | Protocol of the external service connection (HTTP, HTTPS, gRPC, TCP, TLS, etc.). Affects how the connection is handled by the service mesh. Enum: HTTP, HTTPS, GRPC, HTTP2, MONGO, TCP, TLS | false |
spec.networking.outbound.services[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Kubernetes service name this application is allowed to access | true |
| namespace | string | Kubernetes namespace of the destination service. If not specified, assumes the same namespace as this application. | false |
| port | integer | Port on the destination service to allow access to (1-65535). If not specified, all ports are allowed. Format: int32 | false |
spec.resources[key][index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the cloud resource to grant access to. Must match an existing resource provisioned in your cloud environment. | true |
| accesses | []string | List of access permissions to grant on this resource. Available access types depend on the specific Crossplane composition. Common examples include "read", "write", "admin". Leave empty for default access level defined by the composition. | false |
spec.rollouts
ArgoCD Rollouts configuration for advanced deployment strategies. Not currently implemented.
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Enable ArgoCD Rollouts for advanced deployment strategies (canary, blue-green). Not currently implemented. | false |
| strategy | enum | Rollout strategy: Canary or BlueGreen. Not currently implemented. Enum: canary, blueGreen | false |
spec.secrets[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the secret in the cloud secret store (e.g., AWS Secrets Manager, Azure Key Vault). The secret must be stored as key-value pairs and will be injected into the pod as environment variables (keys become variable names). | true |
| admins | []string | Optional list of user identifiers (e.g., email addresses) who can administer/rotate this secret in the cloud secret store. | false |
spec.workloadSelectors
Node selectors to restrict where the application can be deployed. Defaults to supporting both amd64 and arm64 architectures. If not specified, the application will be scheduled on any available compatible node.
| Name | Type | Description | Required |
|---|---|---|---|
| kubernetes.io/architectures | string | Comma-separated list of CPU architectures this application can run on. Defaults to "amd64,arm64" (both Intel/AMD and ARM64 architectures). This value is matched against the kubernetes.io/arch node label during pod scheduling. Default: amd64,arm64 | false |
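A defender-side lint of a PlatformApplication manifest against the defaults this reference documents (an added example, not the operator's own code): it flags the allow-all inbound/outbound defaults, an ingress with neither jwtAuthentication nor oidc, limits without requests, a readiness port that is not a declared port, a writable root filesystem, deprecated cdn fields and out-of-bounds replica counts, then produces a hardened copy. The manifest, the service and header names (X-Origin-Token) and the placeholder values are constructed for the example.

```python
import copy
from typing import Any

# Constructed sample manifest (not from the project): deliberately leaves several
# security-relevant fields at the defaults the reference above documents.
SAMPLE_APP: dict[str, Any] = {
    "apiVersion": "meta.p6m.dev/v1alpha1",
    "kind": "PlatformApplication",
    "metadata": {"name": "orders", "namespace": "shop"},
    "spec": {
        "deployment": {
            "image": "registry.example.com/shop/orders:latest",
            "ports": [{"port": 8080, "protocol": "HTTP"}],
            "readinessProbe": {"path": "/health", "port": 9090},
            "resources": {"limits": {"cpu": "1", "memory": "1Gi"}},
        },
        "networking": {"ingress": {"enabled": True, "visibility": "PublicIP",
                                   "cdn": {"enabled": True, "wafId": "WAF-ID-PLACEHOLDER"}}},
        "autoscaling": {"enabled": True, "minReplicas": 0, "maxReplicas": 0},
    },
}


def lint(app: dict[str, Any]) -> list[str]:
    """Return 'SEVERITY field: message' findings derived from the field descriptions."""
    out: list[str] = []
    spec = app.get("spec", {})
    dep, net = spec.get("deployment", {}), spec.get("networking", {})
    ingress = net.get("ingress", {})
    cdn = ingress.get("cdn", {})
    # deployment: readiness port must be a declared port; limits require requests
    declared = {p.get("port") for p in dep.get("ports", [])}
    probe = dep.get("readinessProbe")
    if probe and probe.get("port") not in declared:
        out.append(f"ERROR spec.deployment.readinessProbe.port: {probe.get('port')} not declared in ports")
    res = dep.get("resources", {})
    if res.get("limits") and not res.get("requests"):
        out.append("ERROR spec.deployment.resources: limits set without requests")
    if dep.get("readOnlyRootFilesystem") is not True:
        out.append("WARN spec.deployment.readOnlyRootFilesystem: root filesystem stays writable")
    # networking: an omitted inbound/outbound policy allows all traffic, and an
    # ingress with neither jwtAuthentication nor oidc allows anonymous access
    for side in ("inbound", "outbound"):
        if side not in net:
            out.append(f"WARN spec.networking.{side}: unspecified, all {side} traffic allowed")
    if ingress.get("enabled"):
        if not (ingress.get("jwtAuthentication") or ingress.get("oidc")):
            out.append("WARN spec.networking.ingress: exposed with anonymous access")
        if (cdn.get("enabled") or cdn.get("required")) and not ingress.get(
                "originRequestRestriction", {}).get("headers"):
            out.append("WARN spec.networking.ingress.originRequestRestriction: "
                       "CDN in path but the origin accepts unrestricted direct requests")
        for f in ("domains", "wafId", "zoneId"):
            if f in cdn:
                out.append(f"INFO spec.networking.ingress.cdn.{f}: deprecated, use PlatformEdge CRD")
    # autoscaling: documented bounds (minReplicas >= 0, maxReplicas >= 1) plus min <= max
    sc = spec.get("autoscaling", {})
    if sc.get("enabled"):
        lo, hi = sc.get("minReplicas", 2), sc.get("maxReplicas", 10)
        if lo < 0 or hi < 1 or lo > hi:
            out.append(f"ERROR spec.autoscaling: minReplicas={lo} maxReplicas={hi} out of bounds")
    return out


def harden(app: dict[str, Any]) -> dict[str, Any]:
    """Copy of `app` with each finding above resolved; values are illustrative placeholders."""
    fixed = copy.deepcopy(app)
    spec = fixed["spec"]
    spec["deployment"]["readOnlyRootFilesystem"] = True
    spec["deployment"]["readinessProbe"]["port"] = 8080
    spec["deployment"]["resources"]["requests"] = {"cpu": "500m", "memory": "512Mi"}
    net = spec["networking"]
    net["inbound"] = {"services": [{"name": "edge-gateway", "namespace": "edge", "port": 8080}]}
    net["outbound"] = {"external": [{"host": "api.example.com", "port": 443, "protocol": "HTTPS"}]}
    net["ingress"]["jwtAuthentication"] = True
    net["ingress"]["originRequestRestriction"] = {"headers": [
        {"name": "X-Origin-Token", "value": "SHARED-SECRET-PLACEHOLDER", "type": "Exact"}]}
    net["ingress"]["cdn"].pop("wafId")
    spec["autoscaling"].update({"minReplicas": 2, "maxReplicas": 6})
    return fixed
```

Running `lint(SAMPLE_APP)` yields nine findings; `lint(harden(SAMPLE_APP))` yields none, and the original manifest is left untouched.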
status
| Name | Type | Description | Required |
|---|---|---|---|
| cdn | map[string]object |  | false |
| cloud | object |  | false |
| conditions | []object |  | false |
| managedResources | []object |  | false |
| phase | enum | Enum: pending, progressing, ready, failed | false |
| runStudioCdn | object |  | false |
status.cdn[key]
| Name | Type | Description | Required |
|---|---|---|---|
| distributionId | string |  | false |
| dnsConfiguration | object |  | false |
status.cdn[key].dnsConfiguration
| Name | Type | Description | Required |
|---|---|---|---|
| domains | []string |  | false |
status.cloud
| Name | Type | Description | Required |
|---|---|---|---|
| principalId | string |  | false |
| role | string |  | false |
status.conditions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| status | string |  | true |
| type | string |  | true |
| lastTransitionTime | string |  | false |
| message | string |  | false |
| reason | string |  | false |
status.managedResources[index]
ObjectReference contains enough information to let you inspect or modify the referred object.
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | API version of the referent. | false |
| fieldPath | string | If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. | false |
| kind | string | Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | false |
| message | string |  | false |
| name | string | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names | false |
| namespace | string | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ | false |
| phase | enum | Enum: pending, progressing, ready, failed | false |
| resourceVersion | string | Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency | false |
| uid | string | UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids | false |
status.runStudioCdn
| Name | Type | Description | Required |
|---|---|---|---|
| configMap | string |  | false |
| invalidations | []object |  | false |
status.runStudioCdn.invalidations[index]
| Name | Type | Description | Required |
|---|---|---|---|
| observedGeneration | integer | Format: int64 | false |
| timestamp | string |  | false |