apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep labels: helm.sh/chart: netbox-enterprise-crds-2.1.0 app.kubernetes.io/managed-by: Helm netboxlabs.com/managed-by: netbox-operator name: netboxenterprises.netboxlabs.com spec: group: netboxlabs.com names: categories: [] kind: NetBoxEnterprise plural: netboxenterprises shortNames: - nbe singular: netboxenterprise scope: Namespaced versions: - additionalPrinterColumns: - description: Whether the cluster is ready jsonPath: .status.ready name: Ready type: boolean - description: License tier jsonPath: .status.license.tier name: Tier type: string - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: Custom resource representing a NetBox Labs Cluster properties: spec: description: NetBoxEnterprise custom resource for declarative NetBox deployments. properties: annotations: additionalProperties: type: string description: Annotations applied to all cluster resources. nullable: true type: object backups: default: false description: |- Enable Velero backups for this cluster. Requires Velero to be installed in the cluster. type: boolean clusterDnsSuffix: description: |- Kubernetes cluster DNS suffix. Most clusters use the default `cluster.local`, but some environments configure a different suffix. All operator-generated FQDNs will use this value. nullable: true type: string copilot: default: awsRegion: us-east-2 databaseUser: copilot enabled: false limits: cpu: 1000 memory: 1024 llmApiKeySecret: copilot-llm-api-key llmApiKeySecretKey: apiKey llmMaxSteps: 20 llmModel: anthropic/claude-sonnet-4-6 llmProvider: anthropic netboxAuthApiTimeout: 5 netboxAuthCacheTtl: 60 netboxAuthCookieName: sessionid redisDb: 2 replicas: 1 resources: cpu: 100 memory: 256 description: |- Copilot AI assistant backend service. When enabled, deploys the Copilot backend and activates the `netbox_copilot` plugin in NetBox. Disabled by default — requires a Kubernetes secret containing a valid LLM API key to be created before enabling. properties: awsCredentialsSecret: description: |- Optional name of a Kubernetes Secret containing explicit AWS credentials for Bedrock. Only used when `llmProvider` is `bedrock`. The secret must contain two keys: `aws_access_key_id` and `aws_secret_access_key`. When omitted, the Copilot backend uses ambient credential resolution (IRSA, instance profile, etc.). When using the KOTS admin console, this secret is provisioned automatically from the AWS Access Key ID and Secret Access Key fields. nullable: true type: string awsRegion: default: us-east-2 description: |- AWS region for Amazon Bedrock (e.g. `us-east-2`). Only used when `llmProvider` is `bedrock`. Sets the `AWS_DEFAULT_REGION` environment variable in the Copilot backend container. type: string databaseUser: default: copilot description: PostgreSQL user for Copilot's database. type: string enabled: default: false description: |- Enable or disable the Copilot backend service. When enabled, the Copilot backend is deployed and the `netbox_copilot` NetBox plugin is activated. Requires a valid LLM API key secret. type: boolean image: description: |- Container image configuration. When not specified, uses the operator's built-in defaults. nullable: true properties: digest: description: Optional image digest for immutable image references. nullable: true type: string pullPolicy: default: IfNotPresent description: Image pull policy (Always, IfNotPresent, Never). enum: - IfNotPresent - Always - Never type: string registry: default: nbe-ecr description: Container registry host or Replicated registry alias. type: string repository: default: netbox_copilot description: Image repository path. type: string tag: default: 1.29.1 description: Image tag. type: string type: object limits: default: cpu: 1000 memory: 1024 description: Resource limits for the Copilot backend container. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object llmApiKeySecret: default: copilot-llm-api-key description: |- Name of the Kubernetes Secret containing the LLM API key. The secret must exist in the same namespace as the NetBoxEnterprise resource. For Anthropic, the secret should contain the API key under `llmApiKeySecretKey`. type: string llmApiKeySecretKey: default: apiKey description: Key within `llmApiKeySecret` that holds the LLM API key value. type: string llmMaxSteps: default: 20 description: Maximum number of LLM reasoning steps per conversation turn. format: uint8 maximum: 255.0 minimum: 0.0 type: integer llmModel: default: anthropic/claude-sonnet-4-6 description: LLM model identifier (provider-prefixed format, e.g. `anthropic/claude-sonnet-4-6`). type: string llmProvider: default: anthropic description: LLM provider to use. enum: - anthropic - bedrock type: string netboxAuthApiTimeout: default: 5 description: Timeout in seconds for NetBox auth API calls. format: uint8 maximum: 255.0 minimum: 0.0 type: integer netboxAuthCacheTtl: default: 60 description: TTL in seconds for caching NetBox auth session validation results. format: uint16 maximum: 65535.0 minimum: 0.0 type: integer netboxAuthCookieName: default: sessionid description: NetBox session cookie name used for authentication. type: string postgres: description: |- External PostgreSQL connection configuration. When specified, Copilot connects to this external database instead of the PGO-managed PostgreSQL cluster. The secret must contain the password. If not specified, uses the PGO-generated secret `{cluster-name}-postgres-pguser-copilot`. nullable: true properties: databaseUrl: description: |- Secret key containing the full `DATABASE_URL` URI (e.g. `postgresql://user:pass@host:5432/db?sslmode=require`). When using the KOTS admin console, this secret is provisioned automatically from the Copilot database fields. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object keychainCaCertificates: description: |- Names of CA certificate secrets in the TLS keychain for verifying the Copilot PostgreSQL server certificate. Required when `sslMode` is `verify-ca` or `verify-full`. The named secrets must be registered in `spec.tlsKeychain.caCertificateSecrets`. Certificates are installed into the system trust store by the `update-ca-certs` init container. items: type: string type: array sslMode: description: |- PostgreSQL SSL connection mode. Controls how SSL/TLS is used when connecting to PostgreSQL. These modes match the libpq `sslmode` parameter values. # Modes | Mode | Description | |------|-------------| | `disable` | No SSL - unencrypted connection | | `allow` | Try non-SSL first, use SSL if server requires it | | `prefer` | Try SSL first, fall back to non-SSL (default for external) | | `require` | Require SSL, but don't verify the server certificate | | `verify-ca` | Require SSL and verify the server certificate is signed by a trusted CA | | `verify-full` | Require SSL, verify CA, and verify the server hostname matches the certificate | # Security Recommendations - For production external databases, use `verify-full` with proper CA certificates - Operator-managed PostgreSQL (PGO) always uses `require` internally - `disable` and `allow` should only be used in development environments enum: - disable - allow - prefer - require - verify-ca - verify-full nullable: true type: string required: - databaseUrl type: object redisDb: default: 2 description: |- Redis database number used by Copilot. Uses DB 2 by default to avoid conflicts with NetBox (DB 0) and Diode (DB 1). format: uint8 maximum: 255.0 minimum: 0.0 type: integer replicas: default: 1 description: Number of Copilot backend replicas. format: uint8 maximum: 255.0 minimum: 0.0 type: integer resources: default: cpu: 100 memory: 256 description: Resource requests for the Copilot backend container. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object type: object diode: default: auth: annotations: null enabled: true extraEnvs: [] labels: null limits: cpu: 500 memory: 512 port: 8080 replicas: 1 resources: cpu: 100 memory: 128 config: null enabled: true hydra: annotations: null autoMigrate: true enabled: true extraEnvs: [] labels: null limits: cpu: 500 memory: 512 replicas: 1 resources: cpu: 100 memory: 128 ingester: annotations: null enabled: true extraEnvs: [] labels: null limits: cpu: 500 memory: 512 port: 8081 replicas: 1 resources: cpu: 100 memory: 128 reconciler: annotations: null enabled: true extraEnvs: [] labels: null limits: cpu: 500 memory: 512 port: 8081 replicas: 1 resources: cpu: 100 memory: 128 description: Diode application (includes Hydra OIDC server) properties: auth: default: annotations: null enabled: true extraEnvs: [] labels: null limits: cpu: 500 memory: 512 port: 8080 replicas: 1 resources: cpu: 100 memory: 128 description: Diode auth service component. properties: annotations: additionalProperties: type: string description: Annotations to apply to auth service pods. nullable: true type: object enabled: default: true description: Enable or disable the auth service deployment. type: boolean extraEnvs: default: [] description: Additional environment variables. items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key - name type: object fieldRef: description: "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs." properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: description: Specifies the output format of the exposed resources, defaults to "1" nullable: true x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object type: object required: - name type: object type: array image: description: |- Container image configuration. When not specified, uses operator defaults allowing automatic version updates. nullable: true properties: digest: description: Optional image digest for immutable image references. nullable: true type: string imagePullSecrets: description: Image pull secrets for private registries. items: description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. properties: name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string required: - name type: object nullable: true type: array pullPolicy: default: IfNotPresent description: Image pull policy (Always, IfNotPresent, Never). enum: - IfNotPresent - Always - Never type: string registry: default: docker.io description: Container registry URL. type: string repository: default: netboxlabs/diode-reconciler description: Image repository path. type: string tag: default: v1.13.0 description: Image tag. type: string type: object labels: additionalProperties: type: string description: Labels to apply to auth service pods. nullable: true type: object limits: default: cpu: 500 memory: 512 description: Resource limits. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object port: default: 8080 description: Service port for auth API. format: uint16 maximum: 65535.0 minimum: 0.0 type: integer replicas: default: 1 description: Number of auth service replicas. format: uint8 maximum: 255.0 minimum: 0.0 type: integer resources: default: cpu: 100 memory: 128 description: Resource requests. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object serviceAccount: description: |- Kubernetes service account name. If not specified, auto-generated as `{cluster-name}-diode-auth`. nullable: true type: string type: object config: description: Diode application level configuration nullable: true properties: auth: default: logLevel: INFO telemetryConfig: metricsEnabled: false metricsExporter: prometheus metricsPort: null traceExporter: none description: Diode auth configuration properties: logLevel: default: INFO description: Log level. enum: - INFO - DEBUG - WARN - ERROR type: string sentryDsn: description: Sentry DSN for error tracking. nullable: true type: string telemetryConfig: default: metricsEnabled: false metricsExporter: prometheus metricsPort: null traceExporter: none description: Telemetry configuration. properties: environment: description: |- Deployment environment name. When None, Diode uses its own built-in default. nullable: true type: string metricsEnabled: default: false description: Enable Prometheus metrics endpoint. type: boolean metricsExporter: description: Metrics exporter backend. enum: - prometheus - otlp - console - none type: string metricsPort: description: Port for metrics endpoint (component-specific default). format: uint16 maximum: 65535.0 minimum: 0.0 nullable: true type: integer traceExporter: description: Trace exporter backend. enum: - otlp - console - none type: string required: - metricsExporter - traceExporter type: object type: object hydra: default: oidc: subjectIdentifiers: supportedTypes: - public serve: admin: host: 0.0.0.0 port: 4445 public: host: 0.0.0.0 port: 4444 tls: allowTerminationFrom: - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 strategies: accessToken: jwt jwt: scopeClaim: both ttl: accessToken: 1h description: Hydra OIDC server configuration properties: oidc: description: OIDC configuration. properties: subjectIdentifiers: description: Subject identifier configuration. properties: supportedTypes: description: Supported subject identifier types. items: description: |- OIDC subject identifier algorithm type. See [Hydra subject identifiers](https://www.ory.com/docs/hydra/guides/openid). enum: - public - pairwise type: string type: array required: - supportedTypes type: object required: - subjectIdentifiers type: object serve: description: Server listening configuration. properties: admin: description: Admin API server configuration. properties: host: default: 0.0.0.0 description: Bind address. type: string port: description: Admin API port. format: uint16 maximum: 65535.0 minimum: 0.0 type: integer required: - port type: object public: description: Public API server configuration. properties: host: default: 0.0.0.0 description: Bind address. type: string port: description: Public API port. format: uint16 maximum: 65535.0 minimum: 0.0 type: integer required: - port type: object tls: description: TLS termination configuration. properties: allowTerminationFrom: description: Networks allowed to terminate TLS (e.g., load balancers). items: pattern: ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[0-2]?[0-9])$ type: string type: array required: - allowTerminationFrom type: object required: - admin - public - tls type: object strategies: description: Token strategies. properties: accessToken: description: Access token strategy. enum: - jwt - opaque type: string jwt: description: JWT-specific configuration. properties: scopeClaim: description: Format for scope claim in JWT. enum: - list - string - both type: string required: - scopeClaim type: object required: - accessToken - jwt type: object ttl: description: Token TTL configuration. properties: accessToken: description: Access token lifetime (e.g., "1h", "30m"). type: string required: - accessToken type: object urls: description: URL configuration. nullable: true properties: self: description: Self-referential URLs. nullable: true properties: issuer: description: |- OIDC issuer URL. If not specified, will be auto-generated based on cluster name and namespace. nullable: true type: string type: object type: object required: - oidc - serve - strategies - ttl type: object ingester: default: logLevel: INFO redisStreamDb: 1 telemetryConfig: metricsEnabled: false metricsExporter: prometheus metricsPort: null traceExporter: none description: Diode ingester configuration properties: logLevel: default: INFO description: Log level. enum: - INFO - DEBUG - WARN - ERROR type: string redisStreamDb: default: 1 description: Redis database number for stream storage. format: uint8 maximum: 255.0 minimum: 0.0 type: integer sentryDsn: description: Sentry DSN for error tracking. nullable: true type: string telemetryConfig: default: metricsEnabled: false metricsExporter: prometheus metricsPort: null traceExporter: none description: Telemetry configuration. properties: environment: description: |- Deployment environment name. When None, Diode uses its own built-in default. nullable: true type: string metricsEnabled: default: false description: Enable Prometheus metrics endpoint. type: boolean metricsExporter: description: Metrics exporter backend. enum: - prometheus - otlp - console - none type: string metricsPort: description: Port for metrics endpoint (component-specific default). format: uint16 maximum: 65535.0 minimum: 0.0 nullable: true type: integer traceExporter: description: Trace exporter backend. enum: - otlp - console - none type: string required: - metricsExporter - traceExporter type: object type: object reconciler: default: autoApplyChangesets: true databaseName: diode databaseUser: diode logLevel: INFO migrationEnabled: true netboxClientId: diode-to-netbox rateLimitBurst: 1 rateLimitNetboxBurst: 1 rateLimitNetboxRps: 20 rateLimitRps: 20 redisDb: 0 redisStreamDb: 1 telemetryConfig: metricsEnabled: false metricsExporter: prometheus metricsPort: null traceExporter: none description: Diode reconciler configuration properties: autoApplyChangesets: default: true description: Automatically apply changesets to NetBox. type: boolean databaseName: default: diode description: PostgreSQL database name. type: string databaseUser: default: diode description: PostgreSQL database user. type: string logLevel: default: INFO description: Log level. enum: - INFO - DEBUG - WARN - ERROR type: string migrationEnabled: default: true description: Enable database migrations on startup. type: boolean netboxClientId: default: diode-to-netbox description: OAuth2 client ID for NetBox authentication. type: string pluginApiBaseUrl: description: |- NetBox Diode plugin API base URL. If not specified, auto-generated based on cluster name and namespace. nullable: true type: string postgres: description: |- PostgreSQL connection configuration (optional, for external databases). If not provided, defaults to using PGO-generated secrets with the pattern: `{cluster-name}-postgres-pguser-diode` For external databases, specify the secret containing connection details. nullable: true properties: password: description: Password reference (references external secret). properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object postgresqlProfile: description: |- Name of a PostgreSQL profile from `postgresqlProfiles`. When set, the component inherits PostgreSQL configuration (host, port, TLS) from the named profile. This is used by KOTS to avoid duplicating cluster-level PostgreSQL settings for each component. nullable: true type: string required: - password type: object rateLimitBurst: default: 1 description: Rate limit burst size. format: uint8 maximum: 255.0 minimum: 0.0 type: integer rateLimitNetboxBurst: default: 1 description: NetBox API rate limit burst size. format: uint8 maximum: 255.0 minimum: 0.0 type: integer rateLimitNetboxRps: default: 20 description: NetBox API rate limit requests per second. format: uint8 maximum: 255.0 minimum: 0.0 type: integer rateLimitRps: default: 20 description: Rate limit requests per second. format: uint8 maximum: 255.0 minimum: 0.0 type: integer redisDb: default: 0 description: Redis database number. format: uint8 maximum: 255.0 minimum: 0.0 type: integer redisStreamDb: default: 1 description: Redis database number for stream storage. format: uint8 maximum: 255.0 minimum: 0.0 type: integer sentryDsn: description: Sentry DSN for error tracking. nullable: true type: string telemetryConfig: default: metricsEnabled: false metricsExporter: prometheus metricsPort: null traceExporter: none description: Telemetry configuration. properties: environment: description: |- Deployment environment name. When None, Diode uses its own built-in default. nullable: true type: string metricsEnabled: default: false description: Enable Prometheus metrics endpoint. type: boolean metricsExporter: description: Metrics exporter backend. enum: - prometheus - otlp - console - none type: string metricsPort: description: Port for metrics endpoint (component-specific default). format: uint16 maximum: 65535.0 minimum: 0.0 nullable: true type: integer traceExporter: description: Trace exporter backend. enum: - otlp - console - none type: string required: - metricsExporter - traceExporter type: object type: object type: object enabled: default: true description: Enable or disable the entire Diode application suite. type: boolean hydra: default: annotations: null autoMigrate: true enabled: true extraEnvs: [] labels: null limits: cpu: 500 memory: 512 replicas: 1 resources: cpu: 100 memory: 128 description: Hydra OIDC server for Diode authentication. properties: annotations: additionalProperties: type: string description: Annotations to apply to Hydra pods. nullable: true type: object autoMigrate: default: true description: Enable automatic database migrations on startup. type: boolean enabled: default: true description: Enable or disable Hydra deployment. type: boolean extraEnvs: default: [] description: Additional environment variables. items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key - name type: object fieldRef: description: "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs." properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: description: Specifies the output format of the exposed resources, defaults to "1" nullable: true x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object type: object required: - name type: object type: array image: description: |- Container image configuration. When not specified, uses operator defaults allowing automatic version updates. nullable: true properties: digest: description: Optional image digest for immutable image references. nullable: true type: string imagePullSecrets: description: Image pull secrets for private registries. items: description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. properties: name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string required: - name type: object nullable: true type: array pullPolicy: default: IfNotPresent description: Image pull policy (Always, IfNotPresent, Never). enum: - IfNotPresent - Always - Never type: string registry: default: docker.io description: Container registry URL. type: string repository: default: oryd/hydra description: Image repository path. type: string tag: default: v25.4.0 description: Image tag. type: string type: object labels: additionalProperties: type: string description: Labels to apply to Hydra pods. nullable: true type: object limits: default: cpu: 500 memory: 512 description: Resource limits. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object postgresqlProfile: description: |- Name of a PostgreSQL profile from `postgresqlProfiles`. When set, Hydra inherits PostgreSQL configuration (host, port, TLS) from the named profile. Used by KOTS to avoid duplicating cluster-level PostgreSQL settings. nullable: true type: string replicas: default: 1 description: Number of Hydra replicas. format: uint8 maximum: 255.0 minimum: 0.0 type: integer resources: default: cpu: 100 memory: 128 description: Resource requests. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object secrets: description: |- Secret references for Hydra. If not provided, will be auto-generated based on PostgreSQL configuration. nullable: true properties: cookie: description: Cookie secret for session management. nullable: true properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object dsn: description: Database connection DSN. nullable: true properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object system: description: System secret for encryption. nullable: true properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object type: object serviceAccount: description: |- Kubernetes service account name. If not specified, auto-generated as `{cluster-name}-diode-hydra`. nullable: true type: string type: object ingester: default: annotations: null enabled: true extraEnvs: [] labels: null limits: cpu: 500 memory: 512 port: 8081 replicas: 1 resources: cpu: 100 memory: 128 description: Diode ingester component. properties: annotations: additionalProperties: type: string description: Annotations to apply to ingester pods. nullable: true type: object enabled: default: true description: Enable or disable the ingester deployment. type: boolean extraEnvs: default: [] description: Additional environment variables. items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key - name type: object fieldRef: description: "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs." properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: description: Specifies the output format of the exposed resources, defaults to "1" nullable: true x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object type: object required: - name type: object type: array image: description: |- Container image configuration. When not specified, uses operator defaults allowing automatic version updates. nullable: true properties: digest: description: Optional image digest for immutable image references. nullable: true type: string imagePullSecrets: description: Image pull secrets for private registries. items: description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. properties: name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string required: - name type: object nullable: true type: array pullPolicy: default: IfNotPresent description: Image pull policy (Always, IfNotPresent, Never). enum: - IfNotPresent - Always - Never type: string registry: default: docker.io description: Container registry URL. type: string repository: default: netboxlabs/diode-reconciler description: Image repository path. type: string tag: default: v1.13.0 description: Image tag. type: string type: object labels: additionalProperties: type: string description: Labels to apply to ingester pods. nullable: true type: object limits: default: cpu: 500 memory: 512 description: Resource limits. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object port: default: 8081 description: Service port for ingester API. format: uint16 maximum: 65535.0 minimum: 0.0 type: integer replicas: default: 1 description: Number of ingester replicas. format: uint8 maximum: 255.0 minimum: 0.0 type: integer resources: default: cpu: 100 memory: 128 description: Resource requests. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object serviceAccount: description: |- Kubernetes service account name. If not specified, auto-generated as `{cluster-name}-diode-ingester`. nullable: true type: string type: object reconciler: default: annotations: null enabled: true extraEnvs: [] labels: null limits: cpu: 500 memory: 512 port: 8081 replicas: 1 resources: cpu: 100 memory: 128 description: Diode reconciler component. properties: annotations: additionalProperties: type: string description: Annotations to apply to reconciler pods. nullable: true type: object enabled: default: true description: Enable or disable the reconciler deployment. type: boolean extraEnvs: default: [] description: Additional environment variables. items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key - name type: object fieldRef: description: "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs." properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: description: Specifies the output format of the exposed resources, defaults to "1" nullable: true x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object type: object required: - name type: object type: array image: description: |- Container image configuration. When not specified, uses operator defaults allowing automatic version updates. nullable: true properties: digest: description: Optional image digest for immutable image references. nullable: true type: string imagePullSecrets: description: Image pull secrets for private registries. items: description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. properties: name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string required: - name type: object nullable: true type: array pullPolicy: default: IfNotPresent description: Image pull policy (Always, IfNotPresent, Never). enum: - IfNotPresent - Always - Never type: string registry: default: docker.io description: Container registry URL. type: string repository: default: netboxlabs/diode-reconciler description: Image repository path. type: string tag: default: v1.13.0 description: Image tag. type: string type: object labels: additionalProperties: type: string description: Labels to apply to reconciler pods. nullable: true type: object limits: default: cpu: 500 memory: 512 description: Resource limits. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object port: default: 8081 description: Service port for reconciler API. format: uint16 maximum: 65535.0 minimum: 0.0 type: integer replicas: default: 1 description: Number of reconciler replicas. format: uint8 maximum: 255.0 minimum: 0.0 type: integer resources: default: cpu: 100 memory: 128 description: Resource requests. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object serviceAccount: description: |- Kubernetes service account name. If not specified, auto-generated as `{cluster-name}-diode-reconciler`. nullable: true type: string type: object type: object extraCaCertificates: description: |- Additional CA certificates to trust system-wide. These certificates will be added to the system trust store of all NetBox components (netbox, worker) and merged into every service- specific CA bundle (PostgreSQL, Redis). Useful for: - Custom or self-signed CA certificates - Internal enterprise CA certificates - Third-party service certificates (LDAP, webhooks, etc.) Users must create Kubernetes secrets containing PEM-encoded certificates, then reference them here. Multiple certificates can be concatenated in a single secret key, or split across multiple references. # Example ```yaml extraCaCertificates: - name: company-root-ca key: ca.crt - name: partner-ca-bundle key: ca-bundle.pem ``` items: description: SecretKeySelector selects a key of a Secret. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object type: array gateway: description: |- Gateway API configuration for operator-managed Gateway and Route resources. When omitted or disabled, no Gateway API resources are created. Can coexist with Ingress — both can be enabled simultaneously. nullable: true properties: annotations: additionalProperties: type: string description: Extra annotations merged onto all Gateway API resources. type: object className: default: istio description: |- GatewayClass name for the Gateway resource. Maps to `spec.gatewayClassName` on the generated Gateway. Common values: `"istio"`, `"envoy"`, `"cilium"`. type: string enabled: default: false description: |- Whether the operator creates Gateway API resources. Defaults to `false` (opt-in). When `true`, the operator creates a Gateway and the associated HTTPRoute/GRPCRoute objects. type: boolean listeners: description: |- Gateway listener definitions. Each entry maps to a `spec.listeners[]` entry on the Gateway. Uses the upstream Gateway API `GatewayListeners` type directly. items: description: |- Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. properties: allowedRoutes: description: |- AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of "2020-09-08 01:02:03" is given precedence over a Route with a creation timestamp of "2020-09-08 01:02:04". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. Support: Core nullable: true properties: kinds: description: |- Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the "ResolvedRefs" condition to False for this Listener with the "InvalidRouteKinds" reason. Support: Core items: properties: group: nullable: true type: string kind: type: string required: - kind type: object nullable: true type: array namespaces: description: |- Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. Support: Core nullable: true properties: from: description: |- From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. Support: Core enum: - All - Selector - Same - null nullable: true type: string selector: description: |- Selector must be specified when From is set to "Selector". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of "From". Support: Core nullable: true properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string nullable: true type: array required: - key - operator type: object nullable: true type: array matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. nullable: true type: object type: object type: object type: object hostname: description: |- Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. Implementations MUST apply Hostname matching appropriately for each of the following protocols: * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. Note that this does not require the SNI and Host header to be the same. The semantics of this are described in more detail below. To ensure security, Section 11.1 of RFC-6066 emphasizes that server implementations that rely on SNI hostname matching MUST also verify hostnames within the application protocol. Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the reuse of a connection by responding with the HTTP 421 Misdirected Request status code. This indicates that the origin server has rejected the request because it appears to have been misdirected. To detect misdirected requests, Gateways SHOULD match the authority of the requests with all the SNI hostname(s) configured across all the Gateway Listeners on the same port and protocol: * If another Listener has an exact match or more specific wildcard entry, the Gateway SHOULD return a 421. * If the current Listener (selected by SNI matching during ClientHello) does not match the Host: * If another Listener does match the Host the Gateway SHOULD return a 421. * If no other Listener matches the Host, the Gateway MUST return a 404. For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. Support: Core nullable: true type: string name: description: |- Name is the name of the Listener. This name MUST be unique within a Gateway. Support: Core type: string port: description: |- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. Support: Core format: int32 type: integer protocol: description: |- Protocol specifies the network protocol this listener expects to receive. Support: Core type: string tls: description: |- TLS is the TLS configuration for the Listener. This field is required if the Protocol field is "HTTPS" or "TLS". It is invalid to set this field if the Protocol field is "HTTP", "TCP", or "UDP". The association of SNIs to Certificate defined in ListenerTLSConfig is defined based on the Hostname field for this listener. The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. Support: Core nullable: true properties: certificateRefs: description: |- CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. A single CertificateRef to a Kubernetes Secret has "Core" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the "ResolvedRefs" condition MUST be set to False for this listener with the "RefNotPermitted" reason. This field is required to have at least one element when the mode is set to "Terminate" (default) and is optional otherwise. CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls Support: Implementation-specific (More than one reference or other resource types) items: description: |- SecretObjectReference identifies an API object including its namespace, defaulting to Secret. The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. properties: group: description: |- Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. nullable: true type: string kind: description: Kind is kind of the referent. For example "Secret". nullable: true type: string name: description: Name is the name of the referent. type: string namespace: description: |- Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core nullable: true type: string required: - name type: object nullable: true type: array mode: description: |- Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificates to be specified in some way, such as populating the certificateRefs field. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. The certificateRefs field is ignored in this mode. Support: Core enum: - Terminate - Passthrough - null nullable: true type: string options: additionalProperties: type: string description: |- Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. Support: Implementation-specific nullable: true type: object type: object required: - name - port - protocol type: object type: array timeouts: description: |- Timeouts applied to all generated HTTPRoute rules. Maps to `spec.rules[].timeouts` on HTTPRoute resources. Values are Gateway API duration strings (e.g., `"30s"`, `"1m"`). nullable: true properties: backendRequest: description: |- BackendRequest specifies a timeout for an individual request from the gateway to a backend. This covers the time from when the request first starts being sent from the gateway to when the full response has been received from the backend. Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set. An entire client HTTP transaction with a gateway, covered by the Request timeout, may result in more than one call from the gateway to the destination backend, for example, if automatic retries are supported. The value of BackendRequest must be a Gateway API Duration string as defined by GEP-2257. When this field is unspecified, its behavior is implementation-specific; when specified, the value of BackendRequest must be no more than the value of the Request timeout (since the Request timeout encompasses the BackendRequest timeout). Support: Extended nullable: true type: string request: description: |- Request specifies the maximum duration for a gateway to respond to an HTTP request. If the gateway has not been able to respond before this deadline is met, the gateway MUST return a timeout error. For example, setting the `rules.timeouts.request` field to the value `10s` in an `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds to complete. Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout completely. Implementations that cannot completely disable the timeout MUST instead interpret the zero duration as the longest possible value to which the timeout can be set. This timeout is intended to cover as close to the whole request-response transaction as possible although an implementation MAY choose to start the timeout after the entire request stream has been received instead of immediately after the transaction is initiated by the client. The value of Request is a Gateway API Duration string as defined by GEP-2257. When this field is unspecified, request timeout behavior is implementation-specific. Support: Extended nullable: true type: string type: object type: object imagePullPolicy: default: IfNotPresent description: Image pull policy for NetBox containers. enum: - IfNotPresent - Always - Never type: string imagePullSecrets: description: Image pull secrets for private registries. items: type: string type: array ingress: description: |- Ingress configuration for all operator-managed Ingress resources. When omitted, the operator uses default settings (nginx class, no TLS, no extra annotations). nullable: true properties: annotations: additionalProperties: type: string description: |- Extra annotations merged onto every Ingress object. Values here override the hardcoded nginx-specific defaults when keys collide. type: object className: default: nginx description: |- Kubernetes Ingress class name. Maps to `spec.ingressClassName` on all generated Ingress objects. Defaults to `"nginx"` for backward compatibility. type: string enabled: default: true description: |- Whether the operator creates Ingress objects. When `false`, the operator skips Ingress creation entirely. Existing Ingress objects are pruned by orphan cleanup. type: boolean tls: description: |- TLS termination entries for Ingress resources. Each entry maps directly to a Kubernetes `IngressTLS` object. All unique hosts across entries are used to create `IngressRule` entries. items: description: IngressTLS describes the transport layer security associated with an ingress. properties: hosts: description: hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified. items: type: string type: array secretName: description: secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the "Host" header field used by an IngressRule, the SNI host is used for termination and value of the "Host" header is used for routing. type: string type: object type: array type: object labels: additionalProperties: type: string description: Labels applied to all cluster resources. nullable: true type: object maintenanceMode: default: false description: Enable maintenance mode - scales down all deployments and creates a maintenance pod for manual operations. type: boolean netbox: description: NetBox application deployment configuration. properties: config: description: NetBox application specific configuration nullable: true properties: allowedHosts: default: - '*' description: Allowed hostnames for NetBox. items: type: string type: array customPythonConfig: description: |- Custom Python configuration to be loaded after NetBox configuration.py. This content is rendered into user_extra.py and mounted as zzz_80_user_extra.py, allowing customization of PLUGINS, PLUGINS_CONFIG, and other NetBox settings. nullable: true type: string customPythonConfigRef: description: |- Reference to a ConfigMap key containing custom Python configuration. If both customPythonConfig and customPythonConfigRef are specified, customPythonConfig takes precedence. nullable: true properties: key: description: The key to select. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key - name type: object emailPassword: description: Email password reference (auto-generated if needed). nullable: true properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object metricsEnabled: default: false description: Enable Prometheus metrics endpoint at /metrics. type: boolean plugins: default: {} description: Custom plugins configuration for installing Python packages from wheelhouse. properties: wheelhouse: description: |- Wheelhouse source configuration. Specify either `s3` or `pvc` as the source for the wheelhouse tarball. Validation is performed automatically during deserialization. nullable: true properties: pvc: description: PVC source configuration for wheelhouse file. nullable: true properties: claimName: description: |- Name of the PVC containing the wheelhouse. If `create` is true, the operator will create this PVC. If `create` is false (default), the PVC must already exist. type: string create: default: false description: |- Create the PVC if it doesn't exist (default: false). When true, the operator will create and manage the PVC lifecycle. Use maintenanceMode to access the PVC and upload the wheelhouse file. type: boolean path: default: wheelhouse.tar.gz description: 'Path to the wheelhouse file within the PVC (default: wheelhouse.tar.gz).' type: string size: default: 1Gi description: |- Size of the PVC to create (default: 1Gi). Only used when `create` is true. type: string storageClassName: description: |- Storage class name for the PVC. Only used when `create` is true. nullable: true type: string required: - claimName type: object s3: description: S3 bucket configuration for wheelhouse download. nullable: true properties: bucket: description: S3 bucket name. type: string credentialsSecret: description: Reference to Secret containing S3 credentials. properties: accessKeyId: default: AWS_ACCESS_KEY_ID description: 'Key within the secret for the access key ID (default: AWS_ACCESS_KEY_ID).' type: string name: description: Name of the Kubernetes Secret containing S3 credentials. type: string secretAccessKey: default: AWS_SECRET_ACCESS_KEY description: 'Key within the secret for the secret access key (default: AWS_SECRET_ACCESS_KEY).' type: string required: - name type: object endpoint: description: S3-compatible endpoint URL (optional, uses AWS default if not specified). nullable: true type: string key: default: media/wheelhouse.tar.gz description: 'Object key within the bucket (default: media/wheelhouse.tar.gz).' type: string region: default: us-east-1 description: 'AWS region (default: us-east-1).' type: string verifySSL: default: true description: 'Whether to verify SSL certificates (default: true).' type: boolean required: - bucket - credentialsSecret type: object type: object type: object postgres: description: PostgreSQL connection configuration (derived from spec.postgresql if not provided). nullable: true properties: database: default: netbox description: Database name for NetBox. type: string password: description: Password reference (auto-generated if not provided). nullable: true properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object user: default: netbox description: Database username for NetBox. type: string users: default: - databases: - netbox name: netbox options: SUPERUSER - databases: - copilot name: copilot options: SUPERUSER - databases: - diode name: diode options: SUPERUSER - databases: - hydra name: hydra options: SUPERUSER description: Users to create in PostgreSQL (for PGO). items: description: PostgreSQL user specification for PGO. properties: databases: description: Databases the user can access. items: type: string type: array name: description: Username. type: string options: description: PostgreSQL user options (e.g., "SUPERUSER"). type: string required: - databases - name - options type: object type: array type: object redis: description: Redis connection configuration (derived from spec.redis if not provided). nullable: true properties: host: description: Redis hostname. type: string password: description: |- Password reference for Redis authentication. This password is used for both the tasks queue and cache connections. If not provided and `requireAuth` is true, authentication will fail. nullable: true properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object port: default: 6379 description: Redis port number. format: uint16 maximum: 65535.0 minimum: 0.0 type: integer username: description: |- Redis username for ACL authentication (Redis 6.0+). If not specified, defaults to empty string (legacy auth mode). nullable: true type: string required: - host type: object secretKey: description: Django secret key reference (auto-generated if not provided). nullable: true properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object storage: default: s3: accessKeyId: null bucketName: null enabled: false endpointUrl: null regionName: '' secretAccessKey: null tlsConfig: null description: Storage configuration (S3, etc.) for NetBox media files. properties: s3: default: accessKeyId: null bucketName: null enabled: false endpointUrl: null regionName: '' secretAccessKey: null tlsConfig: null description: S3 storage configuration. properties: accessKeyId: description: AWS access key ID reference (from a Kubernetes Secret). nullable: true properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object bucketName: description: S3 bucket name. nullable: true type: string enabled: default: false description: Enable S3 storage for media files. type: boolean endpointUrl: description: Custom S3 endpoint URL (for MinIO, Garage, or other S3-compatible services). nullable: true type: string regionName: default: us-east-1 description: 'AWS region name (default: us-east-1).' type: string secretAccessKey: description: AWS secret access key reference (from a Kubernetes Secret). nullable: true properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object tlsConfig: description: |- TLS configuration referencing certificates from the cluster's `tlsKeychain`. When present, enables: - Custom CA certificates for server verification (via keychain) - Client certificates for mutual TLS (mTLS) authentication - Insecure skip verification (disabling SSL certificate verification) nullable: true properties: insecureSkipVerify: default: false description: |- Skip TLS certificate verification. **Warning**: Setting this to `true` disables certificate verification and should only be used for testing or development environments. **PostgreSQL caveat**: This field has no effect on PostgreSQL certificate verification when CA certificates are configured via `keychainCaCertificates`. For backward compatibility, libpq verifies the server certificate whenever `PGSSLROOTCERT` is set and `sslmode=require`, effectively upgrading it to `verify-ca` behavior. Since the operator sets `PGSSLROOTCERT` when any CA certificates are provided, `insecureSkipVerify: true` will not prevent certificate validation for PostgreSQL connections. To skip verification, remove the CA certificates instead. type: boolean keychainCaCertificates: description: |- Names of CA certificates from the cluster's `tlsKeychain` to use for verifying server certificates. These names must match entries in `tlsKeychain.caCertificateSecrets[].name`. items: type: string type: array keychainClientCertificate: description: |- Name of a client certificate from the cluster's `tlsKeychain` to use for mutual TLS (mTLS) authentication. This name must match an entry in `tlsKeychain.clientCertificateSecrets[].name`. nullable: true type: string type: object type: object type: object superuser: description: |- Superuser secret references. If provided, all 4 fields (username, email, password, api_token) are required. If None, operator generates all credentials. nullable: true properties: apiToken: description: Secret reference for superuser API token. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object email: description: Secret reference for superuser email. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object password: description: Secret reference for superuser password. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object username: description: Secret reference for superuser username. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object required: - apiToken - email - password - username type: object type: object env: default: - name: http_proxy value: '' - name: https_proxy value: '' - name: no_proxy value: localhost,cluster.local description: Environment variables for NetBox containers. items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key - name type: object fieldRef: description: "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs." properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: description: Specifies the output format of the exposed resources, defaults to "1" nullable: true x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object type: object required: - name type: object type: array httpPort: default: 8080 description: HTTP port for NetBox web interface. format: uint16 maximum: 65535.0 minimum: 0.0 type: integer image: description: |- Container image specification. When not specified, uses operator defaults allowing automatic version updates. nullable: true properties: digest: description: Image digest for pinning specific versions. nullable: true type: string imagePullSecrets: description: Pull secrets for private registries. items: description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. properties: name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string required: - name type: object nullable: true type: array pullPolicy: default: IfNotPresent description: Image pull policy. enum: - IfNotPresent - Always - Never type: string registry: default: docker.io description: Container registry hostname. type: string repository: default: netboxcommunity/netbox description: Repository path within the registry. type: string tag: default: v4.5.3 description: Image tag. type: string type: object limits: default: cpu: 1000 memory: 1500 description: Resource limits for NetBox pods. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object mediaStorageSize: default: 10Gi description: Media storage PVC size (e.g., "10Gi"). type: string replicas: default: 1 description: Number of NetBox web application replicas. format: uint8 maximum: 255.0 minimum: 0.0 type: integer resources: default: cpu: 200 memory: 750 description: Resource requests for NetBox pods. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object scriptsStorageSize: default: 1Gi description: |- Scripts storage PVC size (e.g., "1Gi"). This volume stores custom scripts uploaded by users. type: string statusPort: description: |- Deprecated: no longer used. Retained for CRD backwards compatibility. Previously configured the nginx unit status port; ignored since the switch to granian in nbe-core 4.5.x. format: uint16 maximum: 65535.0 minimum: 0.0 nullable: true type: integer storageClassName: description: Storage class for the media and scripts PVCs. nullable: true type: string urls: description: External URLs to expose the NetBox service. items: type: string nullable: true type: array worker: default: env: - name: http_proxy value: '' - name: https_proxy value: '' - name: no_proxy value: localhost,cluster.local limits: cpu: 1000 memory: 1500 replicas: 1 resources: cpu: 100 memory: 128 description: Background worker configuration. properties: env: default: - name: http_proxy value: '' - name: https_proxy value: '' - name: no_proxy value: localhost,cluster.local description: Environment variables for worker containers. items: description: EnvVar represents an environment variable present in a Container. properties: name: description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' type: string valueFrom: description: Source for the environment variable's value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. properties: key: description: The key to select. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the ConfigMap or its key must be defined type: boolean required: - key - name type: object fieldRef: description: "Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs." properties: apiVersion: description: Version of the schema the FieldPath is written in terms of, defaults to "v1". type: string fieldPath: description: Path of the field to select in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' properties: containerName: description: 'Container name: required for volumes, optional for env vars' type: string divisor: description: Specifies the output format of the exposed resources, defaults to "1" nullable: true x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: description: Selects a key of a secret in the pod's namespace properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string optional: description: Specify whether the Secret or its key must be defined type: boolean required: - key - name type: object type: object required: - name type: object type: array limits: default: cpu: 1000 memory: 1500 description: Resource limits for worker pods. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object replicas: description: Number of worker replicas. format: uint8 maximum: 255.0 minimum: 0.0 type: integer resources: default: cpu: 100 memory: 128 description: Resource requests for worker pods. properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object yamlEnv: description: |- YAML string containing environment variables as key-value pairs. This will be converted to EnvVar array format by the operator. Example: "FOO: bar\nBAZ: qux" nullable: true type: string required: - replicas type: object yamlEnv: description: |- YAML string containing environment variables as key-value pairs. This will be converted to EnvVar array format by the operator. Example: "FOO: bar\nBAZ: qux" nullable: true type: string type: object postgresql: description: PostgreSQL database configuration (operator-managed or external). properties: external: default: false description: Whether PostgreSQL is externally managed (not deployed by operator). type: boolean instances: default: 1 description: |- Number of PostgreSQL instances (replicas). Set to 0 for auto-scaling based on node count (min(nodes, 3)). Auto-scaling requires cluster-scoped RBAC (rbac.scope: cluster). For manual HA, set to 3 or more. format: uint8 maximum: 255.0 minimum: 0.0 type: integer limits: description: |- Resource limits for PostgreSQL pods (CPU in millicores, memory in MiB). When `None`, no resource limits are set on PostgreSQL pods. **Warning**: Without limits, pods may consume more resources than available on the node, potentially causing node instability. nullable: true properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object postgresqlProfile: description: |- Name of a PostgreSQL profile from [`NetBoxEnterpriseSpec::postgresql_profiles`]. When set, the PostgreSQL connection inherits TLS configuration, host, and port from the named profile. Used to centralize external PostgreSQL settings so they are specified once rather than per-component. See also: [`PostgreSQLProfile`] for the profile schema. nullable: true type: string registry: description: Container registry override for PostgreSQL images. nullable: true type: string resources: description: |- Resource requests for PostgreSQL pods (CPU in millicores, memory in MiB). When `None`, no resource requests are set on PostgreSQL pods, allowing PGO to use Kubernetes defaults (effectively unlimited). This is the default behavior for backward compatibility. nullable: true properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object storageClassName: description: |- Storage class name for PostgreSQL PVCs. If not specified, the cluster's default storage class will be used. Required if the cluster has no default storage class configured. nullable: true type: string storageSize: default: 4Gi description: Storage size for PostgreSQL PVC (e.g., "10Gi"). type: string version: default: '18' description: PostgreSQL major version. type: string type: object postgresqlProfiles: additionalProperties: description: |- A named PostgreSQL connection profile. Bundles connection details (host, port, username) and TLS configuration under a single name so that multiple components can reference it instead of duplicating inline settings. All fields are optional — a profile may specify only TLS settings, only connection details, or both. Components resolve each field independently: inline config takes priority, then the profile, then defaults. # Example ```yaml postgresqlProfiles: netbox: host: db.example.com port: 5432 username: netbox tlsConfig: sslmode: verify-full keychainCaCertificates: ['pgo'] ``` properties: host: description: PostgreSQL hostname. nullable: true type: string port: description: PostgreSQL port number. format: uint16 maximum: 65535.0 minimum: 0.0 nullable: true type: integer tlsConfig: description: TLS configuration for the PostgreSQL connection. nullable: true properties: insecureSkipVerify: default: false description: |- Skip TLS certificate verification. **Warning**: Setting this to `true` disables certificate verification and should only be used for testing or development environments. **PostgreSQL caveat**: This field has no effect on PostgreSQL certificate verification when CA certificates are configured via `keychainCaCertificates`. For backward compatibility, libpq verifies the server certificate whenever `PGSSLROOTCERT` is set and `sslmode=require`, effectively upgrading it to `verify-ca` behavior. Since the operator sets `PGSSLROOTCERT` when any CA certificates are provided, `insecureSkipVerify: true` will not prevent certificate validation for PostgreSQL connections. To skip verification, remove the CA certificates instead. type: boolean keychainCaCertificates: description: |- Names of CA certificates from the cluster's `tlsKeychain` to use for verifying server certificates. These names must match entries in `tlsKeychain.caCertificateSecrets[].name`. items: type: string type: array keychainClientCertificate: description: |- Name of a client certificate from the cluster's `tlsKeychain` to use for mutual TLS (mTLS) authentication. This name must match an entry in `tlsKeychain.clientCertificateSecrets[].name`. nullable: true type: string sslmode: default: prefer description: |- SSL mode for PostgreSQL connection. Effective defaults depend on deployment mode: - **External PostgreSQL**: `prefer` (safe fallback that opportunistically uses TLS) - **Operator-managed PostgreSQL**: `require` (PGO always enables TLS) For production external databases, consider using `verify-full` with proper CA certificates configured via `keychainCaCertificates`. **Important**: For backward compatibility, libpq verifies server certificates whenever `PGSSLROOTCERT` is set and `sslmode=require`. Since the operator sets `PGSSLROOTCERT` when `keychainCaCertificates` is non-empty, providing a CA certificate effectively upgrades `require` to behave like `verify-ca`. Ensure the CA certificate matches the server, or omit it to use `require` without verification. enum: - disable - allow - prefer - require - verify-ca - verify-full type: string type: object username: description: PostgreSQL username. nullable: true type: string type: object description: |- Named PostgreSQL connection profiles for component reuse. Each profile bundles connection details (host, port, username) and TLS configuration under a name. Components like Diode and Hydra can reference a profile via `postgresqlProfile` instead of duplicating inline settings. For example, KOTS populates a `"netbox"` profile with the cluster-level PostgreSQL settings, then Diode/Hydra reference it when "reuse NetBox config" is selected. type: object redis: description: Redis cache/queue configuration (operator-managed or external). properties: clusterSize: default: 1 description: |- Number of Redis replicas. Set to 0 for auto-scaling based on node count (min(nodes, 3)). Auto-scaling requires cluster-scoped RBAC (rbac.scope: cluster). Sentinel is deployed when effective size > 1. format: uint8 maximum: 255.0 minimum: 0.0 type: integer external: default: false description: Whether Redis is externally managed (not deployed by operator). type: boolean limits: description: |- Resource limits for Redis pods (CPU in millicores, memory in MiB). When `None`, no resource limits are set on Redis pods. **Warning**: Without limits, pods may consume more resources than available on the node, potentially causing node instability. nullable: true properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object name: default: redis description: Redis instance name. type: string persistence: default: true description: Whether to enable persistence for Redis data. type: boolean requireAuth: default: false description: |- Whether authentication is required for Redis connections. Default behavior: - Operator-managed: false (Redis operator doesn't enable auth by default) - External: false (assume no auth unless explicitly configured) Set to true when connecting to Redis instances that require authentication. type: boolean resources: description: |- Resource requests for Redis pods (CPU in millicores, memory in MiB). When `None`, no resource requests are set on Redis pods (unlimited). nullable: true properties: cpu: description: CPU allocation in millicores (1000m = 1 core). format: uint64 minimum: 0.0 type: integer memory: description: Memory allocation in mebibytes (MiB). format: uint64 minimum: 0.0 type: integer required: - cpu - memory type: object sentinelMasterName: description: |- Sentinel master group name. Required when `sentinels` is configured. Identifies which master group the Sentinels are monitoring (e.g., "netbox-redis"). Ignored for operator-managed Redis. nullable: true type: string sentinels: description: |- Sentinel endpoints for external Redis HA. When configured, NetBox uses Redis Sentinel for master discovery instead of connecting directly. Each endpoint is a Sentinel instance. Ignored for operator-managed Redis (operator auto-configures Sentinel). items: description: A Redis Sentinel endpoint address. properties: host: description: Sentinel hostname. type: string port: default: 26379 description: Sentinel port number. format: uint16 maximum: 65535.0 minimum: 0.0 type: integer required: - host type: object nullable: true type: array storageClassName: description: |- Storage class name for Redis PVCs. If not specified, the cluster's default storage class will be used. Required if the cluster has no default storage class configured. Only used when `persistence: true`. nullable: true type: string storageSize: default: 1Gi description: |- Storage size for the Redis PVC (e.g., "1Gi"). Only used when `persistence: true`. type: string tlsConfig: description: |- TLS configuration for external Redis connections. Uses the cluster's `tlsKeychain` to reference CA and client certificates for secure connections. The presence of this section enables TLS. Only used when `external: true`. nullable: true properties: insecureSkipVerify: default: false description: |- Skip TLS certificate verification. **Warning**: Setting this to `true` disables certificate verification and should only be used for testing or development environments. **PostgreSQL caveat**: This field has no effect on PostgreSQL certificate verification when CA certificates are configured via `keychainCaCertificates`. For backward compatibility, libpq verifies the server certificate whenever `PGSSLROOTCERT` is set and `sslmode=require`, effectively upgrading it to `verify-ca` behavior. Since the operator sets `PGSSLROOTCERT` when any CA certificates are provided, `insecureSkipVerify: true` will not prevent certificate validation for PostgreSQL connections. To skip verification, remove the CA certificates instead. type: boolean keychainCaCertificates: description: |- Names of CA certificates from the cluster's `tlsKeychain` to use for verifying server certificates. These names must match entries in `tlsKeychain.caCertificateSecrets[].name`. items: type: string type: array keychainClientCertificate: description: |- Name of a client certificate from the cluster's `tlsKeychain` to use for mutual TLS (mTLS) authentication. This name must match an entry in `tlsKeychain.clientCertificateSecrets[].name`. nullable: true type: string type: object type: object registry: description: |- Container registry host override for all images. When set, replaces the registry portion of every container image. Use with `registry_namespace` for flat-namespace registries (e.g., Replicated local registry in airgap installs). nullable: true type: string registryNamespace: description: |- Registry namespace for flat-namespace registries. When set alongside `registry`, all repository paths are flattened to `{namespace}/{basename}`. For example, `docker.io/oryd/hydra:v2.3.0` becomes `{registry}/{namespace}/hydra:v2.3.0`. When only `registry` is set (no namespace), the full original repository path is preserved. nullable: true type: string suspend: default: false description: |- Suspend reconciliation/annealing of resources while debugging. When set to `true`, the operator will skip applying downstream resources and wait for the field to be cleared before resuming reconciliation. type: boolean tlsKeychain: description: |- TLS keychain configuration for CA and client certificates. Allows specifying trusted CA certificates and client certificates for secure connections to external services. nullable: true properties: caCertificateSecrets: description: |- CA certificate secrets to trust for TLS connections. These certificates will be added to the trust store for validating server certificates when connecting to external services. items: description: |- Reference to a Kubernetes secret containing a CA certificate. Used for configuring trusted CA certificates for TLS verification. The secret should contain the CA certificate in PEM format. # Example ```yaml - name: my-ca-secret key: ca.crt - name: aliased-ca secret: actual-secret-name ``` properties: key: default: ca.crt description: |- Key within the secret that contains the CA certificate data. Defaults to `ca.crt` if not specified. type: string name: description: |- Logical name for this CA certificate entry. If `secret` is not specified, this name is also used as the Kubernetes secret name. type: string secret: description: |- Name of the Kubernetes secret containing the CA certificate. If not specified, the `name` field is used as the secret name. nullable: true type: string required: - name type: object type: array clientCertificateSecrets: description: |- Client certificate secrets for mutual TLS (mTLS) authentication. These certificates can be used to authenticate the client when connecting to services that require client certificate authentication. items: description: |- Reference to a Kubernetes secret containing a client certificate and private key. Used for configuring client certificates for mutual TLS (mTLS) authentication. The secret should be of type `kubernetes.io/tls` or contain equivalent keys. # Example ```yaml - name: my-client-cert certKey: tls.crt privateKey: tls.key - name: aliased-client secret: actual-secret-name ``` properties: certKey: default: tls.crt description: |- Key within the secret that contains the client certificate data. Defaults to `tls.crt` (standard key for `kubernetes.io/tls` secrets). type: string name: description: |- Logical name for this client certificate entry. If `secret` is not specified, this name is also used as the Kubernetes secret name. type: string privateKey: default: tls.key description: |- Key within the secret that contains the private key data. Defaults to `tls.key` (standard key for `kubernetes.io/tls` secrets). type: string secret: description: |- Name of the Kubernetes secret containing the client certificate. If not specified, the `name` field is used as the secret name. nullable: true type: string required: - name type: object type: array type: object required: - netbox - postgresql - redis type: object status: description: Status of the NetBoxEnterprise custom resource. nullable: true properties: components: default: copilot: ready: false diode: ready: false netbox: ready: false postgresql: ready: false redis: ready: false worker: ready: false description: Detailed status for each component. properties: copilot: default: ready: false description: Copilot backend component status (if enabled). properties: conditions: description: Conditions specific to this component. items: description: Kubernetes standard condition following the condition conventions. properties: lastTransitionTime: description: Last time the condition transitioned from one status to another. type: string message: description: Human-readable message indicating details about the transition. type: string observedGeneration: description: Generation observed when this condition was set. format: int64 nullable: true type: integer reason: description: Machine-readable reason for the condition's last transition. type: string status: description: 'Status of the condition: "True", "False", or "Unknown".' type: string type: description: Type of condition (e.g., "Ready", "Progressing", "Degraded"). type: string required: - lastTransitionTime - message - reason - status - type type: object type: array message: description: Human-readable message about component state. nullable: true type: string ready: default: false description: Whether the component is ready. type: boolean type: object diode: default: ready: false description: Diode application component status (if enabled). properties: conditions: description: Conditions specific to this component. items: description: Kubernetes standard condition following the condition conventions. properties: lastTransitionTime: description: Last time the condition transitioned from one status to another. type: string message: description: Human-readable message indicating details about the transition. type: string observedGeneration: description: Generation observed when this condition was set. format: int64 nullable: true type: integer reason: description: Machine-readable reason for the condition's last transition. type: string status: description: 'Status of the condition: "True", "False", or "Unknown".' type: string type: description: Type of condition (e.g., "Ready", "Progressing", "Degraded"). type: string required: - lastTransitionTime - message - reason - status - type type: object type: array message: description: Human-readable message about component state. nullable: true type: string ready: default: false description: Whether the component is ready. type: boolean type: object netbox: default: ready: false description: NetBox web application component status. properties: conditions: description: Conditions specific to this component. items: description: Kubernetes standard condition following the condition conventions. properties: lastTransitionTime: description: Last time the condition transitioned from one status to another. type: string message: description: Human-readable message indicating details about the transition. type: string observedGeneration: description: Generation observed when this condition was set. format: int64 nullable: true type: integer reason: description: Machine-readable reason for the condition's last transition. type: string status: description: 'Status of the condition: "True", "False", or "Unknown".' type: string type: description: Type of condition (e.g., "Ready", "Progressing", "Degraded"). type: string required: - lastTransitionTime - message - reason - status - type type: object type: array message: description: Human-readable message about component state. nullable: true type: string ready: default: false description: Whether the component is ready. type: boolean type: object postgresql: default: ready: false description: PostgreSQL database component status. properties: conditions: description: Conditions specific to this component. items: description: Kubernetes standard condition following the condition conventions. properties: lastTransitionTime: description: Last time the condition transitioned from one status to another. type: string message: description: Human-readable message indicating details about the transition. type: string observedGeneration: description: Generation observed when this condition was set. format: int64 nullable: true type: integer reason: description: Machine-readable reason for the condition's last transition. type: string status: description: 'Status of the condition: "True", "False", or "Unknown".' type: string type: description: Type of condition (e.g., "Ready", "Progressing", "Degraded"). type: string required: - lastTransitionTime - message - reason - status - type type: object type: array message: description: Human-readable message about component state. nullable: true type: string ready: default: false description: Whether the component is ready. type: boolean type: object redis: default: ready: false description: Redis cache/queue component status. properties: conditions: description: Conditions specific to this component. items: description: Kubernetes standard condition following the condition conventions. properties: lastTransitionTime: description: Last time the condition transitioned from one status to another. type: string message: description: Human-readable message indicating details about the transition. type: string observedGeneration: description: Generation observed when this condition was set. format: int64 nullable: true type: integer reason: description: Machine-readable reason for the condition's last transition. type: string status: description: 'Status of the condition: "True", "False", or "Unknown".' type: string type: description: Type of condition (e.g., "Ready", "Progressing", "Degraded"). type: string required: - lastTransitionTime - message - reason - status - type type: object type: array message: description: Human-readable message about component state. nullable: true type: string ready: default: false description: Whether the component is ready. type: boolean type: object worker: default: ready: false description: NetBox worker component status. properties: conditions: description: Conditions specific to this component. items: description: Kubernetes standard condition following the condition conventions. properties: lastTransitionTime: description: Last time the condition transitioned from one status to another. type: string message: description: Human-readable message indicating details about the transition. type: string observedGeneration: description: Generation observed when this condition was set. format: int64 nullable: true type: integer reason: description: Machine-readable reason for the condition's last transition. type: string status: description: 'Status of the condition: "True", "False", or "Unknown".' type: string type: description: Type of condition (e.g., "Ready", "Progressing", "Degraded"). type: string required: - lastTransitionTime - message - reason - status - type type: object type: array message: description: Human-readable message about component state. nullable: true type: string ready: default: false description: Whether the component is ready. type: boolean type: object type: object conditions: description: Kubernetes standard conditions array. items: description: Kubernetes standard condition following the condition conventions. properties: lastTransitionTime: description: Last time the condition transitioned from one status to another. type: string message: description: Human-readable message indicating details about the transition. type: string observedGeneration: description: Generation observed when this condition was set. format: int64 nullable: true type: integer reason: description: Machine-readable reason for the condition's last transition. type: string status: description: 'Status of the condition: "True", "False", or "Unknown".' type: string type: description: Type of condition (e.g., "Ready", "Progressing", "Degraded"). type: string required: - lastTransitionTime - message - reason - status - type type: object type: array lastReconcileTime: description: Timestamp of the last successful reconciliation (RFC3339 format). nullable: true type: string license: default: edition: Community isAssuranceEntitled: false isCopilotEntitled: false tier: Community description: License associated with the deployment properties: channelName: description: Channel name (e.g., stable, beta, dev) nullable: true type: string customerEmail: description: Customer email from license nullable: true type: string customerName: description: Customer name from license nullable: true type: string edition: default: Community description: NetBox edition (Community or Enterprise) enum: - Community - Enterprise type: string entitlements: additionalProperties: properties: title: description: Entitlement title type: string value: description: Entitlement value (can be any JSON type) x-kubernetes-preserve-unknown-fields: true type: object description: Raw entitlements for additional checks type: object expiresAt: description: Expiration date (ISO 8601 format) nullable: true type: string isAssuranceEntitled: default: false description: Whether NetBox Assurance is entitled type: boolean isCopilotEntitled: default: false description: Whether Copilot is entitled type: boolean licenseId: description: Unique license identifier nullable: true type: string licenseType: description: License type (dev, trial, prod, paid) nullable: true type: string platformOrgId: description: Platform organization ID nullable: true type: string tier: default: Community description: NetBox tier from license entitlement enum: - Community - Starter - Professional - Premium type: string type: object message: description: Human-readable message about the current state. nullable: true type: string migrationHash: description: |- SHA-256 hash of migration-relevant inputs (image tag, wheelhouse, plugin config). When this changes, the operator runs a migration Job before updating NetBox Deployments. nullable: true type: string observedGeneration: description: Generation observed by the controller during last reconciliation. format: int64 nullable: true type: integer ready: default: false description: Overall cluster readiness indicator. type: boolean version: default: '' description: Netbox Labs Operator Version type: string type: object required: - spec title: NetBoxEnterprise type: object served: true storage: true subresources: status: {}