{ "description": "TempoStack manages a Tempo deployment in microservices mode.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "TempoStackSpec defines the desired state of TempoStack.", "properties": { "extraConfig": { "description": "ExtraConfigSpec defines extra configurations for tempo that will be merged with the operator generated, configurations defined here\nhas precedence and could override generated config.", "properties": { "tempo": { "description": "Tempo defines any extra Tempo configuration, which will be merged with the operator's generated Tempo configuration", "x-kubernetes-preserve-unknown-fields": true } }, "type": "object", "additionalProperties": false }, "hashRing": { "description": "HashRing defines the spec for the distributed hash ring configuration.", "properties": { "memberlist": { "description": "MemberList configuration spec", "properties": { "enableIPv6": { "description": "EnableIPv6 enables IPv6 support for the memberlist based hash ring.", "type": "boolean" }, "instanceAddrType": { "description": "InstanceAddrType defines the type of address to use to advertise to the ring.\nDefaults to the first address from any private network interfaces of the current pod.\nAlternatively the public pod IP can be used in case private networks (RFC 1918 and RFC 6598)\nare not available.", "enum": [ "default", "podIP" ], "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "images": { "description": "Images defines the image for each container.", "properties": { "jaegerQuery": { "description": "JaegerQuery defines the tempo-query container image.", "type": "string" }, "oauthProxy": { "description": "OauthProxy defines the oauth proxy image used to protect the jaegerUI on single tenant.", "type": "string" }, "tempo": { "description": "Tempo defines the tempo container image.", "type": "string" }, "tempoGateway": { "description": "TempoGateway defines the tempo-gateway container image.", "type": "string" }, "tempoGatewayOpa": { "description": "TempoGatewayOpa defines the OPA sidecar container for TempoGateway.", "type": "string" }, "tempoQuery": { "description": "TempoQuery defines the tempo-query container image.", "type": "string" } }, "type": "object", "additionalProperties": false }, "limits": { "description": "LimitSpec is used to limit ingestion and querying rates.", "properties": { "global": { "description": "Global is used to define global rate limits.", "properties": { "ingestion": { "description": "Ingestion is used to define ingestion rate limits.", "properties": { "ingestionBurstSizeBytes": { "description": "IngestionBurstSizeBytes defines the burst size (bytes) used in ingestion.", "type": "integer" }, "ingestionRateLimitBytes": { "description": "IngestionRateLimitBytes defines the Per-user ingestion rate limit (bytes) used in ingestion.", "type": "integer" }, "maxBytesPerTrace": { "description": "MaxBytesPerTrace defines the maximum number of bytes of an acceptable trace.", "type": "integer" }, "maxTracesPerUser": { "description": "MaxTracesPerUser defines the maximum number of traces a user can send.", "type": "integer" } }, "type": "object", "additionalProperties": false }, "query": { "description": "Query is used to define query rate limits.", "properties": { "maxBytesPerTagValues": { "description": "MaxBytesPerTagValues defines the maximum size in bytes of a tag-values query.", "type": "integer" }, "maxSearchBytesPerTrace": { "description": "DEPRECATED. MaxSearchBytesPerTrace defines the maximum size of search data for a single\ntrace in bytes.\ndefault: `0` to disable.", "type": "integer" }, "maxSearchDuration": { "description": "MaxSearchDuration defines the maximum allowed time range for a search.\nIf this value is not set, then spec.search.maxDuration is used.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "perTenant": { "additionalProperties": { "description": "RateLimitSpec defines rate limits for Ingestion and Query components.", "properties": { "ingestion": { "description": "Ingestion is used to define ingestion rate limits.", "properties": { "ingestionBurstSizeBytes": { "description": "IngestionBurstSizeBytes defines the burst size (bytes) used in ingestion.", "type": "integer" }, "ingestionRateLimitBytes": { "description": "IngestionRateLimitBytes defines the Per-user ingestion rate limit (bytes) used in ingestion.", "type": "integer" }, "maxBytesPerTrace": { "description": "MaxBytesPerTrace defines the maximum number of bytes of an acceptable trace.", "type": "integer" }, "maxTracesPerUser": { "description": "MaxTracesPerUser defines the maximum number of traces a user can send.", "type": "integer" } }, "type": "object", "additionalProperties": false }, "query": { "description": "Query is used to define query rate limits.", "properties": { "maxBytesPerTagValues": { "description": "MaxBytesPerTagValues defines the maximum size in bytes of a tag-values query.", "type": "integer" }, "maxSearchBytesPerTrace": { "description": "DEPRECATED. MaxSearchBytesPerTrace defines the maximum size of search data for a single\ntrace in bytes.\ndefault: `0` to disable.", "type": "integer" }, "maxSearchDuration": { "description": "MaxSearchDuration defines the maximum allowed time range for a search.\nIf this value is not set, then spec.search.maxDuration is used.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "description": "PerTenant is used to define rate limits per tenant.", "type": "object" } }, "type": "object", "additionalProperties": false }, "managementState": { "default": "Managed", "description": "ManagementState defines if the CR should be managed by the operator or not.\nDefault is managed.", "enum": [ "Managed", "Unmanaged" ], "type": "string" }, "networkPolicy": { "description": "NetworkPolicySpec defines how network policies are handled.", "properties": { "enabled": { "default": true, "description": "Enabled determines whether network policies are generated for the operands.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "observability": { "description": "ObservabilitySpec defines how telemetry data gets handled.", "properties": { "grafana": { "description": "Grafana defines the Grafana configuration for operands.", "properties": { "createDatasource": { "description": "CreateDatasource specifies if a Grafana Datasource should be created for Tempo.", "type": "boolean" }, "instanceSelector": { "description": "InstanceSelector specifies the Grafana instance where the datasource should be created.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "metrics": { "description": "Metrics defines the metrics configuration for operands.", "properties": { "createPrometheusRules": { "description": "CreatePrometheusRules specifies if Prometheus rules for alerts should be created for Tempo components.", "type": "boolean" }, "createServiceMonitors": { "description": "CreateServiceMonitors specifies if ServiceMonitors should be created for Tempo components.", "type": "boolean" }, "extraPrometheusRuleLabels": { "additionalProperties": { "type": "string" }, "description": "ExtraPrometheusRuleLabels defines additional labels for the PrometheusRule objects.", "type": "object" }, "extraServiceMonitorLabels": { "additionalProperties": { "type": "string" }, "description": "ExtraServiceMonitorLabels defines additional labels for the ServiceMonitor objects.", "type": "object" } }, "type": "object", "additionalProperties": false }, "tracing": { "description": "Tracing defines a config for operands.", "properties": { "jaeger_agent_endpoint": { "default": "localhost:6831", "description": "JaegerAgentEndpoint defines the jaeger endpoint data gets send to.\nDeprecated: in favor of OTLPHttpEndpoint.", "type": "string" }, "otlp_http_endpoint": { "description": "OTLPHttpEndpoint defines the OTLP/http endpoint data gets send to.\nFor example, \"http://localhost:4320\".\nThe default OTLP/http port 4318 collides with the distributor ports, therefore it is recommended to use a different port\non the sidecar injected to the Tempo (e.g. 4320).", "type": "string" }, "sampling_fraction": { "description": "SamplingFraction defines the sampling ratio. Valid values are 0 to 1.\nThe SamplingFraction has to be defined to enable tracing.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "replicationFactor": { "description": "The replication factor is a configuration setting that determines how many ingesters need to acknowledge the data from the distributors before accepting a span.", "type": "integer" }, "resources": { "description": "Resources defines resources configuration.", "properties": { "total": { "description": "The total amount of resources for Tempo instance.\nThe operator autonomously splits resources between deployed Tempo components.\nOnly limits are supported, the operator calculates requests automatically.\nSee http://github.com/grafana/tempo/issues/1540.", "properties": { "claims": { "description": "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.", "items": { "description": "ResourceClaim references one entry in PodSpec.ResourceClaims.", "properties": { "name": { "description": "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.", "type": "string" }, "request": { "description": "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "limits": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" }, "requests": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "retention": { "description": "Retention period defined by dataset.\nUser can specify how long data should be stored.", "properties": { "global": { "description": "Global is used to configure global retention.", "properties": { "traces": { "description": "Traces defines retention period. Supported parameter suffixes are \"s\", \"m\" and \"h\".\nexample: 336h\ndefault: value is 48h.", "type": "string" } }, "type": "object", "additionalProperties": false }, "perTenant": { "additionalProperties": { "description": "RetentionConfig defines how long data should be provided.", "properties": { "traces": { "description": "Traces defines retention period. Supported parameter suffixes are \"s\", \"m\" and \"h\".\nexample: 336h\ndefault: value is 48h.", "type": "string" } }, "type": "object", "additionalProperties": false }, "description": "PerTenant is used to configure retention per tenant.", "type": "object" } }, "type": "object", "additionalProperties": false }, "search": { "description": "SearchSpec control the configuration for the search capabilities.", "properties": { "defaultResultLimit": { "description": "Limit used for search requests if none is set by the caller (default: 20)", "type": "integer" }, "maxDuration": { "description": "The maximum allowed time range for a search, default: 0s which means unlimited.", "type": "string" }, "maxResultLimit": { "description": "The maximum allowed value of the limit parameter on search requests. If the search request limit parameter\nexceeds the value configured here it will be set to the value configured here.\nThe default value of 0 disables this limit.", "type": "integer" } }, "type": "object", "additionalProperties": false }, "serviceAccount": { "description": "ServiceAccount defines the service account to use for all tempo components.", "type": "string" }, "size": { "description": "Size defines a predefined deployment size profile for this TempoStack.\nThe operator will apply pre-tested resource configurations based on the selected size.\nWhen not set, resources are determined by spec.resources.total or component-level overrides.\nSize also sets a default replication factor (1 for demo, 2 for others) if not explicitly specified.", "enum": [ "1x.demo", "1x.pico", "1x.extra-small", "1x.small", "1x.medium" ], "type": "string" }, "storage": { "description": "Storage defines the spec for the object storage endpoint to store traces.\nUser is required to create secret and supply it.", "properties": { "secret": { "description": "Secret for object storage authentication.\nName of a secret in the same namespace as the TempoStack custom resource.", "properties": { "credentialMode": { "description": "CredentialMode can be used to set the desired credential mode for authenticating with the object storage.\nIf this is not set, then the operator tries to infer the credential mode from the provided secret and its\nown configuration.", "enum": [ "static", "token", "token-cco" ], "type": "string" }, "name": { "description": "Name of a secret in the namespace configured for object storage secrets.", "minLength": 1, "type": "string" }, "type": { "description": "Type of object storage that should be used", "enum": [ "azure", "gcs", "s3" ], "type": "string" } }, "required": [ "name", "type" ], "type": "object", "additionalProperties": false }, "tls": { "description": "TLS configuration for reaching the object storage endpoint.", "properties": { "caName": { "description": "CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).\nIt needs to be in the same namespace as the Tempo custom resource.", "type": "string" }, "certName": { "description": "Cert is the name of a Secret containing a certificate (tls.crt) and private key (tls.key).\nIt needs to be in the same namespace as the Tempo custom resource.", "type": "string" }, "cipherSuites": { "description": "CipherSuites defines the list of acceptable TLS cipher suites.\n\nIf not set, the ciphers are set based on feature gate tlsProfile or obtained from the cluster if openshift.clusterTLSPolicy is enabled.", "items": { "type": "string" }, "type": "array" }, "enabled": { "description": "Enabled defines if TLS is enabled.", "type": "boolean" }, "minVersion": { "description": "MinVersion defines the minimum acceptable TLS version.\n\nIf not set, the version is set based on feature gate tlsProfile or obtained from the cluster if openshift.clusterTLSPolicy is enabled.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "required": [ "secret" ], "type": "object", "additionalProperties": false }, "storageClassName": { "description": "StorageClassName for PVCs used by ingester. Defaults to nil (default storage class in the cluster).", "type": "string" }, "storageSize": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "default": "10Gi", "description": "StorageSize for PVCs used by ingester. Defaults to 10Gi.", "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "template": { "description": "Template defines requirements for a set of tempo components.", "properties": { "compactor": { "description": "Compactor defines the tempo compactor component spec.", "properties": { "nodeSelector": { "additionalProperties": { "type": "string" }, "description": "NodeSelector defines the simple form of the node-selection constraint.", "type": "object" }, "podSecurityContext": { "description": "PodSecurityContext defines security context will be applied to all pods of this component.", "properties": { "appArmorProfile": { "description": "appArmorProfile is the AppArmor options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "localhostProfile": { "description": "localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".", "type": "string" }, "type": { "description": "type indicates which kind of AppArmor profile will be applied.\nValid options are:\n Localhost - a profile pre-loaded on the node.\n RuntimeDefault - the container runtime's default profile.\n Unconfined - no AppArmor enforcement.", "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "fsGroup": { "description": "A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "fsGroupChangePolicy": { "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "runAsGroup": { "description": "The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "runAsNonRoot": { "description": "Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.", "type": "boolean" }, "runAsUser": { "description": "The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "seLinuxChangePolicy": { "description": "seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.\nIt has no effect on nodes that do not support SELinux or to volumes does not support SELinux.\nValid values are \"MountOption\" and \"Recursive\".\n\n\"Recursive\" means relabeling of all files on all Pod volumes by the container runtime.\nThis may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.\n\n\"MountOption\" mounts all eligible Pod volumes with `-o context` mount option.\nThis requires all Pods that share the same volume to use the same SELinux label.\nIt is not possible to share the same volume among privileged and unprivileged Pods.\nEligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes\nwhose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their\nCSIDriver instance. Other volumes are always re-labelled recursively.\n\"MountOption\" value is allowed only when SELinuxMount feature gate is enabled.\n\nIf not specified and SELinuxMount feature gate is enabled, \"MountOption\" is used.\nIf not specified and SELinuxMount feature gate is disabled, \"MountOption\" is used for ReadWriteOncePod volumes\nand \"Recursive\" for all other volumes.\n\nThis field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.\n\nAll Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "seLinuxOptions": { "description": "The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer. May also be set in SecurityContext. If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "level": { "description": "Level is SELinux level label that applies to the container.", "type": "string" }, "role": { "description": "Role is a SELinux role label that applies to the container.", "type": "string" }, "type": { "description": "Type is a SELinux type label that applies to the container.", "type": "string" }, "user": { "description": "User is a SELinux user label that applies to the container.", "type": "string" } }, "type": "object", "additionalProperties": false }, "seccompProfile": { "description": "The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "localhostProfile": { "description": "localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.", "type": "string" }, "type": { "description": "type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.", "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "supplementalGroups": { "description": "A list of groups applied to the first process run in each container, in\naddition to the container's primary GID and fsGroup (if specified). If\nthe SupplementalGroupsPolicy feature is enabled, the\nsupplementalGroupsPolicy field determines whether these are in addition\nto or instead of any group memberships defined in the container image.\nIf unspecified, no additional groups are added, though group memberships\ndefined in the container image may still be used, depending on the\nsupplementalGroupsPolicy field.\nNote that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "type": "array", "x-kubernetes-list-type": "atomic" }, "supplementalGroupsPolicy": { "description": "Defines how supplemental groups of the first container processes are calculated.\nValid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used.\n(Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled\nand the container runtime must implement support for this feature.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.", "items": { "description": "Sysctl defines a kernel parameter to be set", "properties": { "name": { "description": "Name of a property to set", "type": "string" }, "value": { "description": "Value of a property to set", "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "windowsOptions": { "description": "The Windows specific settings applied to all containers.\nIf unspecified, the options within a container's SecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.", "properties": { "gmsaCredentialSpec": { "description": "GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.", "type": "string" }, "gmsaCredentialSpecName": { "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.", "type": "string" }, "hostProcess": { "description": "HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.", "type": "boolean" }, "runAsUserName": { "description": "The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "replicas": { "description": "Replicas defines the number of replicas to be created for this component.", "format": "int32", "type": "integer", "minimum": -2147483648, "maximum": 2147483647 }, "resources": { "description": "Resources defines resources for this component, this will override the calculated resources derived from total", "properties": { "claims": { "description": "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.", "items": { "description": "ResourceClaim references one entry in PodSpec.ResourceClaims.", "properties": { "name": { "description": "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.", "type": "string" }, "request": { "description": "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "limits": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" }, "requests": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" } }, "type": "object", "additionalProperties": false }, "tolerations": { "description": "Tolerations defines component-specific pod tolerations.", "items": { "description": "The pod this Toleration is attached to tolerates any taint that matches\nthe triple using the matching operator .", "properties": { "effect": { "description": "Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.", "type": "string" }, "key": { "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.", "type": "string" }, "operator": { "description": "Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.", "type": "string" }, "tolerationSeconds": { "description": "TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "value": { "description": "Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "type": "object", "additionalProperties": false }, "distributor": { "description": "Distributor defines the distributor component spec.", "properties": { "component": { "description": "TempoComponentSpec is embedded to extend this definition with further options.\n\nCurrently, there is no way to inline this field.\nSee: https://github.com/golang/go/issues/6213", "properties": { "nodeSelector": { "additionalProperties": { "type": "string" }, "description": "NodeSelector defines the simple form of the node-selection constraint.", "type": "object" }, "podSecurityContext": { "description": "PodSecurityContext defines security context will be applied to all pods of this component.", "properties": { "appArmorProfile": { "description": "appArmorProfile is the AppArmor options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "localhostProfile": { "description": "localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".", "type": "string" }, "type": { "description": "type indicates which kind of AppArmor profile will be applied.\nValid options are:\n Localhost - a profile pre-loaded on the node.\n RuntimeDefault - the container runtime's default profile.\n Unconfined - no AppArmor enforcement.", "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "fsGroup": { "description": "A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "fsGroupChangePolicy": { "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "runAsGroup": { "description": "The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "runAsNonRoot": { "description": "Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.", "type": "boolean" }, "runAsUser": { "description": "The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "seLinuxChangePolicy": { "description": "seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.\nIt has no effect on nodes that do not support SELinux or to volumes does not support SELinux.\nValid values are \"MountOption\" and \"Recursive\".\n\n\"Recursive\" means relabeling of all files on all Pod volumes by the container runtime.\nThis may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.\n\n\"MountOption\" mounts all eligible Pod volumes with `-o context` mount option.\nThis requires all Pods that share the same volume to use the same SELinux label.\nIt is not possible to share the same volume among privileged and unprivileged Pods.\nEligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes\nwhose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their\nCSIDriver instance. Other volumes are always re-labelled recursively.\n\"MountOption\" value is allowed only when SELinuxMount feature gate is enabled.\n\nIf not specified and SELinuxMount feature gate is enabled, \"MountOption\" is used.\nIf not specified and SELinuxMount feature gate is disabled, \"MountOption\" is used for ReadWriteOncePod volumes\nand \"Recursive\" for all other volumes.\n\nThis field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.\n\nAll Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "seLinuxOptions": { "description": "The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer. May also be set in SecurityContext. If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "level": { "description": "Level is SELinux level label that applies to the container.", "type": "string" }, "role": { "description": "Role is a SELinux role label that applies to the container.", "type": "string" }, "type": { "description": "Type is a SELinux type label that applies to the container.", "type": "string" }, "user": { "description": "User is a SELinux user label that applies to the container.", "type": "string" } }, "type": "object", "additionalProperties": false }, "seccompProfile": { "description": "The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "localhostProfile": { "description": "localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.", "type": "string" }, "type": { "description": "type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.", "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "supplementalGroups": { "description": "A list of groups applied to the first process run in each container, in\naddition to the container's primary GID and fsGroup (if specified). If\nthe SupplementalGroupsPolicy feature is enabled, the\nsupplementalGroupsPolicy field determines whether these are in addition\nto or instead of any group memberships defined in the container image.\nIf unspecified, no additional groups are added, though group memberships\ndefined in the container image may still be used, depending on the\nsupplementalGroupsPolicy field.\nNote that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "type": "array", "x-kubernetes-list-type": "atomic" }, "supplementalGroupsPolicy": { "description": "Defines how supplemental groups of the first container processes are calculated.\nValid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used.\n(Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled\nand the container runtime must implement support for this feature.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.", "items": { "description": "Sysctl defines a kernel parameter to be set", "properties": { "name": { "description": "Name of a property to set", "type": "string" }, "value": { "description": "Value of a property to set", "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "windowsOptions": { "description": "The Windows specific settings applied to all containers.\nIf unspecified, the options within a container's SecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.", "properties": { "gmsaCredentialSpec": { "description": "GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.", "type": "string" }, "gmsaCredentialSpecName": { "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.", "type": "string" }, "hostProcess": { "description": "HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.", "type": "boolean" }, "runAsUserName": { "description": "The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "replicas": { "description": "Replicas defines the number of replicas to be created for this component.", "format": "int32", "type": "integer", "minimum": -2147483648, "maximum": 2147483647 }, "resources": { "description": "Resources defines resources for this component, this will override the calculated resources derived from total", "properties": { "claims": { "description": "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.", "items": { "description": "ResourceClaim references one entry in PodSpec.ResourceClaims.", "properties": { "name": { "description": "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.", "type": "string" }, "request": { "description": "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "limits": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" }, "requests": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" } }, "type": "object", "additionalProperties": false }, "tolerations": { "description": "Tolerations defines component-specific pod tolerations.", "items": { "description": "The pod this Toleration is attached to tolerates any taint that matches\nthe triple using the matching operator .", "properties": { "effect": { "description": "Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.", "type": "string" }, "key": { "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.", "type": "string" }, "operator": { "description": "Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.", "type": "string" }, "tolerationSeconds": { "description": "TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "value": { "description": "Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "type": "object", "additionalProperties": false }, "tls": { "description": "TLS defines TLS configuration for distributor receivers\n\nIf openshift feature flag `servingCertsService` is enabled and TLS is enabled but no\ncertName or caName is specified, OpenShift service serving certificates will be used.", "properties": { "caName": { "description": "CA is the name of a ConfigMap containing a CA certificate (service-ca.crt).\nIt needs to be in the same namespace as the Tempo custom resource.", "type": "string" }, "certName": { "description": "Cert is the name of a Secret containing a certificate (tls.crt) and private key (tls.key).\nIt needs to be in the same namespace as the Tempo custom resource.", "type": "string" }, "cipherSuites": { "description": "CipherSuites defines the list of acceptable TLS cipher suites.\n\nIf not set, the ciphers are set based on feature gate tlsProfile or obtained from the cluster if openshift.clusterTLSPolicy is enabled.", "items": { "type": "string" }, "type": "array" }, "enabled": { "description": "Enabled defines if TLS is enabled.", "type": "boolean" }, "minVersion": { "description": "MinVersion defines the minimum acceptable TLS version.\n\nIf not set, the version is set based on feature gate tlsProfile or obtained from the cluster if openshift.clusterTLSPolicy is enabled.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "gateway": { "description": "Gateway defines the tempo gateway spec.", "properties": { "component": { "description": "TempoComponentSpec is embedded to extend this definition with further options.\n\nCurrently there is no way to inline this field.\nSee: https://github.com/golang/go/issues/6213", "properties": { "nodeSelector": { "additionalProperties": { "type": "string" }, "description": "NodeSelector defines the simple form of the node-selection constraint.", "type": "object" }, "podSecurityContext": { "description": "PodSecurityContext defines security context will be applied to all pods of this component.", "properties": { "appArmorProfile": { "description": "appArmorProfile is the AppArmor options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "localhostProfile": { "description": "localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".", "type": "string" }, "type": { "description": "type indicates which kind of AppArmor profile will be applied.\nValid options are:\n Localhost - a profile pre-loaded on the node.\n RuntimeDefault - the container runtime's default profile.\n Unconfined - no AppArmor enforcement.", "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "fsGroup": { "description": "A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "fsGroupChangePolicy": { "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "runAsGroup": { "description": "The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "runAsNonRoot": { "description": "Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.", "type": "boolean" }, "runAsUser": { "description": "The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "seLinuxChangePolicy": { "description": "seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.\nIt has no effect on nodes that do not support SELinux or to volumes does not support SELinux.\nValid values are \"MountOption\" and \"Recursive\".\n\n\"Recursive\" means relabeling of all files on all Pod volumes by the container runtime.\nThis may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.\n\n\"MountOption\" mounts all eligible Pod volumes with `-o context` mount option.\nThis requires all Pods that share the same volume to use the same SELinux label.\nIt is not possible to share the same volume among privileged and unprivileged Pods.\nEligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes\nwhose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their\nCSIDriver instance. Other volumes are always re-labelled recursively.\n\"MountOption\" value is allowed only when SELinuxMount feature gate is enabled.\n\nIf not specified and SELinuxMount feature gate is enabled, \"MountOption\" is used.\nIf not specified and SELinuxMount feature gate is disabled, \"MountOption\" is used for ReadWriteOncePod volumes\nand \"Recursive\" for all other volumes.\n\nThis field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.\n\nAll Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "seLinuxOptions": { "description": "The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer. May also be set in SecurityContext. If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "level": { "description": "Level is SELinux level label that applies to the container.", "type": "string" }, "role": { "description": "Role is a SELinux role label that applies to the container.", "type": "string" }, "type": { "description": "Type is a SELinux type label that applies to the container.", "type": "string" }, "user": { "description": "User is a SELinux user label that applies to the container.", "type": "string" } }, "type": "object", "additionalProperties": false }, "seccompProfile": { "description": "The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "localhostProfile": { "description": "localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.", "type": "string" }, "type": { "description": "type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.", "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "supplementalGroups": { "description": "A list of groups applied to the first process run in each container, in\naddition to the container's primary GID and fsGroup (if specified). If\nthe SupplementalGroupsPolicy feature is enabled, the\nsupplementalGroupsPolicy field determines whether these are in addition\nto or instead of any group memberships defined in the container image.\nIf unspecified, no additional groups are added, though group memberships\ndefined in the container image may still be used, depending on the\nsupplementalGroupsPolicy field.\nNote that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "type": "array", "x-kubernetes-list-type": "atomic" }, "supplementalGroupsPolicy": { "description": "Defines how supplemental groups of the first container processes are calculated.\nValid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used.\n(Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled\nand the container runtime must implement support for this feature.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.", "items": { "description": "Sysctl defines a kernel parameter to be set", "properties": { "name": { "description": "Name of a property to set", "type": "string" }, "value": { "description": "Value of a property to set", "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "windowsOptions": { "description": "The Windows specific settings applied to all containers.\nIf unspecified, the options within a container's SecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.", "properties": { "gmsaCredentialSpec": { "description": "GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.", "type": "string" }, "gmsaCredentialSpecName": { "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.", "type": "string" }, "hostProcess": { "description": "HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.", "type": "boolean" }, "runAsUserName": { "description": "The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "replicas": { "description": "Replicas defines the number of replicas to be created for this component.", "format": "int32", "type": "integer", "minimum": -2147483648, "maximum": 2147483647 }, "resources": { "description": "Resources defines resources for this component, this will override the calculated resources derived from total", "properties": { "claims": { "description": "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.", "items": { "description": "ResourceClaim references one entry in PodSpec.ResourceClaims.", "properties": { "name": { "description": "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.", "type": "string" }, "request": { "description": "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "limits": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" }, "requests": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" } }, "type": "object", "additionalProperties": false }, "tolerations": { "description": "Tolerations defines component-specific pod tolerations.", "items": { "description": "The pod this Toleration is attached to tolerates any taint that matches\nthe triple using the matching operator .", "properties": { "effect": { "description": "Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.", "type": "string" }, "key": { "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.", "type": "string" }, "operator": { "description": "Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.", "type": "string" }, "tolerationSeconds": { "description": "TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "value": { "description": "Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "type": "object", "additionalProperties": false }, "enabled": { "type": "boolean" }, "ingress": { "description": "Ingress defines gateway Ingress options.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations defines the annotations of the Ingress object.", "type": "object" }, "host": { "description": "Host defines the hostname of the Ingress object.", "type": "string" }, "ingressClassName": { "description": "IngressClassName defines the name of an IngressClass cluster resource.\nDefines which ingress controller serves this ingress resource.", "type": "string" }, "route": { "description": "Route defines the options for the OpenShift route.", "properties": { "termination": { "description": "Termination defines the termination type.\nThe default is \"edge\".", "enum": [ "insecure", "edge", "passthrough", "reencrypt" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "type": { "description": "Type defines the type of Ingress for the Jaeger Query UI.\nCurrently ingress, route and none are supported.", "enum": [ "ingress", "route", "" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "rbac": { "description": "RBAC defines query RBAC options.", "properties": { "enabled": { "description": "Enabled defines if the query RBAC should be enabled.", "type": "boolean" } }, "type": "object", "additionalProperties": false } }, "required": [ "enabled" ], "type": "object", "additionalProperties": false }, "ingester": { "description": "Ingester defines the ingester component spec.", "properties": { "nodeSelector": { "additionalProperties": { "type": "string" }, "description": "NodeSelector defines the simple form of the node-selection constraint.", "type": "object" }, "podSecurityContext": { "description": "PodSecurityContext defines security context will be applied to all pods of this component.", "properties": { "appArmorProfile": { "description": "appArmorProfile is the AppArmor options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "localhostProfile": { "description": "localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".", "type": "string" }, "type": { "description": "type indicates which kind of AppArmor profile will be applied.\nValid options are:\n Localhost - a profile pre-loaded on the node.\n RuntimeDefault - the container runtime's default profile.\n Unconfined - no AppArmor enforcement.", "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "fsGroup": { "description": "A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "fsGroupChangePolicy": { "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "runAsGroup": { "description": "The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "runAsNonRoot": { "description": "Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.", "type": "boolean" }, "runAsUser": { "description": "The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "seLinuxChangePolicy": { "description": "seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.\nIt has no effect on nodes that do not support SELinux or to volumes does not support SELinux.\nValid values are \"MountOption\" and \"Recursive\".\n\n\"Recursive\" means relabeling of all files on all Pod volumes by the container runtime.\nThis may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.\n\n\"MountOption\" mounts all eligible Pod volumes with `-o context` mount option.\nThis requires all Pods that share the same volume to use the same SELinux label.\nIt is not possible to share the same volume among privileged and unprivileged Pods.\nEligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes\nwhose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their\nCSIDriver instance. Other volumes are always re-labelled recursively.\n\"MountOption\" value is allowed only when SELinuxMount feature gate is enabled.\n\nIf not specified and SELinuxMount feature gate is enabled, \"MountOption\" is used.\nIf not specified and SELinuxMount feature gate is disabled, \"MountOption\" is used for ReadWriteOncePod volumes\nand \"Recursive\" for all other volumes.\n\nThis field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.\n\nAll Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "seLinuxOptions": { "description": "The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer. May also be set in SecurityContext. If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "level": { "description": "Level is SELinux level label that applies to the container.", "type": "string" }, "role": { "description": "Role is a SELinux role label that applies to the container.", "type": "string" }, "type": { "description": "Type is a SELinux type label that applies to the container.", "type": "string" }, "user": { "description": "User is a SELinux user label that applies to the container.", "type": "string" } }, "type": "object", "additionalProperties": false }, "seccompProfile": { "description": "The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "localhostProfile": { "description": "localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.", "type": "string" }, "type": { "description": "type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.", "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "supplementalGroups": { "description": "A list of groups applied to the first process run in each container, in\naddition to the container's primary GID and fsGroup (if specified). If\nthe SupplementalGroupsPolicy feature is enabled, the\nsupplementalGroupsPolicy field determines whether these are in addition\nto or instead of any group memberships defined in the container image.\nIf unspecified, no additional groups are added, though group memberships\ndefined in the container image may still be used, depending on the\nsupplementalGroupsPolicy field.\nNote that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "type": "array", "x-kubernetes-list-type": "atomic" }, "supplementalGroupsPolicy": { "description": "Defines how supplemental groups of the first container processes are calculated.\nValid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used.\n(Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled\nand the container runtime must implement support for this feature.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.", "items": { "description": "Sysctl defines a kernel parameter to be set", "properties": { "name": { "description": "Name of a property to set", "type": "string" }, "value": { "description": "Value of a property to set", "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "windowsOptions": { "description": "The Windows specific settings applied to all containers.\nIf unspecified, the options within a container's SecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.", "properties": { "gmsaCredentialSpec": { "description": "GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.", "type": "string" }, "gmsaCredentialSpecName": { "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.", "type": "string" }, "hostProcess": { "description": "HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.", "type": "boolean" }, "runAsUserName": { "description": "The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "replicas": { "description": "Replicas defines the number of replicas to be created for this component.", "format": "int32", "type": "integer", "minimum": -2147483648, "maximum": 2147483647 }, "resources": { "description": "Resources defines resources for this component, this will override the calculated resources derived from total", "properties": { "claims": { "description": "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.", "items": { "description": "ResourceClaim references one entry in PodSpec.ResourceClaims.", "properties": { "name": { "description": "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.", "type": "string" }, "request": { "description": "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "limits": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" }, "requests": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" } }, "type": "object", "additionalProperties": false }, "tolerations": { "description": "Tolerations defines component-specific pod tolerations.", "items": { "description": "The pod this Toleration is attached to tolerates any taint that matches\nthe triple using the matching operator .", "properties": { "effect": { "description": "Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.", "type": "string" }, "key": { "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.", "type": "string" }, "operator": { "description": "Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.", "type": "string" }, "tolerationSeconds": { "description": "TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "value": { "description": "Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "type": "object", "additionalProperties": false }, "querier": { "description": "Querier defines the querier component spec.", "properties": { "nodeSelector": { "additionalProperties": { "type": "string" }, "description": "NodeSelector defines the simple form of the node-selection constraint.", "type": "object" }, "podSecurityContext": { "description": "PodSecurityContext defines security context will be applied to all pods of this component.", "properties": { "appArmorProfile": { "description": "appArmorProfile is the AppArmor options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "localhostProfile": { "description": "localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".", "type": "string" }, "type": { "description": "type indicates which kind of AppArmor profile will be applied.\nValid options are:\n Localhost - a profile pre-loaded on the node.\n RuntimeDefault - the container runtime's default profile.\n Unconfined - no AppArmor enforcement.", "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "fsGroup": { "description": "A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "fsGroupChangePolicy": { "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "runAsGroup": { "description": "The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "runAsNonRoot": { "description": "Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.", "type": "boolean" }, "runAsUser": { "description": "The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "seLinuxChangePolicy": { "description": "seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.\nIt has no effect on nodes that do not support SELinux or to volumes does not support SELinux.\nValid values are \"MountOption\" and \"Recursive\".\n\n\"Recursive\" means relabeling of all files on all Pod volumes by the container runtime.\nThis may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.\n\n\"MountOption\" mounts all eligible Pod volumes with `-o context` mount option.\nThis requires all Pods that share the same volume to use the same SELinux label.\nIt is not possible to share the same volume among privileged and unprivileged Pods.\nEligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes\nwhose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their\nCSIDriver instance. Other volumes are always re-labelled recursively.\n\"MountOption\" value is allowed only when SELinuxMount feature gate is enabled.\n\nIf not specified and SELinuxMount feature gate is enabled, \"MountOption\" is used.\nIf not specified and SELinuxMount feature gate is disabled, \"MountOption\" is used for ReadWriteOncePod volumes\nand \"Recursive\" for all other volumes.\n\nThis field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.\n\nAll Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "seLinuxOptions": { "description": "The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer. May also be set in SecurityContext. If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "level": { "description": "Level is SELinux level label that applies to the container.", "type": "string" }, "role": { "description": "Role is a SELinux role label that applies to the container.", "type": "string" }, "type": { "description": "Type is a SELinux type label that applies to the container.", "type": "string" }, "user": { "description": "User is a SELinux user label that applies to the container.", "type": "string" } }, "type": "object", "additionalProperties": false }, "seccompProfile": { "description": "The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "localhostProfile": { "description": "localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.", "type": "string" }, "type": { "description": "type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.", "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "supplementalGroups": { "description": "A list of groups applied to the first process run in each container, in\naddition to the container's primary GID and fsGroup (if specified). If\nthe SupplementalGroupsPolicy feature is enabled, the\nsupplementalGroupsPolicy field determines whether these are in addition\nto or instead of any group memberships defined in the container image.\nIf unspecified, no additional groups are added, though group memberships\ndefined in the container image may still be used, depending on the\nsupplementalGroupsPolicy field.\nNote that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "type": "array", "x-kubernetes-list-type": "atomic" }, "supplementalGroupsPolicy": { "description": "Defines how supplemental groups of the first container processes are calculated.\nValid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used.\n(Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled\nand the container runtime must implement support for this feature.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.", "items": { "description": "Sysctl defines a kernel parameter to be set", "properties": { "name": { "description": "Name of a property to set", "type": "string" }, "value": { "description": "Value of a property to set", "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "windowsOptions": { "description": "The Windows specific settings applied to all containers.\nIf unspecified, the options within a container's SecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.", "properties": { "gmsaCredentialSpec": { "description": "GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.", "type": "string" }, "gmsaCredentialSpecName": { "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.", "type": "string" }, "hostProcess": { "description": "HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.", "type": "boolean" }, "runAsUserName": { "description": "The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "replicas": { "description": "Replicas defines the number of replicas to be created for this component.", "format": "int32", "type": "integer", "minimum": -2147483648, "maximum": 2147483647 }, "resources": { "description": "Resources defines resources for this component, this will override the calculated resources derived from total", "properties": { "claims": { "description": "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.", "items": { "description": "ResourceClaim references one entry in PodSpec.ResourceClaims.", "properties": { "name": { "description": "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.", "type": "string" }, "request": { "description": "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "limits": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" }, "requests": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" } }, "type": "object", "additionalProperties": false }, "tolerations": { "description": "Tolerations defines component-specific pod tolerations.", "items": { "description": "The pod this Toleration is attached to tolerates any taint that matches\nthe triple using the matching operator .", "properties": { "effect": { "description": "Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.", "type": "string" }, "key": { "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.", "type": "string" }, "operator": { "description": "Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.", "type": "string" }, "tolerationSeconds": { "description": "TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "value": { "description": "Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "type": "object", "additionalProperties": false }, "queryFrontend": { "description": "TempoQueryFrontendSpec defines the query frontend spec.", "properties": { "component": { "description": "TempoComponentSpec is embedded to extend this definition with further options.\n\nCurrently there is no way to inline this field.\nSee: https://github.com/golang/go/issues/6213", "properties": { "nodeSelector": { "additionalProperties": { "type": "string" }, "description": "NodeSelector defines the simple form of the node-selection constraint.", "type": "object" }, "podSecurityContext": { "description": "PodSecurityContext defines security context will be applied to all pods of this component.", "properties": { "appArmorProfile": { "description": "appArmorProfile is the AppArmor options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "localhostProfile": { "description": "localhostProfile indicates a profile loaded on the node that should be used.\nThe profile must be preconfigured on the node to work.\nMust match the loaded name of the profile.\nMust be set if and only if type is \"Localhost\".", "type": "string" }, "type": { "description": "type indicates which kind of AppArmor profile will be applied.\nValid options are:\n Localhost - a profile pre-loaded on the node.\n RuntimeDefault - the container runtime's default profile.\n Unconfined - no AppArmor enforcement.", "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "fsGroup": { "description": "A special supplemental group that applies to all containers in a pod.\nSome volume types allow the Kubelet to change the ownership of that volume\nto be owned by the pod:\n\n1. The owning GID will be the FSGroup\n2. The setgid bit is set (new files created in the volume will be owned by FSGroup)\n3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "fsGroupChangePolicy": { "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume\nbefore being exposed inside Pod. This field will only apply to\nvolume types which support fsGroup based ownership(and permissions).\nIt will have no effect on ephemeral volume types such as: secret, configmaps\nand emptydir.\nValid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "runAsGroup": { "description": "The GID to run the entrypoint of the container process.\nUses runtime default if unset.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "runAsNonRoot": { "description": "Indicates that the container must run as a non-root user.\nIf true, the Kubelet will validate the image at runtime to ensure that it\ndoes not run as UID 0 (root) and fail to start the container if it does.\nIf unset or false, no such validation will be performed.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.", "type": "boolean" }, "runAsUser": { "description": "The UID to run the entrypoint of the container process.\nDefaults to user specified in image metadata if unspecified.\nMay also be set in SecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence\nfor that container.\nNote that this field cannot be set when spec.os.name is windows.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "seLinuxChangePolicy": { "description": "seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.\nIt has no effect on nodes that do not support SELinux or to volumes does not support SELinux.\nValid values are \"MountOption\" and \"Recursive\".\n\n\"Recursive\" means relabeling of all files on all Pod volumes by the container runtime.\nThis may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.\n\n\"MountOption\" mounts all eligible Pod volumes with `-o context` mount option.\nThis requires all Pods that share the same volume to use the same SELinux label.\nIt is not possible to share the same volume among privileged and unprivileged Pods.\nEligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes\nwhose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their\nCSIDriver instance. Other volumes are always re-labelled recursively.\n\"MountOption\" value is allowed only when SELinuxMount feature gate is enabled.\n\nIf not specified and SELinuxMount feature gate is enabled, \"MountOption\" is used.\nIf not specified and SELinuxMount feature gate is disabled, \"MountOption\" is used for ReadWriteOncePod volumes\nand \"Recursive\" for all other volumes.\n\nThis field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.\n\nAll Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "seLinuxOptions": { "description": "The SELinux context to be applied to all containers.\nIf unspecified, the container runtime will allocate a random SELinux context for each\ncontainer. May also be set in SecurityContext. If set in\nboth SecurityContext and PodSecurityContext, the value specified in SecurityContext\ntakes precedence for that container.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "level": { "description": "Level is SELinux level label that applies to the container.", "type": "string" }, "role": { "description": "Role is a SELinux role label that applies to the container.", "type": "string" }, "type": { "description": "Type is a SELinux type label that applies to the container.", "type": "string" }, "user": { "description": "User is a SELinux user label that applies to the container.", "type": "string" } }, "type": "object", "additionalProperties": false }, "seccompProfile": { "description": "The seccomp options to use by the containers in this pod.\nNote that this field cannot be set when spec.os.name is windows.", "properties": { "localhostProfile": { "description": "localhostProfile indicates a profile defined in a file on the node should be used.\nThe profile must be preconfigured on the node to work.\nMust be a descending path, relative to the kubelet's configured seccomp profile location.\nMust be set if type is \"Localhost\". Must NOT be set for any other type.", "type": "string" }, "type": { "description": "type indicates which kind of seccomp profile will be applied.\nValid options are:\n\nLocalhost - a profile defined in a file on the node should be used.\nRuntimeDefault - the container runtime default profile should be used.\nUnconfined - no profile should be applied.", "type": "string" } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "supplementalGroups": { "description": "A list of groups applied to the first process run in each container, in\naddition to the container's primary GID and fsGroup (if specified). If\nthe SupplementalGroupsPolicy feature is enabled, the\nsupplementalGroupsPolicy field determines whether these are in addition\nto or instead of any group memberships defined in the container image.\nIf unspecified, no additional groups are added, though group memberships\ndefined in the container image may still be used, depending on the\nsupplementalGroupsPolicy field.\nNote that this field cannot be set when spec.os.name is windows.", "items": { "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "type": "array", "x-kubernetes-list-type": "atomic" }, "supplementalGroupsPolicy": { "description": "Defines how supplemental groups of the first container processes are calculated.\nValid values are \"Merge\" and \"Strict\". If not specified, \"Merge\" is used.\n(Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled\nand the container runtime must implement support for this feature.\nNote that this field cannot be set when spec.os.name is windows.", "type": "string" }, "sysctls": { "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported\nsysctls (by the container runtime) might fail to launch.\nNote that this field cannot be set when spec.os.name is windows.", "items": { "description": "Sysctl defines a kernel parameter to be set", "properties": { "name": { "description": "Name of a property to set", "type": "string" }, "value": { "description": "Value of a property to set", "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "windowsOptions": { "description": "The Windows specific settings applied to all containers.\nIf unspecified, the options within a container's SecurityContext will be used.\nIf set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.\nNote that this field cannot be set when spec.os.name is linux.", "properties": { "gmsaCredentialSpec": { "description": "GMSACredentialSpec is where the GMSA admission webhook\n(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the\nGMSA credential spec named by the GMSACredentialSpecName field.", "type": "string" }, "gmsaCredentialSpecName": { "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.", "type": "string" }, "hostProcess": { "description": "HostProcess determines if a container should be run as a 'Host Process' container.\nAll of a Pod's containers must have the same effective HostProcess value\n(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).\nIn addition, if HostProcess is true then HostNetwork must also be set to true.", "type": "boolean" }, "runAsUserName": { "description": "The UserName in Windows to run the entrypoint of the container process.\nDefaults to the user specified in image metadata if unspecified.\nMay also be set in PodSecurityContext. If set in both SecurityContext and\nPodSecurityContext, the value specified in SecurityContext takes precedence.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "replicas": { "description": "Replicas defines the number of replicas to be created for this component.", "format": "int32", "type": "integer", "minimum": -2147483648, "maximum": 2147483647 }, "resources": { "description": "Resources defines resources for this component, this will override the calculated resources derived from total", "properties": { "claims": { "description": "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.", "items": { "description": "ResourceClaim references one entry in PodSpec.ResourceClaims.", "properties": { "name": { "description": "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.", "type": "string" }, "request": { "description": "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "limits": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" }, "requests": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" } }, "type": "object", "additionalProperties": false }, "tolerations": { "description": "Tolerations defines component-specific pod tolerations.", "items": { "description": "The pod this Toleration is attached to tolerates any taint that matches\nthe triple using the matching operator .", "properties": { "effect": { "description": "Effect indicates the taint effect to match. Empty means match all taint effects.\nWhen specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.", "type": "string" }, "key": { "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys.\nIf the key is empty, operator must be Exists; this combination means to match all values and all keys.", "type": "string" }, "operator": { "description": "Operator represents a key's relationship to the value.\nValid operators are Exists and Equal. Defaults to Equal.\nExists is equivalent to wildcard for value, so that a pod can\ntolerate all taints of a particular category.", "type": "string" }, "tolerationSeconds": { "description": "TolerationSeconds represents the period of time the toleration (which must be\nof effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,\nit is not set, which means tolerate the taint forever (do not evict). Zero and\nnegative values will be treated as 0 (evict immediately) by the system.", "format": "int64", "type": "integer", "minimum": -9223372036854776000, "maximum": 9223372036854776000 }, "value": { "description": "Value is the taint value the toleration matches to.\nIf the operator is Exists, the value should be empty, otherwise just a regular string.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "type": "object", "additionalProperties": false }, "jaegerQuery": { "description": "JaegerQuery defines options specific to the Jaeger Query component.", "properties": { "authentication": { "description": "Authentication defines the options for the oauth proxy used to protect jaeger UI", "properties": { "enabled": { "description": "Defines if the authentication will be enabled for jaeger UI.", "type": "boolean" }, "resources": { "description": "Resources defines the compute resource requirements of the OAuth Proxy container.\nThe OAuth Proxy performs authentication and authorization of incoming requests to Jaeger UI when multi-tenancy is disabled.", "properties": { "claims": { "description": "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.", "items": { "description": "ResourceClaim references one entry in PodSpec.ResourceClaims.", "properties": { "name": { "description": "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.", "type": "string" }, "request": { "description": "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "limits": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" }, "requests": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" } }, "type": "object", "additionalProperties": false }, "sar": { "description": "SAR defines the SAR to be used in the oauth-proxy\ndefault is \"{\"namespace\": \"\", \"resource\": \"pods\", \"verb\": \"get\"}", "type": "string" } }, "type": "object", "additionalProperties": false }, "enabled": { "description": "Enabled defines if the Jaeger Query component should be created.", "type": "boolean" }, "findTracesConcurrentRequests": { "description": "FindTracesConcurrentRequests defines how many concurrent request a single trace search can submit (defaults querier.replicas*2).\nThe search for traces in Jaeger submits limit+1 requests. First requests finds trace IDs and then it fetches\nentire traces by ID. This property allows Jaeger to fetch traces in parallel.\nNote that by default a single Tempo querier can process 20 concurrent search jobs.\nIncreasing this property might require scaling up querier instances, especially on error \"job queue full\"\nSee also Tempo's extraConfig:\nquerier.max_concurrent_queries (20 default)\nquery_frontend.max_outstanding_per_tenant: (2000 default). Increase if the query-frontend returns 429", "type": "integer" }, "ingress": { "description": "Ingress defines the options for the Jaeger Query ingress.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations defines the annotations of the Ingress object.", "type": "object" }, "host": { "description": "Host defines the hostname of the Ingress object.", "type": "string" }, "ingressClassName": { "description": "IngressClassName defines the name of an IngressClass cluster resource.\nDefines which ingress controller serves this ingress resource.", "type": "string" }, "route": { "description": "Route defines the options for the OpenShift route.", "properties": { "termination": { "description": "Termination defines the termination type.\nThe default is \"edge\".", "enum": [ "insecure", "edge", "passthrough", "reencrypt" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "type": { "description": "Type defines the type of Ingress for the Jaeger Query UI.\nCurrently ingress, route and none are supported.", "enum": [ "ingress", "route", "" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "monitorTab": { "description": "MonitorTab defines the monitor tab configuration.", "properties": { "enabled": { "description": "Enabled enables the monitor tab in the Jaeger console.\nThe PrometheusEndpoint must be configured to enable this feature.", "type": "boolean" }, "prometheusEndpoint": { "description": "PrometheusEndpoint defines the endpoint to the Prometheus instance that contains the span rate, error, and duration (RED) metrics.\nFor instance on OpenShift this is set to https://thanos-querier.openshift-monitoring.svc.cluster.local:9091", "type": "string" }, "redMetricsNamespace": { "description": "REDMetricsNamespace defines the a prefix used retrieve span rate, error, and duration (RED) metrics.", "type": "string" } }, "type": "object", "additionalProperties": false }, "resources": { "description": "Resources defines resources for this component, this will override the calculated resources derived from total", "properties": { "claims": { "description": "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.", "items": { "description": "ResourceClaim references one entry in PodSpec.ResourceClaims.", "properties": { "name": { "description": "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.", "type": "string" }, "request": { "description": "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "limits": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" }, "requests": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" } }, "type": "object", "additionalProperties": false }, "servicesQueryDuration": { "description": "ServicesQueryDuration defines how long the services will be available in the services list", "type": "string" }, "tempoQuery": { "description": "TempoQuery defines options specific to the Tempoo Query component.", "properties": { "resources": { "description": "Resources defines resources for this component, this will override the calculated resources derived from total", "properties": { "claims": { "description": "Claims lists the names of resources, defined in spec.resourceClaims,\nthat are used by this container.\n\nThis field depends on the\nDynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.", "items": { "description": "ResourceClaim references one entry in PodSpec.ResourceClaims.", "properties": { "name": { "description": "Name must match the name of one entry in pod.spec.resourceClaims of\nthe Pod where this field is used. It makes that resource available\ninside a container.", "type": "string" }, "request": { "description": "Request is the name chosen for a request in the referenced claim.\nIf empty, everything from the claim is made available, otherwise\nonly the result of this request.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "limits": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Limits describes the maximum amount of compute resources allowed.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" }, "requests": { "additionalProperties": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$", "x-kubernetes-int-or-string": true }, "description": "Requests describes the minimum amount of compute resources required.\nIf Requests is omitted for a container, it defaults to Limits if that is explicitly specified,\notherwise to an implementation-defined value. Requests cannot exceed Limits.\nMore info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "type": "object" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "mcpServer": { "description": "MCPServer defines the MCP (Model Context Protocol) server configuration.\nThe MCP server allows AI assistants to query tracing data.", "properties": { "enabled": { "description": "Enabled defines if the MCP (Model Context Protocol) server should be enabled.", "type": "boolean" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "tenants": { "description": "Tenants defines the per-tenant authentication and authorization spec.", "properties": { "authentication": { "description": "Authentication defines the tempo-gateway component authentication configuration spec per tenant.", "items": { "description": "AuthenticationSpec defines the oidc configuration per tenant for tempo Gateway component.", "properties": { "oidc": { "description": "OIDC defines the spec for the OIDC tenant's authentication.", "properties": { "groupClaim": { "description": "Group claim field from ID Token", "type": "string" }, "issuerURL": { "description": "IssuerURL defines the URL for issuer.", "type": "string" }, "redirectURL": { "description": "RedirectURL defines the URL for redirect.", "type": "string" }, "secret": { "description": "Secret defines the spec for the clientID, clientSecret and issuerCAPath for tenant's authentication.", "properties": { "name": { "description": "Name of a secret in the namespace configured for tenant secrets.", "type": "string" } }, "type": "object", "additionalProperties": false }, "usernameClaim": { "description": "User claim field from ID Token", "type": "string" } }, "type": "object", "additionalProperties": false }, "tenantId": { "description": "TenantID defines a universally unique identifier of the tenant.\nUnlike the tenantName, which must be unique at a given time, the tenantId must be unique over the entire lifetime of the Tempo deployment.\nTempo uses this ID to prefix objects in the object storage.", "type": "string" }, "tenantName": { "description": "TenantName defines a human readable, unique name of the tenant.\nThe value of this field must be specified in the X-Scope-OrgID header and in the resources field of a ClusterRole to identify the tenant.", "type": "string" } }, "required": [ "tenantId", "tenantName" ], "type": "object", "additionalProperties": false }, "type": "array" }, "authorization": { "description": "Authorization defines the tempo-gateway component authorization configuration spec per tenant.", "properties": { "roleBindings": { "description": "RoleBindings defines configuration to bind a set of roles to a set of subjects.", "items": { "description": "RoleBindingsSpec binds a set of roles to a set of subjects.", "properties": { "name": { "type": "string" }, "roles": { "items": { "type": "string" }, "type": "array" }, "subjects": { "items": { "description": "Subject represents a subject that has been bound to a role.", "properties": { "kind": { "description": "SubjectKind is a kind of Tempo Gateway RBAC subject.", "enum": [ "user", "group" ], "type": "string" }, "name": { "type": "string" } }, "required": [ "kind", "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "name", "roles", "subjects" ], "type": "object", "additionalProperties": false }, "type": "array" }, "roles": { "description": "Roles defines a set of permissions to interact with a tenant.", "items": { "description": "RoleSpec describes a set of permissions to interact with a tenant.", "properties": { "name": { "type": "string" }, "permissions": { "items": { "description": "PermissionType is a Tempo Gateway RBAC permission.", "enum": [ "read", "write" ], "type": "string" }, "type": "array" }, "resources": { "items": { "type": "string" }, "type": "array" }, "tenants": { "items": { "type": "string" }, "type": "array" } }, "required": [ "name", "permissions", "resources", "tenants" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "mode": { "default": "static", "description": "Mode defines the multitenancy mode.", "enum": [ "static", "openshift" ], "type": "string" } }, "required": [ "mode" ], "type": "object", "additionalProperties": false }, "timeout": { "description": "Timeout configures the same timeout on all components starting at ingress down to the ingestor/querier.\nTimeout configuration on a specific component has a higher precedence.\nDefaults to 30 seconds.", "type": "string" } }, "required": [ "managementState", "storage" ], "type": "object", "additionalProperties": false }, "status": { "description": "TempoStackStatus defines the observed state of TempoStack.", "properties": { "components": { "description": "Components provides summary of all Tempo pod status grouped\nper component.", "properties": { "compactor": { "additionalProperties": { "items": { "type": "string" }, "type": "array" }, "description": "Compactor is a map to the pod status of the compactor pod.", "type": "object" }, "distributor": { "additionalProperties": { "items": { "type": "string" }, "type": "array" }, "description": "Distributor is a map to the per pod status of the distributor deployment", "type": "object" }, "gateway": { "additionalProperties": { "items": { "type": "string" }, "type": "array" }, "description": "Gateway is a map to the per pod status of the query frontend deployment", "type": "object" }, "ingester": { "additionalProperties": { "items": { "type": "string" }, "type": "array" }, "description": "Ingester is a map to the per pod status of the ingester statefulset", "type": "object" }, "querier": { "additionalProperties": { "items": { "type": "string" }, "type": "array" }, "description": "Querier is a map to the per pod status of the querier deployment", "type": "object" }, "queryFrontend": { "additionalProperties": { "items": { "type": "string" }, "type": "array" }, "description": "QueryFrontend is a map to the per pod status of the query frontend deployment", "type": "object" } }, "type": "object", "additionalProperties": false }, "conditions": { "description": "Conditions of the Tempo deployment health.", "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer", "maximum": 9223372036854776000 }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "operatorVersion": { "description": "Version of the Tempo Operator.", "type": "string" }, "tempoQueryVersion": { "description": "DEPRECATED. Version of the Tempo Query component used.", "type": "string" }, "tempoVersion": { "description": "Version of the managed Tempo instance.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false, "$schema": "http://json-schema.org/draft-04/schema#" }