Manifest
A manifest is a YAML or JSON file that defines one or more resources to be created and managed by Kubernetes. These files serve as the blueprint for the system to understand what the user wishes to create, modify, or delete. They include specifications such as metadata (names and labels), desired states, resource types, and specifics concerning the deployment configuration.
Manifests are used to declare configurations for applications and services in a Kubernetes cluster. They are vital for defining resources, version control, automation, cluster management, customisation, and extensibility.
Configuration
OBLV Deploy leverages these manifests to ensure that all components are correctly instantiated, configured, and maintained. Below you will find an example manifest.yaml file, and all its content broken down into parts, along with descriptions and a flag defining the required properties.
Manifest Example
Ensure all Manifest components are accurately defined to facilitate seamless integration and operation. Use the schema below as a model to create your own Manifest:
Manifest schema
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: nitroenclavedeployments.k8s.oblv.com
spec:
group: k8s.oblv.com
names:
kind: NitroEnclaveDeployment
plural: nitroenclavedeployments
singular: nitroenclavedeployment
shortNames:
- ned
scope: Namespaced
versions:
- name: v1alpha1
additionalPrinterColumns:
- jsonPath: .status.ready
name: Ready
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .status.status
name: Status
type: string
schema:
openAPIV3Schema:
description: "NitrEnclaveDeployment is the Schema for the nitroenclavedeployments API"
properties:
apiVersion:
description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources"
type: string
kind:
type: string
description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds"
metadata:
type: object
spec:
description: "NitroDeployment spec defines the desired state of NitroDeployment"
properties:
instanceType:
description: "The instance type. For more information, see Instance types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) in the Amazon EC2 User Guide. \n Default: m1.small"
type: string
subnetID:
description: "[EC2-VPC] The ID of the subnet to launch the instance into. \n If you specify a network interface, you must specify any subnets as part of the network interface."
type: string
tags:
description: The tags. The value parameter is required, but if you don't want the tag to have a value, specify the parameter with no value, and we set the value to an empty string.
items:
description: Describes a tag.
properties:
key:
type: string
value:
type: string
type: object
type: array
keyName:
description: "The name of the key pair. You can create a key pair using CreateKeyPair (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateKeyPair.html) or ImportKeyPair (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html). \n If you do not specify a key pair, you can't connect to the instance unless you choose an AMI that is configured to allow users another way to log in."
type: string
securityGroupIDs:
description: "The IDs of the security groups. You can create a security group using CreateSecurityGroup (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html). \n If you specify a network interface, you must specify any security groups as part of the network interface."
items:
type: string
type: array
replicaCount:
description: "The number of replicas to launch in the enclave. \n Default: 1"
type: integer
minimum: 1
internetFacing:
description: "Whether to expose the cluster to the internet. \n Default: false"
type: boolean
serviceDomainName:
description: "The domain at which the cluster should be accessibe at. example: mycluster.example.com"
type: string
tlsCertificate:
description: "The TLS certificate to use for the inbound Proxy. The certificate must be in PEM format."
type: object
properties:
secretName:
type: string
secretKey:
type: string
required:
- secretName
- secretKey
enclaveSpec:
type: object
description: Specification for the nitro enclave instance
properties:
containers:
type: array
items:
description: Configuration for the user container
type: object
properties:
name:
type: string
image:
type: string
imagePullSecret:
type: string
ports:
description: List of port mappings for the user container
type: array
items:
type: object
properties:
hostPort:
type: integer
minimum: 1
maximum: 65535
containerPort:
type: integer
minimum: 1
maximum: 65535
required:
- containerPort
volumes:
description: List of volumes to be mounted to the user container
type: array
items:
type: object
properties:
name:
type: string
containerPath:
type: string
readOnly:
type: boolean
source:
type: object
properties:
hostPath:
type: string
configMap:
type: object
properties:
name:
type: string
items:
type: array
items:
type: object
properties:
key:
type: string
path:
type: string
required:
- key
- path
required:
- name
oneOf:
- required:
- hostPath
- required:
- configMap
required:
- containerPath
- source
- readOnly
- name
env:
description: List of environment variables for the user container
type: array
items:
type: object
properties:
name:
type: string
value:
type: string
valueFrom:
type: object
properties:
configMapKeyRef:
type: object
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
- name
secretKeyRef:
type: object
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
- name
required:
- name
outboundConnections:
description: List of outbound connections to be allowed from the user container
type: array
items:
type: object
properties:
fqdn:
type: object
properties:
value:
type: string
configmap:
type: object
properties:
name:
type: string
key:
type: string
type:
type: string
enum:
- yaml
- json
- toml
- ini
ref:
type: string
pattern: ^([a-zA-Z0-9-]+#)*[a-zA-Z0-9-]+$
oneOf:
- required:
- value
- required:
- configmap
redirects:
type: boolean
port:
type: integer
minimum: 1
maximum: 65535
tls:
type: boolean
required:
- fqdn
- redirects
command:
type: array
items:
type: string
args:
type: array
items:
type: string
securityContext:
description: Describes the security context for the user container
type: object
properties:
allowPrivilegeEscalation:
type: boolean
capabilities:
type: object
properties:
add:
type: array
items:
type: string
drop:
type: array
items:
type: string
privileged:
type: boolean
readOnlyRootFilesystem:
type: boolean
runAsGroup:
type: integer
runAsNonRoot:
type: boolean
runAsUser:
type: integer
seLinuxOptions:
type: object
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
seccompProfile:
type: object
properties:
type:
type: string
localhostProfile:
type: string
required:
- type
required:
- name
- image
tags:
type: array
items:
description: Tag schema for common components
type: object
properties:
key:
type: string
value:
type: string
required:
- key
- value
plugins:
type: object
properties:
auth:
description: Configuration of auth plugin
type: object
properties:
spec:
type: object
properties:
ports:
description: List of port mappings for the auth plugin container
type: array
items:
type: object
properties:
hostPort:
type: integer
minimum: 1
maximum: 65535
containerPort:
type: integer
minimum: 1
maximum: 65535
required:
- containerPort
volumes:
description: List of volumes to be mounted to the auth plugin container
type: array
items:
type: object
properties:
name:
type: string
containerPath:
type: string
readOnly:
type: boolean
source:
type: object
properties:
hostPath:
type: string
configMap:
type: object
properties:
name:
type: string
items:
type: array
items:
type: object
properties:
key:
type: string
path:
type: string
required:
- key
- path
required:
- name
oneOf:
- required:
- hostPath
- required:
- configMap
required:
- containerPath
- source
- readOnly
- name
outboundConnections:
description: List of outbound connections to be allowed from the auth plugin container
type: array
items:
type: object
properties:
fqdn:
type: object
properties:
value:
type: string
configmap:
type: object
properties:
name:
type: string
key:
type: string
type:
type: string
enum:
- yaml
- json
- toml
- ini
ref:
type: string
pattern: ^([a-zA-Z0-9-]+#)*[a-zA-Z0-9-]+$
oneOf:
- required:
- value
- required:
- configmap
redirects:
type: boolean
port:
type: integer
minimum: 1
maximum: 65535
tls:
type: boolean
required:
- fqdn
- redirects
env:
description: List of environment variables for the auth plugin container
type: array
items:
type: object
properties:
name:
type: string
value:
type: string
valueFrom:
type: object
properties:
configMapKeyRef:
type: object
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
- name
secretKeyRef:
type: object
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
- name
required:
- name
resources:
description: Resources Privilege (cpu|ram) for the auth plugin container
type: object
properties:
cpu:
type: string
pattern: ^[0-9]+(m)?$
description: Amount of CPU. e.g., '100m' represents 0.1 CPU.
ram:
type: string
pattern: ^[0-9]+(Mi|Gi)?$
description: Amount of RAM. e.g., '512Mi' represents 512 Mebibytes.
anyOf:
- required:
- cpu
- required:
- ram
command:
type: array
items:
type: string
args:
type: array
items:
type: string
securityContext:
description: Describes the security context for the auth plugin container
type: object
properties:
allowPrivilegeEscalation:
type: boolean
capabilities:
type: object
properties:
add:
type: array
items:
type: string
drop:
type: array
items:
type: string
privileged:
type: boolean
readOnlyRootFilesystem:
type: boolean
runAsGroup:
type: integer
runAsNonRoot:
type: boolean
runAsUser:
type: integer
seLinuxOptions:
type: object
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
seccompProfile:
type: object
properties:
type:
type: string
localhostProfile:
type: string
required:
- type
kind:
type: string
name:
type: string
inheritFrom:
type: string
description: The name of the auth plugin resource to inherit from
image:
type: string
imagePullSecret:
type: string
required:
- kind
- name
- image
logging:
description: Configuration of logging plugin
type: object
properties:
spec:
type: object
properties:
volumes:
description: List of volumes to be mounted to the logging plugin container
type: array
items:
type: object
properties:
name:
type: string
containerPath:
type: string
readOnly:
type: boolean
source:
type: object
properties:
hostPath:
type: string
configMap:
type: object
properties:
name:
type: string
items:
type: array
items:
type: object
properties:
key:
type: string
path:
type: string
required:
- key
- path
required:
- name
oneOf:
- required:
- hostPath
- required:
- configMap
required:
- containerPath
- source
- readOnly
- name
logsAccess:
type: string
description: Containers to listen to stdout/stderr of (main/plugins/all).
enum:
- main
- plugins
- all
outboundConnections:
description: List of outbound connections to be allowed from the logging plugin container
type: array
items:
type: object
properties:
fqdn:
type: object
properties:
value:
type: string
configmap:
type: object
properties:
name:
type: string
key:
type: string
type:
type: string
enum:
- yaml
- json
- toml
- ini
ref:
type: string
pattern: ^([a-zA-Z0-9-]+#)*[a-zA-Z0-9-]+$
oneOf:
- required:
- value
- required:
- configmap
redirects:
type: boolean
port:
type: integer
minimum: 1
maximum: 65535
tls:
type: boolean
required:
- fqdn
- redirects
env:
description: List of environment variables for the logging plugin container
type: array
items:
type: object
properties:
name:
type: string
value:
type: string
valueFrom:
type: object
properties:
configMapKeyRef:
type: object
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
- name
secretKeyRef:
type: object
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
- name
required:
- name
command:
type: array
items:
type: string
args:
type: array
items:
type: string
securityContext:
description: Describes the security context for the logging plugin container
type: object
properties:
allowPrivilegeEscalation:
type: boolean
capabilities:
type: object
properties:
add:
type: array
items:
type: string
drop:
type: array
items:
type: string
privileged:
type: boolean
readOnlyRootFilesystem:
type: boolean
runAsGroup:
type: integer
runAsNonRoot:
type: boolean
runAsUser:
type: integer
seLinuxOptions:
type: object
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
seccompProfile:
type: object
properties:
type:
type: string
localhostProfile:
type: string
required:
- type
kind:
type: string
name:
type: string
inheritFrom:
type: string
description: The name of the logging plugin resource to inherit from
image:
type: string
imagePullSecret:
type: string
required:
- kind
- name
- image
proxy:
description: Configuration of proxy plugin
type: object
properties:
spec:
type: object
properties:
ports:
description: List of port mappings for the proxy plugin container
type: array
items:
type: object
properties:
hostPort:
type: integer
minimum: 1
maximum: 65535
containerPort:
type: integer
minimum: 1
maximum: 65535
required:
- containerPort
outboundConnections:
description: List of outbound connections to be allowed from the proxy plugin container
type: array
items:
type: object
properties:
fqdn:
type: object
properties:
value:
type: string
configmap:
type: object
properties:
name:
type: string
key:
type: string
type:
type: string
enum:
- yaml
- json
- toml
- ini
ref:
type: string
pattern: ^([a-zA-Z0-9-]+#)*[a-zA-Z0-9-]+$
oneOf:
- required:
- value
- required:
- configmap
redirects:
type: boolean
port:
type: integer
minimum: 1
maximum: 65535
tls:
type: boolean
required:
- fqdn
- redirects
command:
type: array
items:
type: string
args:
type: array
items:
type: string
securityContext:
description: Describes the security context for the proxy plugin container
type: object
properties:
allowPrivilegeEscalation:
type: boolean
capabilities:
type: object
properties:
add:
type: array
items:
type: string
drop:
type: array
items:
type: string
privileged:
type: boolean
readOnlyRootFilesystem:
type: boolean
runAsGroup:
type: integer
runAsNonRoot:
type: boolean
runAsUser:
type: integer
seLinuxOptions:
type: object
properties:
level:
type: string
role:
type: string
type:
type: string
user:
type: string
seccompProfile:
type: object
properties:
type:
type: string
localhostProfile:
type: string
required:
- type
kind:
type: string
name:
type: string
inheritFrom:
type: string
description: The name of the plugin to inherit from
image:
type: string
imagePullSecret:
type: string
required:
- kind
- name
- image
required:
- containers
- plugins
required:
- instanceType
- subnetID
- enclaveSpec
- tlsCertificate
type: object
status:
description: "NitroDeploymentStatus defines the observed state of NitroDeployment"
properties:
proxyDeploymentName:
description: "The name of the deployment that is running the inbound proxy"
type: string
ready:
description: "The number of replicas that are ready"
type: string
status:
description: "Overall status of the deployment"
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
openAPIV3Schema
The openAPIV3Schema defines the schema for the API of nitroenclavedeployments. The schema requires the following properties:
| Property | Type | Required | Description |
|---|---|---|---|
| apiVersion | string |  | Specifies the API version. This field informs the Kubernetes API server of the schema version of this object, which is crucial for data serialisation and deserialisation processes. |
| kind | string | | Indicates the type of the resource in CamelCase. This field helps the server process the object based on the REST resource it represents and is fixed once set. |
| metadata | string |  | Contains metadata about the resource, such as labels and annotations. For additional details, you can refer to the Kubernetes documentation on Object Metadata. |
| spec | object | | Describes the desired specifications of the NitroDeployment, detailing what the configuration should achieve. |
| status | object | | Provides the current observed state of the NitroDeployment, automatically updated by the system to reflect real-time information. |
Spec Properties
The spec property outlines the desired state of a NitroDeployment, involving configurations that dictate how the deployment should be established:
| Property | Type | Required | Description |
|---|---|---|---|
| instanceType | string | | Specifies the EC2 instance type. Refer to Instance types for more details. Default: m1.small. |
| subnetID | string | | Identifies the VPC subnet for instance launch. This is necessary if a network interface is specified, and all subnets must be defined in the network interface context. |
| tags | array | | Tags assigned to the deployment. Each tag requires a value; if omitted, it defaults to an empty string. |
| keyName | string | | Names an EC2 key pair for instance access. Key pairs can be created via CreateKeyPair or imported via ImportKeyPair. |
| securityGroupIDs | array | | Lists security group IDs. Security groups can be specified as part of a network interface if required, and can be created using CreateSecurityGroup. |
| replicaCount | integer | | Determines the number of replicas to be launched in the enclave. Default: 1. |
| internetFacing | boolean | | Controls whether the cluster is accessible over the internet. Default: false. |
| serviceDomainName | string | | Defines the domain where the cluster should be accessible. Example: mycluster.example.com. |
| tlsCertificate | object | | Specifies the TLS certificate in PEM format for the inbound proxy. |
| enclaveSpec | object | | Provides the detailed specifications for the Nitro Enclave instance, including container and plugin configurations. |
Enclave Specification
The enclaveSpec property details the required configurations for the efficient operation of a Nitro Enclave instance:
| Property | Type | Required | Description |
|---|---|---|---|
| containers | array | | An array of container configurations. Each container configuration includes details such as port mappings, volumes, environment variables, outbound connections, and security context. |
| tags | array | | Defines tags for common components within the enclave. |
| plugins | object | | Specifies plugin configurations within the enclave, detailing each plugin's ports, volumes, outbound connections, environment variables, resources, and security context. |
Containers
The containers array includes configurations for user containers within the Nitro Enclave. Each container can be specifically configured as follows:
| Property | Type | Description |
|---|---|---|
| items | object | Defines the configuration details for each container, encapsulating its entire setup. |
| ports | array | Specifies a list of port mappings, determining which ports are open and their mappings inside the container. |
| volumes | array | Lists volumes to be mounted within the container, providing storage and data persistence options. |
| env | array | Enumerates environment variables to be set in the container, crucial for configuration and runtime settings. |
| outboundConnections | array | Defines the outbound connections that are permitted from the container, ensuring controlled external access. |
| securityContext | object | Details the security settings for the container, such as permissions and other security-enhancing measures. |
Plugins
The plugins object details configurations for each plugin contained within the enclave. Each plugin configuration may include:
| Property | Type | Description |
|---|---|---|
| ports | array | Outlines the port mappings for the plugin container, essential for network traffic management. |
| volumes | array | Describes the volumes that are mounted to the plugin container, necessary for data handling and persistence. |
| outboundConnections | array | Specifies allowed outbound connections for the plugin container, which is critical for interacting with external services. |
| env | array | Lists environment variables set within the plugin container, which are pivotal for its operation and integration. |
| resources | object | Details the resources allocated to the plugin container, such as CPU and RAM, ensuring adequate performance. |
| securityContext | object | Provides the security context for the plugin container, focusing on securing access and operations within it. |
| inheritFrom | string | Names the resource from which the plugin container inherits configurations, promoting reusability and consistency. |
Status
The status object provides insight into the current observed state of the NitroDeployment:
| Property | Type | Description |
|---|---|---|
| proxyDeploymentName | string | Identifies the deployment managing the inbound proxy. |
| ready | string | Displays the number of ready replicas. |
| status | string | Describes the overall status of the deployment, such as Active, Pending, or Failed. |
What's Next?
For additional information about how OBLV Deploy uses manifests, access the Deployment page.