NAIS Job reference

This document describes all possible configuration values in the Naisjob spec.

accessPolicy

By default, no traffic is allowed between naisjobs inside the cluster. Configure access policies to explicitly allow communication between naisjobs. This is also used for granting inbound access in the context of Azure AD and TokenX clients.

Type: object
Required: false

Example
spec:
  accessPolicy:
    inbound:
      rules:
      - application: app1
      - application: app2
        namespace: q1
      - application: app3
        cluster: dev-gcp
        namespace: q2
      - application: '*'
        namespace: q3
    outbound:
      external:
      - host: external-application.example.com
      - host: non-http-service.example.com
        ports:
        - name: kafka
          port: 9200
          protocol: TCP
      rules:
      - application: app1
      - application: app2
        namespace: q1
      - application: app3
        cluster: dev-gcp
        namespace: q2
      - application: '*'
        namespace: q3

accessPolicy.inbound

Configures inbound access for your application.

Type: object
Required: false

Example
spec:
  accessPolicy:
    inbound:
      rules:
      - application: app1
      - application: app2
        namespace: q1
      - application: app3
        cluster: dev-gcp
        namespace: q2
      - application: '*'
        namespace: q3

accessPolicy.inbound.rules

List of NAIS applications that may access your application. These settings apply both to Zero Trust network connectivity and token validity for Azure AD and TokenX tokens.

Type: array
Required: true

Example
spec:
  accessPolicy:
    inbound:
      rules:
      - application: app1
      - application: app2
        namespace: q1
      - application: app3
        cluster: dev-gcp
        namespace: q2
      - application: '*'
        namespace: q3

accessPolicy.inbound.rules[].application

The application's name.

Type: string
Required: true

Example
spec:
  accessPolicy:
    inbound:
      rules:
      - application: app1
      - application: app2
        namespace: q1
      - application: app3
        cluster: dev-gcp
        namespace: q2
      - application: '*'
        namespace: q3

accessPolicy.inbound.rules[].cluster

The application's cluster. May be omitted if it should be in the same cluster as your application.

Type: string
Required: false

Example
spec:
  accessPolicy:
    inbound:
      rules:
      - application: app1
      - application: app2
        namespace: q1
      - application: app3
        cluster: dev-gcp
        namespace: q2
      - application: '*'
        namespace: q3

accessPolicy.inbound.rules[].namespace

The application's namespace. May be omitted if it should be in the same namespace as your application.

Type: string
Required: false

Example
spec:
  accessPolicy:
    inbound:
      rules:
      - application: app1
      - application: app2
        namespace: q1
      - application: app3
        cluster: dev-gcp
        namespace: q2
      - application: '*'
        namespace: q3

accessPolicy.outbound

Configures outbound access for your application.

Type: object
Required: false

Example
spec:
  accessPolicy:
    outbound:
      external:
      - host: external-application.example.com
      - host: non-http-service.example.com
        ports:
        - name: kafka
          port: 9200
          protocol: TCP
      rules:
      - application: app1
      - application: app2
        namespace: q1
      - application: app3
        cluster: dev-gcp
        namespace: q2
      - application: '*'
        namespace: q3

accessPolicy.outbound.external

List of external resources that your applications should be able to reach.

Type: array
Required: false
Availability: GCP

Example
spec:
  accessPolicy:
    outbound:
      external:
      - host: external-application.example.com
      - host: non-http-service.example.com
        ports:
        - name: kafka
          port: 9200
          protocol: TCP

accessPolicy.outbound.external[].host

The host that your application should be able to reach, given without the protocol (e.g. https://).

Type: string
Required: true

Example
spec:
  accessPolicy:
    outbound:
      external:
      - host: external-application.example.com
      - host: non-http-service.example.com
        ports:
        - name: kafka
          port: 9200
          protocol: TCP

accessPolicy.outbound.external[].ports

List of port rules for external communication. Must be specified if using protocols other than HTTPS.

Type: array
Required: false

Example
spec:
  accessPolicy:
    outbound:
      external:
      - host: external-application.example.com
      - host: non-http-service.example.com
        ports:
        - name: kafka
          port: 9200
          protocol: TCP

accessPolicy.outbound.external[].ports[].name

Human-readable identifier for this rule.

Type: string
Required: true

Example
spec:
  accessPolicy:
    outbound:
      external:
      - host: external-application.example.com
      - host: non-http-service.example.com
        ports:
        - name: kafka
          port: 9200
          protocol: TCP

accessPolicy.outbound.external[].ports[].port

The port used for communication.

Type: integer
Required: true

Example
spec:
  accessPolicy:
    outbound:
      external:
      - host: external-application.example.com
      - host: non-http-service.example.com
        ports:
        - name: kafka
          port: 9200
          protocol: TCP

accessPolicy.outbound.external[].ports[].protocol

The protocol used for communication.

Type: enum
Required: true
Allowed values: GRPC, HTTP, HTTP2, HTTPS, MONGO, TCP, TLS

Example
spec:
  accessPolicy:
    outbound:
      external:
      - host: external-application.example.com
      - host: non-http-service.example.com
        ports:
        - name: kafka
          port: 9200
          protocol: TCP

accessPolicy.outbound.rules

List of NAIS applications that your application needs to access. These settings apply to Zero Trust network connectivity.

Type: array
Required: false

Example
spec:
  accessPolicy:
    outbound:
      rules:
      - application: app1
      - application: app2
        namespace: q1
      - application: app3
        cluster: dev-gcp
        namespace: q2
      - application: '*'
        namespace: q3

accessPolicy.outbound.rules[].application

The application's name.

Type: string
Required: true

Example
spec:
  accessPolicy:
    outbound:
      rules:
      - application: app1
      - application: app2
        namespace: q1
      - application: app3
        cluster: dev-gcp
        namespace: q2
      - application: '*'
        namespace: q3

accessPolicy.outbound.rules[].cluster

The application's cluster. May be omitted if it should be in the same cluster as your application.

Type: string
Required: false

Example
spec:
  accessPolicy:
    outbound:
      rules:
      - application: app1
      - application: app2
        namespace: q1
      - application: app3
        cluster: dev-gcp
        namespace: q2
      - application: '*'
        namespace: q3

accessPolicy.outbound.rules[].namespace

The application's namespace. May be omitted if it should be in the same namespace as your application.

Type: string
Required: false

Example
spec:
  accessPolicy:
    outbound:
      rules:
      - application: app1
      - application: app2
        namespace: q1
      - application: app3
        cluster: dev-gcp
        namespace: q2
      - application: '*'
        namespace: q3
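
As an added example (not part of the NAIS documentation or code base), the following Python check applies the accessPolicy rules stated above to a parsed spec and flags wildcard rules for review. It takes the spec as a dict, as a YAML parser would return it; the function names, the sample spec and the reading of '*' as every application in the namespace are assumptions of this example.

```python
# Allowed values for accessPolicy.outbound.external[].ports[].protocol, as listed on this page.
ALLOWED_PROTOCOLS = {"GRPC", "HTTP", "HTTP2", "HTTPS", "MONGO", "TCP", "TLS"}


def _check_rules(direction, rules, findings):
    """Check the entries of accessPolicy.<direction>.rules."""
    for i, rule in enumerate(rules or []):
        path = f"accessPolicy.{direction}.rules[{i}]"
        app = rule.get("application")
        if not app:
            findings.append(("error", path, "application is required"))
        elif app == "*":
            # Assumption: '*' matches every application in the namespace.
            scope = rule.get("namespace") or "the job's own namespace"
            findings.append(("review", path, f"wildcard covers every application in {scope}"))


def _check_external(external, findings):
    """Check the entries of accessPolicy.outbound.external."""
    for i, ext in enumerate(external or []):
        path = f"accessPolicy.outbound.external[{i}]"
        host = ext.get("host")
        if not host:
            findings.append(("error", path, "host is required"))
        elif "://" in host:
            findings.append(("error", path, "host must be given without the protocol"))
        for j, port in enumerate(ext.get("ports") or []):
            ppath = f"{path}.ports[{j}]"
            for field in ("name", "port", "protocol"):
                if field not in port:
                    findings.append(("error", ppath, f"{field} is required"))
            number = port.get("port")
            if "port" in port and (isinstance(number, bool) or not isinstance(number, int)):
                findings.append(("error", ppath, "port must be an integer"))
            proto = port.get("protocol")
            if proto is not None and proto not in ALLOWED_PROTOCOLS:
                findings.append(("error", ppath, f"protocol {proto!r} is not an allowed value"))


def audit_access_policy(spec):
    """Return (severity, path, message) findings for spec.accessPolicy."""
    findings = []
    policy = spec.get("accessPolicy") or {}
    inbound = policy.get("inbound")
    if inbound is not None:
        if "rules" not in inbound:
            findings.append(("error", "accessPolicy.inbound", "rules is required"))
        _check_rules("inbound", inbound.get("rules"), findings)
    outbound = policy.get("outbound") or {}
    _check_rules("outbound", outbound.get("rules"), findings)
    _check_external(outbound.get("external"), findings)
    return findings


# Constructed sample: the page's example with four deliberate problems.
SAMPLE_SPEC = {
    "accessPolicy": {
        "inbound": {"rules": [
            {"application": "app1"},
            {"application": "*", "namespace": "q3"},
        ]},
        "outbound": {
            "external": [
                {"host": "https://external-application.example.com"},
                {"host": "non-http-service.example.com",
                 "ports": [{"name": "kafka", "port": 9200, "protocol": "KAFKA"}]},
            ],
            "rules": [{"namespace": "q1"}],
        },
    }
}

if __name__ == "__main__":
    for severity, path, message in audit_access_policy(SAMPLE_SPEC):
        print(f"{severity:6} {path}: {message}")
```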

activeDeadlineSeconds

Once a Naisjob reaches activeDeadlineSeconds, all of its running Pods are terminated and the Naisjob status will become type: Failed with reason: DeadlineExceeded. If set, this takes precedence over BackoffLimit.

Type: integer
Required: false

Example
spec:
  activeDeadlineSeconds: 60

azure

Provisions and configures Azure resources.

Type: object
Required: false

Example
spec:
  azure:
    application:
      claims:
        extra:
        - NAVident
        - azp_name
        groups:
        - id: 00000000-0000-0000-0000-000000000000
      enabled: true
      replyURLs:
      - https://myapplication.nav.no/oauth2/callback
      tenant: nav.no

azure.application

Configures an Azure AD client for this application. See Azure AD for more details.

Type: object
Required: true

Example
spec:
  azure:
    application:
      claims:
        extra:
        - NAVident
        - azp_name
        groups:
        - id: 00000000-0000-0000-0000-000000000000
      enabled: true
      replyURLs:
      - https://myapplication.nav.no/oauth2/callback
      tenant: nav.no

azure.application.claims

Claims defines additional configuration of the emitted claims in tokens returned to the Azure AD application.

Type: object
Required: false

Example
spec:
  azure:
    application:
      claims:
        extra:
        - NAVident
        - azp_name
        groups:
        - id: 00000000-0000-0000-0000-000000000000

azure.application.claims.extra

Extra is a list of additional claims to be mapped from an associated claim-mapping policy.

Type: array
Required: false

Example
spec:
  azure:
    application:
      claims:
        extra:
        - NAVident
        - azp_name

azure.application.claims.groups

Groups is a list of Azure AD group IDs to be emitted in the 'Groups' claim.

Type: array
Required: false

Example
spec:
  azure:
    application:
      claims:
        groups:
        - id: 00000000-0000-0000-0000-000000000000

azure.application.claims.groups[].id

ID is the actual object ID associated with the given group in Azure AD.

Type: string
Required: false

Example
spec:
  azure:
    application:
      claims:
        groups:
        - id: 00000000-0000-0000-0000-000000000000

azure.application.enabled

Whether to enable provisioning of an Azure AD application. If enabled, an Azure AD application will be provisioned.

Type: boolean
Required: true
Default value: false

Example
spec:
  azure:
    application:
      enabled: true

azure.application.replyURLs

ReplyURLs is a list of allowed redirect URLs used when performing OpenID Connect flows for authenticating end-users.

Type: array
Required: false

Example
spec:
  azure:
    application:
      replyURLs:
      - https://myapplication.nav.no/oauth2/callback

azure.application.tenant

A Tenant represents an organization in Azure AD. If unspecified, will default to trygdeetaten.no for development clusters and nav.no for production clusters.

Type: enum
Required: false
Allowed values: nav.no, trygdeetaten.no

Example
spec:
  azure:
    application:
      tenant: nav.no

backoffLimit

Specify the number of retries before considering a Naisjob as failed.

Type: integer
Required: false
Default value: 6

Example
spec:
  backoffLimit: 5

command

Override command when starting Docker image.

Type: array
Required: false

Example
spec:
  command:
  - /app/myapplication
  - --param
  - value
  - --other-param
  - other-value

elastic

Type: object
Required: false

Example
spec:
  elastic:
    instance: my-elastic-instance

elastic.instance

Provisions an Elasticsearch instance and configures your application so it can access it. Use the instance_name that you specified in the navikt/aiven-iac repository.

Type: string
Required: true
Availability: GCP

Example
spec:
  elastic:
    instance: my-elastic-instance

env

Custom environment variables injected into your container. Specify either value or valueFrom, but not both.

Type: array
Required: false

Example
spec:
  env:
  - name: MY_CUSTOM_VAR
    value: some_value
  - name: MY_APPLICATION_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name

env[].name

Environment variable name. May only contain letters, digits, and the underscore _ character.

Type: string
Required: true

Example
spec:
  env:
  - name: MY_CUSTOM_VAR
    value: some_value
  - name: MY_APPLICATION_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name

env[].value

Environment variable value. Numbers and boolean values must be quoted. Required unless valueFrom is specified.

Type: string
Required: false

Example
spec:
  env:
  - name: MY_CUSTOM_VAR
    value: some_value
  - name: MY_APPLICATION_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name

env[].valueFrom

Dynamically set environment variables based on fields found in the Pod spec.

Type: object
Required: false

Example
spec:
  env:
  - name: MY_CUSTOM_VAR
    value: some_value
  - name: MY_APPLICATION_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name

env[].valueFrom.fieldRef

Type: object
Required: true

Example
spec:
  env:
  - name: MY_CUSTOM_VAR
    value: some_value
  - name: MY_APPLICATION_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name

env[].valueFrom.fieldRef.fieldPath

Field value from the Pod spec that should be copied into the environment variable.

Type: enum
Required: true
Allowed values: (empty string), metadata.annotations, metadata.labels, metadata.name, metadata.namespace, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP

Example
spec:
  env:
  - name: MY_CUSTOM_VAR
    value: some_value
  - name: MY_APPLICATION_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name

envFrom

EnvFrom exposes all variables in the ConfigMap or Secret resources as environment variables. One of configmap or secret is required. Environment variables will take the form KEY=VALUE, where key is the ConfigMap or Secret key. You can specify as many keys as you like in a single ConfigMap or Secret. The ConfigMap and Secret resources must live in the same Kubernetes namespace as the Naisjob resource.

Type: array
Required: false
Availability: team namespaces

Example
spec:
  envFrom:
  - secret: my-secret-with-envs
  - configmap: my-configmap-with-envs

envFrom[].configmap

Name of the ConfigMap where environment variables are specified. Required unless secret is set.

Type: string
Required: false

Example
spec:
  envFrom:
  - secret: my-secret-with-envs
  - configmap: my-configmap-with-envs

envFrom[].secret

Name of the Secret where environment variables are specified. Required unless configmap is set.

Type: string
Required: false

Example
spec:
  envFrom:
  - secret: my-secret-with-envs
  - configmap: my-configmap-with-envs

failedJobsHistoryLimit

Specify how many failed Jobs should be kept.

Type: integer
Required: false
Default value: 1

Example
spec:
  failedJobsHistoryLimit: 2

filesFrom

List of ConfigMap or Secret resources that will have their contents mounted into the containers as files. Either configmap or secret is required. Files will take the path <mountPath>/<key>, where key is the ConfigMap or Secret key. You can specify as many keys as you like in a single ConfigMap or Secret, and they will all be mounted to the same directory. The ConfigMap and Secret resources must live in the same Kubernetes namespace as the Naisjob resource.

Type: array
Required: false
Availability: team namespaces

Example
spec:
  filesFrom:
  - configmap: example-files-configmap
    mountPath: /var/run/configmaps
  - mountPath: /var/run/secrets
    secret: my-secret-file

filesFrom[].configmap

Name of the ConfigMap that contains files that should be mounted into the container. Required unless secret is set.

Type: string
Required: false

Example
spec:
  filesFrom:
  - configmap: example-files-configmap
    mountPath: /var/run/configmaps
  - mountPath: /var/run/secrets
    secret: my-secret-file

filesFrom[].mountPath

Filesystem path inside the pod where files are mounted. The directory will be created if it does not exist. If the directory exists, any files in the directory will be made inaccessible. Defaults to /var/run/configmaps/<NAME> or /var/run/secrets, depending on which of them is specified.

Type: string
Required: false

Example
spec:
  filesFrom:
  - configmap: example-files-configmap
    mountPath: /var/run/configmaps
  - mountPath: /var/run/secrets
    secret: my-secret-file

filesFrom[].secret

Name of the Secret that contains files that should be mounted into the container. Required unless configmap is set. If mounting multiple secrets, mountPath MUST be set to avoid collisions.

Type: string
Required: false

Example
spec:
  filesFrom:
  - configmap: example-files-configmap
    mountPath: /var/run/configmaps
  - mountPath: /var/run/secrets
    secret: my-secret-file
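
As an added example (not part of the NAIS documentation or code base), this Python check applies the rules stated in the env, envFrom and filesFrom sections above to a parsed spec, including the case where an unquoted number reaches the validator as an integer. The function names, the sample spec and the names another-secret and /var/run/secrets/other are constructed for this example.

```python
import re

# Rules below are the ones stated in the env, envFrom and filesFrom sections of this page.
ENV_NAME_RE = re.compile(r"[A-Za-z0-9_]+")
FIELD_PATHS = {
    "", "metadata.annotations", "metadata.labels", "metadata.name",
    "metadata.namespace", "spec.nodeName", "spec.serviceAccountName",
    "status.hostIP", "status.podIP",
}


def check_env(env):
    """Validate spec.env entries; returns a list of problem strings."""
    problems = []
    for i, var in enumerate(env or []):
        path = f"env[{i}]"
        name = var.get("name")
        if not name:
            problems.append(f"{path}: name is required")
        elif not ENV_NAME_RE.fullmatch(name):
            problems.append(f"{path}: name {name!r} may only contain letters, digits and _")
        has_value, has_ref = "value" in var, "valueFrom" in var
        if has_value and has_ref:
            problems.append(f"{path}: specify either value or valueFrom, not both")
        elif not has_value and not has_ref:
            problems.append(f"{path}: value is required unless valueFrom is specified")
        # A YAML parser turns unquoted 8080 or true into int/bool, not str.
        if has_value and not isinstance(var["value"], str):
            kind = type(var["value"]).__name__
            problems.append(f"{path}: value must be a quoted string, got {kind}")
        if has_ref:
            field_ref = (var["valueFrom"] or {}).get("fieldRef")
            if field_ref is None:
                problems.append(f"{path}: valueFrom.fieldRef is required")
            elif field_ref.get("fieldPath") not in FIELD_PATHS:
                bad = field_ref.get("fieldPath")
                problems.append(f"{path}: fieldPath {bad!r} is not an allowed value")
    return problems


def check_sources(field, entries):
    """Validate envFrom or filesFrom entries (field names which one)."""
    problems, secrets_without_path, secret_count = [], [], 0
    for i, entry in enumerate(entries or []):
        path = f"{field}[{i}]"
        if not entry.get("configmap") and not entry.get("secret"):
            problems.append(f"{path}: one of configmap or secret is required")
        if entry.get("secret"):
            secret_count += 1
            if not entry.get("mountPath"):
                secrets_without_path.append(path)
    # Secrets share a default mount path, so several of them need explicit paths.
    if field == "filesFrom" and secret_count > 1:
        problems += [f"{p}: mountPath must be set when mounting multiple secrets"
                     for p in secrets_without_path]
    return problems


def validate_injection(spec):
    """Run all env, envFrom and filesFrom checks on a parsed Naisjob spec."""
    return (check_env(spec.get("env"))
            + check_sources("envFrom", spec.get("envFrom"))
            + check_sources("filesFrom", spec.get("filesFrom")))


# Constructed sample with six deliberate problems.
SAMPLE_SPEC = {
    "env": [
        {"name": "MY_CUSTOM_VAR", "value": "some_value"},
        {"name": "MY-PORT", "value": 8080},  # hyphen in name, unquoted number
        {"name": "BOTH", "value": "x",
         "valueFrom": {"fieldRef": {"fieldPath": "metadata.name"}}},
        {"name": "NODE", "valueFrom": {"fieldRef": {"fieldPath": "spec.hostname"}}},
    ],
    "envFrom": [{"secret": "my-secret-with-envs"}, {}],
    "filesFrom": [
        {"secret": "my-secret-file"},
        {"secret": "another-secret", "mountPath": "/var/run/secrets/other"},
    ],
}

if __name__ == "__main__":
    for problem in validate_injection(SAMPLE_SPEC):
        print(problem)
```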

gcp

Type: object
Required: false
Availability: GCP

Example
spec:
  gcp:
    bigQueryDatasets:
    - cascadingDelete: true
      description: Contains big data, supporting big queries, for use in big ideas.
      name: my_bigquery_dataset1
      permission: READWRITE
    - description: Contains big data, supporting big queries, for use in big ideas.
      name: my_bigquery_dataset2
      permission: READ
    buckets:
    - cascadingDelete: true
      lifecycleCondition:
        age: 10
        createdBefore: "2020-01-01"
        numNewerVersions: 2
        withState: ARCHIVED
      name: my-cloud-storage-bucket
      retentionPeriodDays: 30
    permissions:
    - resource:
        apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
        kind: Project
        name: myteam-dev-ab23
      role: roles/cloudsql.client
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.bigQueryDatasets

Provision BigQuery datasets and give your application's pod mountable secrets for connecting to each dataset. Datasets are immutable and cannot be changed.

Type: array
Required: false
Availability: GCP

Example
spec:
  gcp:
    bigQueryDatasets:
    - cascadingDelete: true
      description: Contains big data, supporting big queries, for use in big ideas.
      name: my_bigquery_dataset1
      permission: READWRITE
    - description: Contains big data, supporting big queries, for use in big ideas.
      name: my_bigquery_dataset2
      permission: READ

gcp.bigQueryDatasets[].cascadingDelete

When set to true, the dataset will be deleted when the application resource is deleted. NB: If no tables exist in the BigQuery dataset, the dataset will be deleted even if this value is set or defaulted to false. Default value is false.

Type: boolean
Required: false

Example
spec:
  gcp:
    bigQueryDatasets:
    - cascadingDelete: true
      description: Contains big data, supporting big queries, for use in big ideas.
      name: my_bigquery_dataset1
      permission: READWRITE
    - description: Contains big data, supporting big queries, for use in big ideas.
      name: my_bigquery_dataset2
      permission: READ

gcp.bigQueryDatasets[].description

Human-readable description of what this BigQuery dataset contains, or is used for. Will be visible in the GCP Console.

Type: string
Required: false

Example
spec:
  gcp:
    bigQueryDatasets:
    - cascadingDelete: true
      description: Contains big data, supporting big queries, for use in big ideas.
      name: my_bigquery_dataset1
      permission: READWRITE
    - description: Contains big data, supporting big queries, for use in big ideas.
      name: my_bigquery_dataset2
      permission: READ

gcp.bigQueryDatasets[].name

Name of the BigQuery Dataset. The canonical name of the dataset will be <TEAM_PROJECT_ID>:<NAME>.

Type: string
Required: true
Pattern: ^[a-z0-9][a-z0-9_]+$

Example
spec:
  gcp:
    bigQueryDatasets:
    - cascadingDelete: true
      description: Contains big data, supporting big queries, for use in big ideas.
      name: my_bigquery_dataset1
      permission: READWRITE
    - description: Contains big data, supporting big queries, for use in big ideas.
      name: my_bigquery_dataset2
      permission: READ

gcp.bigQueryDatasets[].permission

Permission level given to application.

Type: enum
Required: true
Allowed values: READ, READWRITE

Example
spec:
  gcp:
    bigQueryDatasets:
    - cascadingDelete: true
      description: Contains big data, supporting big queries, for use in big ideas.
      name: my_bigquery_dataset1
      permission: READWRITE
    - description: Contains big data, supporting big queries, for use in big ideas.
      name: my_bigquery_dataset2
      permission: READ

gcp.buckets

Provision cloud storage buckets and connect them to your application.

Type: array
Required: false
Availability: GCP

Example
spec:
  gcp:
    buckets:
    - cascadingDelete: true
      lifecycleCondition:
        age: 10
        createdBefore: "2020-01-01"
        numNewerVersions: 2
        withState: ARCHIVED
      name: my-cloud-storage-bucket
      retentionPeriodDays: 30

gcp.buckets[].cascadingDelete

Allows deletion of bucket. Set to true if you want to delete the bucket.

Type: boolean
Required: false

Example
spec:
  gcp:
    buckets:
    - cascadingDelete: true
      lifecycleCondition:
        age: 10
        createdBefore: "2020-01-01"
        numNewerVersions: 2
        withState: ARCHIVED
      name: my-cloud-storage-bucket
      retentionPeriodDays: 30

gcp.buckets[].lifecycleCondition

Conditions for the bucket to use when selecting objects to delete in cleanup.

Type: object
Required: false

Example
spec:
  gcp:
    buckets:
    - cascadingDelete: true
      lifecycleCondition:
        age: 10
        createdBefore: "2020-01-01"
        numNewerVersions: 2
        withState: ARCHIVED
      name: my-cloud-storage-bucket
      retentionPeriodDays: 30

gcp.buckets[].lifecycleCondition.age

Condition is satisfied when the object reaches the specified age in days. These will be deleted.

Type: integer
Required: false

Example
spec:
  gcp:
    buckets:
    - cascadingDelete: true
      lifecycleCondition:
        age: 10
        createdBefore: "2020-01-01"
        numNewerVersions: 2
        withState: ARCHIVED
      name: my-cloud-storage-bucket
      retentionPeriodDays: 30

gcp.buckets[].lifecycleCondition.createdBefore

Condition is satisfied when the object is created before midnight on the specified date. These will be deleted.

Type: string
Required: false

Example
spec:
  gcp:
    buckets:
    - cascadingDelete: true
      lifecycleCondition:
        age: 10
        createdBefore: "2020-01-01"
        numNewerVersions: 2
        withState: ARCHIVED
      name: my-cloud-storage-bucket
      retentionPeriodDays: 30

gcp.buckets[].lifecycleCondition.numNewerVersions

Condition is satisfied when the object has the specified number of newer versions. The older versions will be deleted.

Type: integer
Required: false

Example
spec:
  gcp:
    buckets:
    - cascadingDelete: true
      lifecycleCondition:
        age: 10
        createdBefore: "2020-01-01"
        numNewerVersions: 2
        withState: ARCHIVED
      name: my-cloud-storage-bucket
      retentionPeriodDays: 30

gcp.buckets[].lifecycleCondition.withState

Condition is satisfied when the object has the specified state.

Type: enum
Required: false
Allowed values: (empty string), ANY, ARCHIVED, LIVE

Example
spec:
  gcp:
    buckets:
    - cascadingDelete: true
      lifecycleCondition:
        age: 10
        createdBefore: "2020-01-01"
        numNewerVersions: 2
        withState: ARCHIVED
      name: my-cloud-storage-bucket
      retentionPeriodDays: 30

gcp.buckets[].name

The name of the bucket.

Type: string
Required: true

Example
spec:
  gcp:
    buckets:
    - cascadingDelete: true
      lifecycleCondition:
        age: 10
        createdBefore: "2020-01-01"
        numNewerVersions: 2
        withState: ARCHIVED
      name: my-cloud-storage-bucket
      retentionPeriodDays: 30

gcp.buckets[].retentionPeriodDays

The number of days to hold objects in the bucket before it is allowed to delete them.

Type: integer
Required: false
Value range: 1-36500

Example
spec:
  gcp:
    buckets:
    - cascadingDelete: true
      lifecycleCondition:
        age: 10
        createdBefore: "2020-01-01"
        numNewerVersions: 2
        withState: ARCHIVED
      name: my-cloud-storage-bucket
      retentionPeriodDays: 30

gcp.permissions

List of additional permissions that should be granted to your application for accessing external GCP resources that have not been provisioned through NAIS.

Type: array
Required: false
Availability: GCP

Example
spec:
  gcp:
    permissions:
    - resource:
        apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
        kind: Project
        name: myteam-dev-ab23
      role: roles/cloudsql.client

gcp.permissions[].resource

IAM resource to bind the role to.

Type: object
Required: true

Example
spec:
  gcp:
    permissions:
    - resource:
        apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
        kind: Project
        name: myteam-dev-ab23
      role: roles/cloudsql.client

gcp.permissions[].resource.apiVersion

Kubernetes APIVersion.

Type: string
Required: true

Example
spec:
  gcp:
    permissions:
    - resource:
        apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
        kind: Project
        name: myteam-dev-ab23
      role: roles/cloudsql.client

gcp.permissions[].resource.kind

Kubernetes Kind.

Type: string
Required: true

Example
spec:
  gcp:
    permissions:
    - resource:
        apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
        kind: Project
        name: myteam-dev-ab23
      role: roles/cloudsql.client

gcp.permissions[].resource.name

Kubernetes Name.

Type: string
Required: false

Example
spec:
  gcp:
    permissions:
    - resource:
        apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
        kind: Project
        name: myteam-dev-ab23
      role: roles/cloudsql.client

gcp.permissions[].role

Name of the GCP role to bind the resource to.

Type: string
Required: true

Example
spec:
  gcp:
    permissions:
    - resource:
        apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
        kind: Project
        name: myteam-dev-ab23
      role: roles/cloudsql.client

gcp.sqlInstances

Provision database instances and connect them to your application.

Type: array
Required: false
Availability: GCP

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].autoBackupHour

If specified, run automatic backups of the SQL database at the given hour. Note that this will back up the whole SQL instance, and not separate databases. Restores are done using the Google Cloud Console.

Type: integer
Required: false
Value range: 0-23

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].cascadingDelete

Remove the entire Postgres server including all data when the Kubernetes resource is deleted. THIS IS A DESTRUCTIVE OPERATION! Set cascading delete only when you want to remove data forever.

Type: boolean
Required: false

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].collation

Sort order for ORDER BY ... clauses.

Type: string
Required: false

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].databases

List of databases that should be created on this Postgres server.

Type: array
Required: false

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].databases[].envVarPrefix

Prefix to add to environment variables made available for database connection.

Type: string
Required: false

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].databases[].name

Database name.

Type: string
Required: true

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].databases[].users

The users created to allow database access.

Type: array
Required: false

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].databases[].users[].name

User name.

Type: string
Required: true
Pattern: ^[_a-zA-Z][_a-zA-Z0-9]+$

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].diskAutoresize

When set to true, GCP will automatically increase storage by XXX for the database when disk usage is above the high water mark.

Type: boolean
Required: false

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].diskSize

How much hard drive space to allocate for the SQL server, in gigabytes.

Type: integer
Required: false
Minimum value: 10

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].diskType

Disk type to use for storage in the database.

Type: enum
Required: false
Allowed values: HDD, SSD

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].highAvailability

When set to true, this sets up a standby database for failover.

Type: boolean
Required: false

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].maintenance

Desired maintenance window for database updates.

Type: object
Required: false

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].maintenance.day

Type: integer
Required: false
Value range: 1-7

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].maintenance.hour

Type: integer
Required: false
Value range: 0-23

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].name

The name of the instance. If omitted, the database name will be used.

Type: string
Required: false

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].tier

Server tier, i.e. how much CPU and memory is allocated. Available tiers can be retrieved on the command line by running gcloud sql tiers list.

Type: string
Required: false
Pattern: db-.+

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

gcp.sqlInstances[].type

PostgreSQL version.

Type: enum
Required: true
Allowed values: POSTGRES_11, POSTGRES_12

Example
spec:
  gcp:
    sqlInstances:
    - autoBackupHour: 1
      cascadingDelete: true
      collation: nb_NO.UTF8
      databases:
      - envVarPrefix: DB
        name: mydatabase
        users:
        - name: extra_user
      diskAutoresize: true
      diskSize: 30
      diskType: SSD
      highAvailability: true
      maintenance:
        day: 1
        hour: 4
      name: myinstance
      tier: db-f1-micro
      type: POSTGRES_12

image

Your Naisjob's Docker image location and tag.

Type: string
Required: true

Example
spec:
  image: navikt/testapp:69.0.0

kafka

Enable Aiven Kafka for your Naisjob.

Type: object
Required: false

Example
spec:
  kafka:
    pool: nav-dev

kafka.pool

Configures your application to access an Aiven Kafka cluster.

Type: enum
Required: true
Allowed values: nav-dev, nav-infrastructure, nav-prod

Example
spec:
  kafka:
    pool: nav-dev

liveness

Many Naisjobs running for long periods of time eventually transition to broken states, and cannot recover except by being restarted. Kubernetes provides liveness probes to detect and remedy such situations. Read more about this over at the Kubernetes probes documentation.

Type: object
Required: false

Example
spec:
  liveness:
    failureThreshold: 10
    initialDelay: 20
    path: /isalive
    periodSeconds: 5
    port: 8080
    timeout: 1

liveness.failureThreshold

When a Pod starts, and the probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of a startup probe means restarting the Pod.

Type: integer
Required: false
Default value: 3

Example
spec:
  liveness:
    failureThreshold: 10

liveness.initialDelay

Number of seconds after the container has started before startup probes are initiated.

Type: integer
Required: false

Example
spec:
  liveness:
    initialDelay: 20

liveness.path

HTTP endpoint path that signals 200 OK if the application has started successfully.

Type: string
Required: true

Example
spec:
  liveness:
    path: /isalive

liveness.periodSeconds

How often (in seconds) to perform the probe.

Type: integer
Required: false
Default value: 10

Example
spec:
  liveness:
    periodSeconds: 5

liveness.port

Port for the startup probe.

Type: integer
Required: false

Example
spec:
  liveness:
    port: 8080

liveness.timeout

Number of seconds after which the probe times out.

Type: integer
Required: false
Default value: 1

Example
spec:
  liveness:
    timeout: 1

logformat

Format of the logs from the container. Use this if the container doesn't support JSON logging and the log is in a special format that needs to be parsed.

Type: enum
Required: false
Allowed values: (empty string), accesslog, accesslog_with_processing_time, accesslog_with_referer_useragent, capnslog, glog, gokit, influxdb, log15, logrus, redis, simple

Example
spec:
  logformat: accesslog_with_referer_useragent

logtransform

Extra filters for modifying log content. This can, for example, be used to set the log level based on the HTTP status code.

Type: enum
Required: false
Allowed values: dns_loglevel, http_loglevel

Example
spec:
  logtransform: http_loglevel

maskinporten

Configures a Maskinporten client for this Naisjob. See Maskinporten for more details.

Type: object
Required: false

Example
spec:
  maskinporten:
    enabled: true
    scopes:
      consumes:
      - name: skatt:scope.read
      exposes:
      - allowedIntegrations:
        - maskinporten
        consumers:
        - name: KST
          orgno: "123456789"
        enabled: true
        name: scope.read
        product: arbeid

maskinporten.enabled

If enabled, provisions and configures a Maskinporten client at DigDir.

Type: boolean
Required: true

Example
spec:
  maskinporten:
    enabled: true

maskinporten.scopes

List of scopes that your client should request access to. Ensure that the NAV organization has been granted access to the scope prior to requesting access.

Type: object
Required: false

Example
spec:
  maskinporten:
    scopes:
      consumes:
      - name: skatt:scope.read
      exposes:
      - allowedIntegrations:
        - maskinporten
        consumers:
        - name: KST
          orgno: "123456789"
        enabled: true
        name: scope.read
        product: arbeid

maskinporten.scopes.consumes

Type: array
Required: false

Example
spec:
  maskinporten:
    scopes:
      consumes:
      - name: skatt:scope.read

maskinporten.scopes.consumes[].name

Type: string
Required: true

Example
spec:
  maskinporten:
    scopes:
      consumes:
      - name: skatt:scope.read

maskinporten.scopes.exposes

Type: array
Required: false

Example
spec:
  maskinporten:
    scopes:
      exposes:
      - allowedIntegrations:
        - maskinporten
        consumers:
        - name: KST
          orgno: "123456789"
        enabled: true
        name: scope.read
        product: arbeid

maskinporten.scopes.exposes[].allowedIntegrations

AllowedIntegrations is a whitelist of the integration types allowed. Default is maskinporten.

Type: array
Required: false

Example
spec:
  maskinporten:
    scopes:
      exposes:
      - allowedIntegrations:
        - maskinporten
        consumers:
        - name: KST
          orgno: "123456789"
        enabled: true
        name: scope.read
        product: arbeid

maskinporten.scopes.exposes[].atMaxAge

AtMaxAge is the maximum time in seconds for an issued access_token. Default is 30.

Type: integer
Required: false
Value range: 30-680

Example
spec:
  maskinporten:
    scopes:
      exposes:
      - allowedIntegrations:
        - maskinporten
        consumers:
        - name: KST
          orgno: "123456789"
        enabled: true
        name: scope.read
        product: arbeid

maskinporten.scopes.exposes[].consumers

Consumers are the external consumers granted access to this scope and able to get an access_token.

Type: array
Required: false

Example
spec:
  maskinporten:
    scopes:
      exposes:
      - allowedIntegrations:
        - maskinporten
        consumers:
        - name: KST
          orgno: "123456789"
        enabled: true
        name: scope.read
        product: arbeid

maskinporten.scopes.exposes[].consumers[].name

Name is a descriptive name intended for clarity.

Type: string
Required: false

Example
spec:
  maskinporten:
    scopes:
      exposes:
      - allowedIntegrations:
        - maskinporten
        consumers:
        - name: KST
          orgno: "123456789"
        enabled: true
        name: scope.read
        product: arbeid

maskinporten.scopes.exposes[].consumers[].orgno

Orgno is the organisation number of the external business (consumer).

Type: string
Required: true
Pattern: ^\d{9}$

Example
spec:
  maskinporten:
    scopes:
      exposes:
      - allowedIntegrations:
        - maskinporten
        consumers:
        - name: KST
          orgno: "123456789"
        enabled: true
        name: scope.read
        product: arbeid

maskinporten.scopes.exposes[].enabled

Enabled makes the scope available for use, so that consumers can be granted access.

Type: boolean
Required: true

Example
spec:
  maskinporten:
    scopes:
      exposes:
      - allowedIntegrations:
        - maskinporten
        consumers:
        - name: KST
          orgno: "123456789"
        enabled: true
        name: scope.read
        product: arbeid

maskinporten.scopes.exposes[].name

Name is the actual subscope, build: scope := prefix:

Type: string
Required: true
Pattern: ^([a-zæøå0-9]+\/?)+(\:[a-zæøå0-9]+)*[a-zæøå0-9]+(\.[a-zæøå0-9]+)*$

Example
spec:
  maskinporten:
    scopes:
      exposes:
      - allowedIntegrations:
        - maskinporten
        consumers:
        - name: KST
          orgno: "123456789"
        enabled: true
        name: scope.read
        product: arbeid

maskinporten.scopes.exposes[].product

Product is the product development area an application belongs to. This will be included in the final registered scope.

Type: string
Required: true
Pattern: ^[a-z0-9]+$

Example
spec:
  maskinporten:
    scopes:
      exposes:
      - allowedIntegrations:
        - maskinporten
        consumers:
        - name: KST
          orgno: "123456789"
        enabled: true
        name: scope.read
        product: arbeid
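
A pre-deployment lint for maskinporten.scopes.exposes[] entries, applying the type, pattern and range constraints listed in the entries above. This is an added example, not NAIS code; the function names, the wording of the findings and the 128-character length cap are assumptions of the example.

```python
import re

# Patterns copied from the reference entries above.
NAME_RE = re.compile(
    r"^([a-zæøå0-9]+\/?)+(\:[a-zæøå0-9]+)*[a-zæøå0-9]+(\.[a-zæøå0-9]+)*$")
PRODUCT_RE = re.compile(r"^[a-z0-9]+$")
# re.ASCII keeps \d to 0-9; Python would otherwise accept other Unicode digits.
ORGNO_RE = re.compile(r"^\d{9}$", re.ASCII)

# Assumption of this example: the name pattern nests quantifiers, which a
# backtracking engine such as Python's can take exponential time to reject,
# so over-long values are refused before the regex runs.
MAX_LEN = 128


def matches(pattern, value):
    # fullmatch, because "$" alone would also accept a trailing newline.
    return len(value) <= MAX_LEN and pattern.fullmatch(value) is not None


def lint_exposed_scope(scope):
    """Return a list of findings for one maskinporten.scopes.exposes[] entry."""
    findings = []
    if not isinstance(scope.get("enabled"), bool):
        findings.append("enabled: required boolean")
    for field, pattern in (("name", NAME_RE), ("product", PRODUCT_RE)):
        value = scope.get(field)
        if not isinstance(value, str):
            findings.append(f"{field}: required string")
        elif not matches(pattern, value):
            findings.append(f"{field}: does not match the documented pattern")
    age = scope.get("atMaxAge")
    if age is not None:
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(age, bool) or not isinstance(age, int) or not 30 <= age <= 680:
            findings.append("atMaxAge: expected an integer in the range 30-680")
    for i, consumer in enumerate(scope.get("consumers") or []):
        orgno = consumer.get("orgno")
        if not isinstance(orgno, str):
            findings.append(f"consumers[{i}].orgno: required string (quote it in YAML)")
        elif not matches(ORGNO_RE, orgno):
            findings.append(f"consumers[{i}].orgno: must be exactly 9 digits")
    return findings


# The entry from the page's example, as it looks after YAML parsing.
PAGE_EXAMPLE = {
    "allowedIntegrations": ["maskinporten"],
    "consumers": [{"name": "KST", "orgno": "123456789"}],
    "enabled": True,
    "name": "scope.read",
    "product": "arbeid",
}

# Constructed entry: upper-case name, atMaxAge out of range, and an unquoted
# orgno, which a YAML parser delivers as an integer rather than a string.
BAD_EXAMPLE = {
    "consumers": [{"name": "KST", "orgno": 123456789}],
    "enabled": True,
    "name": "Scope.Read",
    "product": "arbeid",
    "atMaxAge": 900,
}

if __name__ == "__main__":
    for entry in (PAGE_EXAMPLE, BAD_EXAMPLE):
        print(entry["name"], lint_exposed_scope(entry) or "ok")
```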

preStopHookPath

An HTTP GET will be issued to this endpoint at least once before the pod is terminated.

Type: string
Required: false

Example
spec:
  preStopHookPath: /internal/stop

readiness

Sometimes, Naisjobs are temporarily unable to serve traffic. For example, a Naisjob might need to load large data or configuration files during startup, or depend on external services after startup. In such cases, you don't want to kill the Naisjob, but you don't want to send it requests either. Kubernetes provides readiness probes to detect and mitigate these situations. A pod with containers reporting that they are not ready does not receive traffic through Kubernetes Services. Read more about this over at the Kubernetes readiness documentation.

Type: object
Required: false

Example
spec:
  readiness:
    failureThreshold: 10
    initialDelay: 20
    path: /isready
    periodSeconds: 5
    port: 8080
    timeout: 1

readiness.failureThreshold

When a Pod starts, and the probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of a startup probe means restarting the Pod.

Type: integer
Required: false

Example
spec:
  readiness:
    failureThreshold: 10

readiness.initialDelay

Number of seconds after the container has started before startup probes are initiated.

Type: integer
Required: false

Example
spec:
  readiness:
    initialDelay: 20

readiness.path

HTTP endpoint path that signals 200 OK if the application has started successfully.

Type: string
Required: true

Example
spec:
  readiness:
    path: /isready

readiness.periodSeconds

How often (in seconds) to perform the probe.

Type: integer
Required: false

Example
spec:
  readiness:
    periodSeconds: 5

readiness.port

Port for the startup probe.

Type: integer
Required: false

Example
spec:
  readiness:
    port: 8080

readiness.timeout

Number of seconds after which the probe times out.

Type: integer
Required: false

Example
spec:
  readiness:
    timeout: 1

resources

When Containers have resource requests specified, the Kubernetes scheduler can make better decisions about which nodes to place pods on.

Type: object
Required: false

Example
spec:
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 200m
      memory: 256Mi

resources.limits

Limit defines the maximum amount of resources a container can use before getting evicted.

Type: object
Required: false

Example
spec:
  resources:
    limits:
      cpu: 500m
      memory: 512Mi

resources.limits.cpu

Type: string
Required: false
Default value: 500m
Pattern: ^\d+m?$

Example
spec:
  resources:
    limits:
      cpu: 500m

resources.limits.memory

Type: string
Required: false
Default value: 512Mi
Pattern: ^\d+[KMG]i$

Example
spec:
  resources:
    limits:
      memory: 512Mi

resources.requests

Request defines the amount of resources a container is allocated on startup.

Type: object
Required: false

Example
spec:
  resources:
    requests:
      cpu: 200m
      memory: 256Mi

resources.requests.cpu

Type: string
Required: false
Default value: 200m
Pattern: ^\d+m?$

Example
spec:
  resources:
    requests:
      cpu: 200m

resources.requests.memory

Type: string
Required: false
Default value: 256Mi
Pattern: ^\d+[KMG]i$

Example
spec:
  resources:
    requests:
      memory: 256Mi

schedule

The Cron schedule for running the Naisjob. If not specified, the Naisjob will be run as a one-shot Job.

Type: string
Required: false

Example
spec:
  schedule: '*/15 0 0 0 0'

secureLogs

Whether or not to enable a sidecar container for secure logging.

Type: object
Required: false

Example
spec:
  secureLogs:
    enabled: true

secureLogs.enabled

Whether to enable a sidecar container for secure logging. If enabled, a volume is mounted in the pods where secure logs can be saved.

Type: boolean
Required: true
Default value: false

Example
spec:
  secureLogs:
    enabled: true

skipCaBundle

Whether to skip injection of the NAV certificate authority bundle. Defaults to false.

Type: boolean
Required: false

Example
spec:
  skipCaBundle: true

startup

Kubernetes uses startup probes to know when a Naisjob container has started. If such a probe is configured, it disables liveness and readiness checks until it succeeds, making sure those probes don't interfere with the Naisjob startup. This can be used to adopt liveness checks on slow-starting containers, avoiding them getting killed by Kubernetes before they are up and running.

Type: object
Required: false

Example
spec:
  startup:
    failureThreshold: 10
    initialDelay: 20
    path: /started
    periodSeconds: 5
    port: 8080
    timeout: 1

startup.failureThreshold

When a Pod starts, and the probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of a startup probe means restarting the Pod.

Type: integer
Required: false

Example
spec:
  startup:
    failureThreshold: 10

startup.initialDelay

Number of seconds after the container has started before startup probes are initiated.

Type: integer
Required: false

Example
spec:
  startup:
    initialDelay: 20

startup.path

HTTP endpoint path that signals 200 OK if the application has started successfully.

Type: string
Required: true

Example
spec:
  startup:
    path: /started

startup.periodSeconds

How often (in seconds) to perform the probe.

Type: integer
Required: false

Example
spec:
  startup:
    periodSeconds: 5

startup.port

Port for the startup probe.

Type: integer
Required: false

Example
spec:
  startup:
    port: 8080

startup.timeout

Number of seconds after which the probe times out.

Type: integer
Required: false

Example
spec:
  startup:
    timeout: 1

successfulJobsHistoryLimit

Specify how many completed Jobs should be kept.

Type: integer
Required: false
Default value: 3

Example
spec:
  successfulJobsHistoryLimit: 2

ttlSecondsAfterFinished

Specify the number of seconds to wait before removing the Job after it has finished (either Completed or Failed). If the field is unset, this Job won't be cleaned up by the TTL controller after it finishes.

Type: integer
Required: false
Availability: on-premises

Example
spec:
  ttlSecondsAfterFinished: 60

vault

Provides secrets management, identity-based access, and encrypting Naisjob data for auditing of secrets for Naisjobs, systems, and users.

Type: object
Required: false
Availability: on-premises

Example
spec:
  vault:
    enabled: true
    paths:
    - format: env
      kvPath: /kv/preprod/fss/application/namespace
      mountPath: /var/run/secrets/nais.io/vault
    sidecar: true

vault.enabled

If set to true, fetch secrets from Vault and inject into the pods.

Type: boolean
Required: false

Example
spec:
  vault:
    enabled: true

vault.paths

List of secret paths to be read from Vault and injected into the pod's filesystem. Overriding the paths array is optional, and gives you fine-grained control over which Vault paths will be mounted on the file system. By default, the list contains an entry with kvPath: /kv/<environment>/<zone>/<application>/<namespace> and mountPath: /var/run/secrets/nais.io/vault, and mounting that entry will always be attempted.

Type: array
Required: false

Example
spec:
  vault:
    paths:
    - format: env
      kvPath: /kv/preprod/fss/application/namespace
      mountPath: /var/run/secrets/nais.io/vault

vault.paths[].format

Format of the secret that should be processed.

Type: enum
Required: false
Allowed values: (empty string), env, flatten, json, properties, yaml

Example
spec:
  vault:
    paths:
    - format: env
      kvPath: /kv/preprod/fss/application/namespace
      mountPath: /var/run/secrets/nais.io/vault

vault.paths[].kvPath

Path to Vault key/value store that should be mounted into the file system.

Type: string
Required: true

Example
spec:
  vault:
    paths:
    - format: env
      kvPath: /kv/preprod/fss/application/namespace
      mountPath: /var/run/secrets/nais.io/vault

vault.paths[].mountPath

File system path that the secret will be mounted into.

Type: string
Required: true

Example
spec:
  vault:
    paths:
    - format: env
      kvPath: /kv/preprod/fss/application/namespace
      mountPath: /var/run/secrets/nais.io/vault

vault.sidecar

If enabled, the sidecar will automatically refresh the token's Time-To-Live before it expires.

Type: boolean
Required: false

Example
spec:
  vault:
    sidecar: true

webproxy

Inject on-premises web proxy configuration into the Naisjob pod. Most Linux Naisjobs should auto-detect these settings from the $HTTP_PROXY, $HTTPS_PROXY and $NO_PROXY environment variables (and their lowercase counterparts). Java Naisjobs can start the JVM using parameters from the $JAVA_PROXY_OPTIONS environment variable.

Type: boolean
Required: false
Availability: on-premises

Example
spec:
  webproxy: true