Version: 1.1

API Reference

littlehorse.io/v1

Resource Types:

LHCanaryAggregator
LHCanaryMetronome
LHCluster
LHConnector
LHDashboard
LHKafkaConnector
LHKafka
LHKafkaTopic
LHKafkaUser
LHKeycloakAuthenticationFlow
LHKeycloakClient
LHKeycloakClientScope
LHKeycloakOIDCProvider
LHKeycloakRealm
LHKeycloakRole
LHKeycloak
LHKeycloakTheme
LHKeycloakUser
LHOperator
LHPrincipal
LHQuota
LHTenant
LHUserTasksBridgeBackend
LHUserTasksBridgeConsole
LHUserTasksBridgeOIDCProvider

LHCanaryAggregator

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHCanaryAggregator	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHCanaryAggregator.spec

^{^{↩ Parent}}

Name	Type	Description	Required
image	string	The Docker Image to use	true
imagePullPolicy	enum	Image Pull Policy for the Canary Image Enum: Always, IfNotPresent, Never	true
kafka	object	Configures access to the Kafka cluster	true
storage	object	Configures storage for the LHCanary Statefulset	true
additionalConfigs	map[string]string	Configurations to pass to the LHCanaryAggregator.	false
defaultLabels	map[string]string	Labels to put on all created resources	false
logLevel	enum	Log Level for the aggregator Enum: DEBUG, INFO, TRACE, WARN	false
podMonitor	object	Configures `PodMonitor` resources for the Aggregator	false
replicas	integer	Number of replicas for the LH Canary Statefulset Minimum: 1	false

LHCanaryAggregator.spec.kafka

^{^{↩ Parent}}

Configures access to the Kafka cluster

Name	Type	Description	Required
lhKafkaRef	object	Points to an LHKafka Cluster	false
partitions	integer	Number of partitions to use for the Canary's internal Kafka topics Minimum: 1	false
replicationFactor	integer	Replication factor for the Canary Kafka Topics Minimum: 0	false

Name

Type

Description

Required

lhKafkaRef

object

Points to an LHKafka Cluster

false

partitions

integer

Number of partitions to use for the Canary's internal Kafka topics

Minimum: 1

false

replicationFactor

integer

Replication factor for the Canary Kafka Topics

Minimum: 0

false

LHCanaryAggregator.spec.kafka.lhKafkaRef

^{^{↩ Parent}}

Points to an LHKafka Cluster

Name	Type	Description	Required
clusterWideQuotas	object	Quotas for the Canary. Includes Metronomes as well as the Aggregator since both share the same credentials.	true
clusterName	string	The name of the `LHKaka` resource that the Aggregator connects to	false

LHCanaryAggregator.spec.kafka.lhKafkaRef.clusterWideQuotas

^{^{↩ Parent}}

Quotas for the Canary. Includes Metronomes as well as the Aggregator since both share the same credentials.

Name	Type	Description	Required
consumerThroughputPerSecond	int or string	The throughput in bytes per second that may be consumed by this Kafka principal	true
producerThroughputPerSecond	int or string	The throughput in bytes per second that may be produced by this Kafka principal	true

LHCanaryAggregator.spec.storage

^{^{↩ Parent}}

Configures storage for the LHCanary Statefulset

Name	Type	Description	Required
storageClassName	string	The name of the storageclass with which to provision storage for the server	true
volumeSize	int or string	The size of the persistent volume.	true

LHCanaryAggregator.spec.podMonitor

^{^{↩ Parent}}

Configures PodMonitor resources for the Aggregator

Name	Type	Description	Required
metricRelabelings	[]object	Relabelings for the metrics exposed by the canary	false
podMonitorLabels	map[string]string	Labels to add to the generated `PodMonitor` resources	false

LHCanaryAggregator.spec.podMonitor.metricRelabelings[index]

^{^{↩ Parent}}

Name	Type	Required
action	string	false
modulus	integer	false
regex	string	false
replacement	string	false
separator	string	false
sourceLabels	[]string	false
targetLabel	string	false

LHCanaryAggregator.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHCanaryAggregator.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHCanaryMetronome

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHCanaryMetronome	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHCanaryMetronome.spec

^{^{↩ Parent}}

Name	Type	Description	Required
aggregatorRef	object	Specifies the LHCanaryAggregator for this Metronome	true
lhCluster	object	Specifies the LittleHorse Cluster to monitor	true
replicas	integer	Number of metronome replicas to deploy	true
storage	object	Storage Configuration for the Metronome	true
additionalConfigs	map[string]string	Configurations to pass to the LHCanaryMetronome.	false
defaultLabels	map[string]string	Labels to put on all created resources	false
image	string	The docker image for the LH Canary Default: ghcr.io/littlehorse-enterprises/littlehorse/lh-canary:master	false
imagePullPolicy	enum	ImagePullPolicy for the LH Canary Enum: Always, IfNotPresent, Never	false
logLevel	enum	Log Level for the metronome Enum: DEBUG, INFO, TRACE, WARN	false

LHCanaryMetronome.spec.aggregatorRef

^{^{↩ Parent}}

Specifies the LHCanaryAggregator for this Metronome

Name	Type	Description	Required
name	string	Name of the LHCanaryAggregator that should aggregate beats from this Metronome.	false

LHCanaryMetronome.spec.lhCluster

^{^{↩ Parent}}

Specifies the LittleHorse Cluster to monitor

Name	Type	Description	Required
externalClusterRef	object	Specifies a LittleHorse Cluster not managed by the same Operator as this Metronome	false

LHCanaryMetronome.spec.lhCluster.externalClusterRef

^{^{↩ Parent}}

Specifies a LittleHorse Cluster not managed by the same Operator as this Metronome

Name	Type	Description	Required
apiHost	string	The API Host of the LH Cluster to monitor	true
apiPort	integer	The API Port of the LH Cluster to monitor	true
dataplaneId	string	Specifies a LittleHorse Dataplane id to match prometheus metrics	true
serverId	string	Specifies a LittleHorse Cluster id to match prometheus metrics	true
listenerName	string	The Listener Name to connect to	false
oauth	object	Configures OAuth authentication with the LittleHorse server	false
protocol	enum	The protocol of the listener either TLS or PLAINTEXT. Defaults to PLAINTEXT. If oauth is present it defaults to TLS Enum: PLAINTEXT, TLS	false
tenantId	string	The Tenant to use Default: default	false

LHCanaryMetronome.spec.lhCluster.externalClusterRef.oauth

^{^{↩ Parent}}

Configures OAuth authentication with the LittleHorse server

Name	Type	Description	Required
accessTokenUrl	string	URL of the OIDC provider access token endpoint	true
credentials	object	Configuration of the ClientId and ClientSecret for the OAuth client	true

LHCanaryMetronome.spec.lhCluster.externalClusterRef.oauth.credentials

^{^{↩ Parent}}

Configuration of the ClientId and ClientSecret for the OAuth client

Name	Type	Description	Required
secretRef	object	Reference to secret with a clientId and a clientSecret key. If those keys are not present, the deployment will fail	true

LHCanaryMetronome.spec.lhCluster.externalClusterRef.oauth.credentials.secretRef

^{^{↩ Parent}}

Reference to secret with a clientId and a clientSecret key. If those keys are not present, the deployment will fail

Name	Type	Description	Required
name	string		true

LHCanaryMetronome.spec.storage

^{^{↩ Parent}}

Storage Configuration for the Metronome

Name	Type	Description	Required
storageClassName	string	The name of the storageclass with which to provision storage for the server	true
volumeSize	int or string	The size of the persistent volume.	true

LHCanaryMetronome.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHCanaryMetronome.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHCluster

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHCluster	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHCluster.spec

^{^{↩ Parent}}

Name	Type	Description	Required
kafka	object	Validations: oldSelf == null \|\| self.clusterPartitions == oldSelf.clusterPartitions: Cannot change number of kafka partitions. (has(self.strimziClusterRef) ? 1 : 0) + (has(self.externalClusterRef) ? 1 : 0) + (has(self.lhKafkaRef) ? 1 : 0) == 1 : Only one of strimziClusterRef, externalClusterRef, or lhKafkaRef must be set. oldSelf == null \|\| (has(oldSelf.strimziClusterRef) == has(self.strimziClusterRef) && has(oldSelf.externalClusterRef) == has(self.externalClusterRef) && has(oldSelf.lhKafkaRef) == has(self.lhKafkaRef)) : Cannot change kafka cluster type after initial creation.	true
server	object		true
dashboard	object	Specifies to create Dashboard resources for the cluster	false
defaultLabels	map[string]string		false
internalComms	object	Configuration for internal communication (server to server and server to dashboard)	false
podMonitor	object		false

LHCluster.spec.kafka

^{^{↩ Parent}}

Name	Type	Description	Required
clusterPartitions	integer		true
externalClusterRef	object		false
lhKafkaRef	object		false
replicationFactor	integer	Default: 3	false
strimziClusterRef	object		false

LHCluster.spec.kafka.externalClusterRef

^{^{↩ Parent}}

Name	Type	Required
bootstrapServers	string	true
securityProtocol	string	true
createTopics	boolean	false
kafkaKeyStore	object	false
kafkaTrustStore	object	false
saslJaasConfig	object	false
saslMechanism	string	false

LHCluster.spec.kafka.externalClusterRef.kafkaKeyStore

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHCluster.spec.kafka.externalClusterRef.kafkaTrustStore

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHCluster.spec.kafka.externalClusterRef.saslJaasConfig

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHCluster.spec.kafka.lhKafkaRef

^{^{↩ Parent}}

Name	Type	Description	Required
clusterName	string		true
clusterWideQuotas	object		true
deleteKafkaTopics	boolean	Delete Kafka Topics when the LHCluster is deleted. If false, the topics will be left in place.	false

LHCluster.spec.kafka.lhKafkaRef.clusterWideQuotas

^{^{↩ Parent}}

Name	Type	Description	Required
consumerThroughputPerSecond	int or string	The throughput in bytes per second that may be consumed by this Kafka principal	true
producerThroughputPerSecond	int or string	The throughput in bytes per second that may be produced by this Kafka principal	true

LHCluster.spec.kafka.strimziClusterRef

^{^{↩ Parent}}

Name	Type	Description	Required
clusterName	string		true
createTopics	boolean		true
listener	object		true
deleteKafkaTopics	boolean	Delete Kafka Topics when the LHCluster is deleted. If false, the topics will be left in place.	false
quotas	object		false

LHCluster.spec.kafka.strimziClusterRef.listener

^{^{↩ Parent}}

Name	Type	Required
port	integer	true
authentication	string	false
tls	boolean	false

LHCluster.spec.kafka.strimziClusterRef.quotas

^{^{↩ Parent}}

Name	Type	Required
consumerByteRate	integer	false
controllerMutationRate	number	false
producerByteRate	integer	false
requestPercentage	integer	false

LHCluster.spec.server

^{^{↩ Parent}}

Name	Type	Description	Required
replicas	integer	Desired number of LH Server pods Minimum: 1	true
storage	object	Specification for persistent storage used by the server Validations: oldSelf == null \|\| !quantity(string(self.volumeSize)) .isLessThan(quantity(string(oldSelf.volumeSize))) : Cannot decrease volume size.	true
authentication	object	Determines how the LH Servers will determine Principal identity	false
compute	object	Specifies the compute resources allocated to the Server pods	false
coreStreamsCommitIntervalMs	integer	Sets `commit.interval.ms` for the Core topology.	false
experimentalConfigOverride	map[string]string	EXPERIMENTAL: specific configurations to override on the LH Server. Only applies to configs that are constant across all server instances.	false
hotStandbyReplicas	integer	The number of Kafka Streams standby replicas	false
image	string	Image to use for the LH Server	false
imagePullPolicy	enum	Image Pull Policy for LH Server Pods Enum: Always, IfNotPresent, Never	false
jvmArgs	[]string	Specifies jvm arguments to use on startup. Example: ["-XX:+HeapDumpOnOutOfMemoryError", "-XX:HeapDumpPath=/path/to/file", "-Xms2048m", "-Xmx3072m"] Default: []	false
lingerMs	integer	Desired value for `linger.ms` on the Command Producer.	false
listeners	[]object	Listeners to expose on the LH Server for use by clients of the LHCluster	false
logConfigMapKeyRef	object	ConfigMap key reference which contains the log4j2.properties.	false
logLevel	enum	Log Level for the LH Server Enum: DEBUG, INFO, TRACE, WARN	false
nodeSelector	map[string]string	Node Selector for LH Server pods.	false
podAnnotations	map[string]string	Labels to put on LH Server Pods	false
podLabels	map[string]string	Annotations to put on LH Server Pods	false
priorityClassName	string	Priority Class for LH Server pods.	false
rackAwareness	object	Specifies rack awareness for the LH Servers	false
serviceAnnotations	map[string]string	Annotations to put on LH Server Services	false
serviceLabels	map[string]string	Labels to put on LH Server Services	false
sessionTimeoutMs	integer	Session Timeout for the LH Server Kafka Streams topology. Default: 45000 Minimum: 6	false
streamsMetricsLevel	enum	Level of Kafka Streams metrics to collect. Setting to DEBUG or TRACE impacts performance. Enum: DEBUG, INFO, TRACE, WARN	false
tolerations	[]object	Tolerations for LH Server pods.	false
version	string	Version of the LH Server to deploy	false

LHCluster.spec.server.storage

^{^{↩ Parent}}

Specification for persistent storage used by the server

Name	Type	Description	Required
storageClassName	string	The name of the storageclass with which to provision storage.	true
volumeSize	int or string	The size of the persistent volume to provision.	true
throughputHint	int or string	A hint to the Operator which suggests the total storage bandwidth available to each Pod (read + write). Used to optimize RocksDB configuration and avoid noisy neighbors. This is a best-effort limit on throughput which will be respected in most cases but is not guaranteed.	false

LHCluster.spec.server.authentication

^{^{↩ Parent}}

Determines how the LH Servers will determine Principal identity

Name	Type	Description	Required
mtls	object		false
oauth	object		false

LHCluster.spec.server.authentication.mtls

^{^{↩ Parent}}

Name	Type	Description	Required
clientCaCert	object		true

LHCluster.spec.server.authentication.mtls.clientCaCert

^{^{↩ Parent}}

Name	Type	Description	Required
secretRef	object		true

LHCluster.spec.server.authentication.mtls.clientCaCert.secretRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHCluster.spec.server.authentication.oauth

^{^{↩ Parent}}

Name	Type	Description	Required
credentials	object		true
introspectionEndpointUrl	string		true

LHCluster.spec.server.authentication.oauth.credentials

^{^{↩ Parent}}

Name	Type	Description	Required
secretRef	object		true

LHCluster.spec.server.authentication.oauth.credentials.secretRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHCluster.spec.server.compute

^{^{↩ Parent}}

Specifies the compute resources allocated to the Server pods

Name	Type	Description	Required
burstCapacity	object		false
cpu	int or string	The amount of CPU to assign to the resulting pods. If burstCapacity is not set, also sets limits. Influences other performance-related configurations.	false
memory	int or string	The amount of RAM to assign to the resulting pods. If burstCapacity is not set, also sets limits. Influences other performance-related configurations.	false

LHCluster.spec.server.compute.burstCapacity

^{^{↩ Parent}}

Name	Type	Description	Required
cpu	int or string	Allows setting a limit to CPU higher than the requests. Recommended to also set priority class on the Pods if using this option.	false
memory	int or string	Allows setting a limit to memory higher than the requests. Use with caution as Kubernetes does not allow reclaiming memory from a Pod after a spike. Recommended to also set priority class on the Pods if using this option.	false

LHCluster.spec.server.listeners[index]

^{^{↩ Parent}}

Name	Type	Required
name	string	true
port	integer	true
advertisedListeners	object	false
authentication	object	false
infrastructure	object	false
tls	object	false

LHCluster.spec.server.listeners[index].advertisedListeners

^{^{↩ Parent}}

Name	Type	Required
bootstrap	object	false
serverHostSuffix	string	false
servers	[]object	false

LHCluster.spec.server.listeners[index].advertisedListeners.bootstrap

^{^{↩ Parent}}

Name	Type	Description	Required
host	string		true

LHCluster.spec.server.listeners[index].advertisedListeners.servers[index]

^{^{↩ Parent}}

Name	Type	Description	Required
host	string		true
port	integer		true

LHCluster.spec.server.listeners[index].authentication

^{^{↩ Parent}}

Name	Type	Description	Required
type	enum	Enum: MTLS, NONE, OAUTH	true

LHCluster.spec.server.listeners[index].infrastructure

^{^{↩ Parent}}

Name	Type	Description	Required
ingress	object	Specifies to create Ingress resources for the listener.	false
tlsRoute	object	Specifies to create TLSRoute according to the Gateway API. Requires a listener with the 'Passthrough' TLS mode enabled.	false

LHCluster.spec.server.listeners[index].infrastructure.ingress

^{^{↩ Parent}}

Specifies to create Ingress resources for the listener.

Name	Type	Description	Required
ingressClassName	string		true
ingressAnnotations	map[string]string		false

LHCluster.spec.server.listeners[index].infrastructure.tlsRoute

^{^{↩ Parent}}

Specifies to create TLSRoute according to the Gateway API. Requires a listener with the 'Passthrough' TLS mode enabled.

Name	Type	Description	Required
advertisedPort	integer	The advertised port. May differ from Gateway port depending on load balancer configuration.	true
gatewayRef	object	Specifies the Gateway to create routes for.	true
tlsRouteAnnotations	map[string]string	Optional additional annotations to apply to the generated TLSRoutes.	false
tlsRouteLabels	map[string]string	Optional additional labels to apply to the generated TLSRoutes.	false

LHCluster.spec.server.listeners[index].infrastructure.tlsRoute.gatewayRef

^{^{↩ Parent}}

Specifies the Gateway to create routes for.

Name	Type	Description	Required
name	string	The name of the Gateway.	true
sectionName	string	The sectionName, usually a port name, of the referenced Gateway to attach to.	true
namespace	string	The namespace of the Gateway to attach to. Defaults to current namespace.	false

LHCluster.spec.server.listeners[index].tls

^{^{↩ Parent}}

Name	Type	Description	Required
issuerRef	object		false
secretRef	object		false

LHCluster.spec.server.listeners[index].tls.issuerRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string	Name of the CertManager Issuer or ClusterIssuer	true
kind	string	Kind of the CertManager Issuer or ClusterIssuer	false

LHCluster.spec.server.listeners[index].tls.secretRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHCluster.spec.server.logConfigMapKeyRef

^{^{↩ Parent}}

ConfigMap key reference which contains the log4j2.properties.

Name	Type	Description	Required
key	string	Key in the ConfigMap.	false
name	string	Name of the ConfigMap.	false

LHCluster.spec.server.rackAwareness

^{^{↩ Parent}}

Specifies rack awareness for the LH Servers

Name	Type	Description	Required
zoneIds	[]string	List of all possible Racks. Required to avoid giving the Operator a ClusterRole.	true
zoneKey	string	The name of the label on K8s nodes which contains the Rack information	true

LHCluster.spec.server.tolerations[index]

^{^{↩ Parent}}

Name	Type	Required
effect	string	false
key	string	false
operator	string	false
tolerationSeconds	integer	false
value	string	false

LHCluster.spec.dashboard

^{^{↩ Parent}}

Specifies to create Dashboard resources for the cluster

Name	Type	Description	Required
image	string	Dashboard image for the pod. If not provided it defaults to ghcr.io/littlehorse-enterprises/littlehorse/lh-dashboard with either latest or the server version if spec.server.version is set	false
imagePullPolicy	string	Image pull policy for the dashboard container	false
infrastructure	object	Configures K8s infrastructure to allow external access to the dashboard.	false
oauth	object	Configure OAuth for users of the dashboard	false
replicas	integer	Number of dashboard pod replicas. Defaults to 1 Minimum: 1	false
tls	object	Configure TLS for port that clients use to connect to the dashboard.	false

LHCluster.spec.dashboard.infrastructure

^{^{↩ Parent}}

Configures K8s infrastructure to allow external access to the dashboard.

Name	Type	Description	Required
ingress	object	Specifies to create Ingress resources for the dashboard	false
tlsRoute	object	Specifies to create TLSRoute according to the Gateway API. Requires a listener with the 'Passthrough' TLS mode enabled.	false

LHCluster.spec.dashboard.infrastructure.ingress

^{^{↩ Parent}}

Specifies to create Ingress resources for the dashboard

Name	Type	Description	Required
hostname	string	The host to be used in the Ingress resource rule	true
ingressClassName	string	The name of the Ingress class to be used in the ingressClassName property of the Ingress resource	true
annotations	map[string]string	Annotations to put in the Ingress resource	false

LHCluster.spec.dashboard.infrastructure.tlsRoute

^{^{↩ Parent}}

Specifies to create TLSRoute according to the Gateway API. Requires a listener with the 'Passthrough' TLS mode enabled.

Name	Type	Description	Required
gatewayRef	object	Specifies the Gateway to create routes for.	true
hostname	string	The host to be added to the TLSRoute hostnames	true
annotations	map[string]string	Optional additional annotations to apply to the generated TLSRoute.	false
labels	map[string]string	Optional additional labels to apply to the generated TLSRoute.	false

LHCluster.spec.dashboard.infrastructure.tlsRoute.gatewayRef

^{^{↩ Parent}}

Specifies the Gateway to create routes for.

Name	Type	Description	Required
name	string	The name of the Gateway.	true
sectionName	string	The sectionName, usually a port name, of the referenced Gateway to attach to.	true
namespace	string	The namespace of the Gateway to attach to. Defaults to current namespace.	false

LHCluster.spec.dashboard.oauth

^{^{↩ Parent}}

Configure OAuth for users of the dashboard

Name	Type	Description	Required
callbackUrl	string	Canonical URL of the Dashboard site. Used by the Authorization Server to return the control to the LH Dashboard.More information can be found here: https://next-auth.js.org/configuration/options#nextauth_url	true
secretRef	object	Reference to a Secret with the OAuth clientId and clientSecret. If clientId entry and clientSecret entry are not present on the `Secret`, the deployment will fail	true
serverUrl	string	OAuth server url	true
callbackUrlInternal	string	Internal URL of the Dashboard server. Used by the Dashboard Server to query itself.Should only be set when the callbackUrl cannot be reached by the dashboard server.More information can be found here: https://next-auth.js.org/configuration/options#nextauth_url_internal	false

LHCluster.spec.dashboard.oauth.secretRef

^{^{↩ Parent}}

Reference to a Secret with the OAuth clientId and clientSecret. If clientId entry and clientSecret entry are not present on the Secret, the deployment will fail

Name	Type	Description	Required
name	string		true

LHCluster.spec.dashboard.tls

^{^{↩ Parent}}

Configure TLS for port that clients use to connect to the dashboard.

Name	Type	Description	Required
secretRef	object	Reference to the secret that contains a tls.crt entry for the cert and a tls.key entry for the key. If tls.cert and tls.key are not present the deployment will fail	true

LHCluster.spec.dashboard.tls.secretRef

^{^{↩ Parent}}

Reference to the secret that contains a tls.crt entry for the cert and a tls.key entry for the key. If tls.cert and tls.key are not present the deployment will fail

Name	Type	Description	Required
name	string		true

LHCluster.spec.internalComms

^{^{↩ Parent}}

Configuration for internal communication (server to server and server to dashboard)

Name	Type	Description	Required
encryptionEnabled	boolean	Automatically generates certs and the appropriate configuration for encrypting internal communication (server to server and server to dashboard). This property shouldn't be changed once set, or else it will cause downtime. LHO_CERTMANAGER_ENABLED should be set to true for this feature to work	true
certificateDuration	string	Duration for which the internal communication certificates are valid. Default is 2160h (90 days).	false

LHCluster.spec.podMonitor

^{^{↩ Parent}}

Name	Type	Description	Required
metricRelabelings	[]object	Relabelings for the metrics exposed by the server	false
podMonitorLabels	map[string]string	Labels to add to the generated `PodMonitor` resources	false

LHCluster.spec.podMonitor.metricRelabelings[index]

^{^{↩ Parent}}

Name	Type	Required
action	string	false
modulus	integer	false
regex	string	false
replacement	string	false
separator	string	false
sourceLabels	[]string	false
targetLabel	string	false

LHCluster.status

^{^{↩ Parent}}

Name	Type	Description	Required
adminPrincipal	string		false
adminPrincipalCreated	boolean		false
clusterHealth	object		false
conditions	[]object		false
connectionHash	string		false
kafkaType	enum	Enum: EXTERNAL, LHKAFKA, STRIMZI	false
lastBounceTime	integer		false
lastBouncedPod	integer		false
observedGeneration	integer		false
partitions	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
volumeSizeInternal	int or string		false

LHCluster.status.clusterHealth

^{^{↩ Parent}}

Name	Type	Description	Required
inProgressRestorations	[]object		false
offlineTasks	integer	Number of Active Core Streams Tasks that are under restoration.	false
streamTasks	[]object	Health of each Core Topology Stream Task, ordered by partition number	false
underReplicatedCoreTasks	integer	Total number of Core Streams Tasks that don't have enough caught-up Standbys	false
warmingUpCoreTasks	integer	Number of Core Streams Tasks that are being moved to different instances	false

LHCluster.status.clusterHealth.inProgressRestorations[index]

^{^{↩ Parent}}

Name	Type	Required
currentOffset	integer	false
endOffset	integer	false
instanceId	integer	false
partition	integer	false
totalRestored	integer	false

LHCluster.status.clusterHealth.streamTasks[index]

^{^{↩ Parent}}

Name	Type	Description	Required
activeTask	object		false
standbys	[]object		false

LHCluster.status.clusterHealth.streamTasks[index].activeTask

^{^{↩ Parent}}

Name	Type	Required
instanceId	integer	false
partition	integer	false
restorationLag	integer	false

LHCluster.status.clusterHealth.streamTasks[index].standbys[index]

^{^{↩ Parent}}

Name	Type	Required
instanceId	integer	false
lag	integer	false
partition	integer	false

LHCluster.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHConnector

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHConnector	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHConnector.spec

^{^{↩ Parent}}

Name	Type	Description	Required
config	object	Configurations for this SaddleJob	true
image	string	Docker Image for this Task Connector	true
tenantRef	object	Reference to the LHTenant to connect to.	true
imagePullPolicy	enum	Image Pull Policy Enum: Always, IfNotPresent, Never Default: IfNotPresent	false
podTemplate	object	Configures the Pod template, including annotations, labels, and where it is deployed.	false
replicas	integer	Number of pods to deploy Default: 1	false
resources	object	Resource requests and limits for the deployed pods	false

LHConnector.spec.config

^{^{↩ Parent}}

Configurations for this SaddleJob

Name	Type	Description	Required
configSecret	object	A reference to a secret containing configuration properties for the connector logic.	false
fileBasedConfigs	[]object	Configurations that require mounting a file on a disk (eg. TLS certificates).	false
plainConfigs	map[string]string	App-level configurations for the connector which can be set in plaintext.	false

LHConnector.spec.config.configSecret

^{^{↩ Parent}}

A reference to a secret containing configuration properties for the connector logic.

Name	Type	Description	Required
name	string		true

LHConnector.spec.tenantRef

^{^{↩ Parent}}

Reference to the LHTenant to connect to.

Name	Type	Description	Required
lhClusterName	string	The name of the LHCluster resource to connect to	true
tenantName	string	The name of the Tenant to connect to within the specified lhCluster.	true

LHConnector.spec.podTemplate

^{^{↩ Parent}}

Configures the Pod template, including annotations, labels, and where it is deployed.

Name	Type	Description	Required
nodeLabelForRackAwareness	string	Node label for rack awareness.	false
nodeSelectorTerms	[]object	Kubernetes NodeSelectorTerm's to select nodes via labels or expressions.	false
podAnnotations	map[string]string	Annotations to put on all of the pods.	false
podLabels	map[string]string	Labels to put on all of the pods.	false
priorityClassName	string	Priority class for the pods.	false
tolerations	[]object	Node Tolerations to tolerate.	false

LHConnector.spec.podTemplate.nodeSelectorTerms[index]

^{^{↩ Parent}}

Name	Type	Description	Required
matchExpressions	[]object		false
matchFields	[]object		false

LHConnector.spec.podTemplate.nodeSelectorTerms[index].matchExpressions[index]

^{^{↩ Parent}}

Name	Type	Required
key	string	false
operator	string	false
values	[]string	false

LHConnector.spec.podTemplate.nodeSelectorTerms[index].matchFields[index]

^{^{↩ Parent}}

Name	Type	Required
key	string	false
operator	string	false
values	[]string	false

LHConnector.spec.podTemplate.tolerations[index]

^{^{↩ Parent}}

Name	Type	Required
effect	string	false
key	string	false
operator	string	false
tolerationSeconds	integer	false
value	string	false

LHConnector.spec.resources

^{^{↩ Parent}}

Resource requests and limits for the deployed pods

Name	Type	Description	Required
burstCapacity	object		false
cpu	int or string	The amount of CPU to assign to the resulting pods. If burstCapacity is not set, also sets limits. Influences other performance-related configurations.	false
memory	int or string	The amount of RAM to assign to the resulting pods. If burstCapacity is not set, also sets limits. Influences other performance-related configurations.	false

LHConnector.spec.resources.burstCapacity

^{^{↩ Parent}}

Name	Type	Description	Required
cpu	int or string	Allows setting a limit to CPU higher than the requests. Recommended to also set priority class on the Pods if using this option.	false
memory	int or string	Allows setting a limit to memory higher than the requests. Use with caution as Kubernetes does not allow reclaiming memory from a Pod after a spike. Recommended to also set priority class on the Pods if using this option.	false

LHConnector.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHConnector.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHDashboard

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHDashboard	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHDashboard.spec

^{^{↩ Parent}}

Name	Type	Description	Required
api	object	Configures how the dashboard talks to the LH Server.	true
image	string	The image to be used by the Dashboard.	true
replicas	integer	The number of dashboard `Pod`s to deploy. Minimum: 1	true
authentication	object	Configures authentication for users of the dashboard.	false
defaultLabels	map[string]string	Labels to place on all dependent resources of the `LHDashboard`.	false
imagePullPolicy	string	The ImagePullPolicy to be used for the Dashboard `Pod`s.	false
infrastructure	object	Configures ingress-like infrastructure to be deployed for the `LHDashboard`.	false
resources	object	Configures compute resources for the dashboard pods.	false
tls	object	Certificate to encrypt/decrypt the network traffic. The secret should contain tls.crt and tls.key keys. Enables HTTPS listener.	false

LHDashboard.spec.api

^{^{↩ Parent}}

Configures how the dashboard talks to the LH Server.

Name	Type	Description	Required
host	string		true
port	integer		true
caCert	object		false
protocol	enum	Enum: PLAINTEXT, TLS	false

LHDashboard.spec.api.caCert

^{^{↩ Parent}}

Name	Type	Description	Required
secretRef	object	Specifies a secret that should contain a ca.crt key	true

LHDashboard.spec.api.caCert.secretRef

^{^{↩ Parent}}

Specifies a secret that should contain a ca.crt key

Name	Type	Description	Required
name	string		true

LHDashboard.spec.authentication

^{^{↩ Parent}}

Configures authentication for users of the dashboard.

Name	Type	Description	Required
oauth	object		true

LHDashboard.spec.authentication.oauth

^{^{↩ Parent}}

Name	Type	Description	Required
callbackUrl	string	Canonical URL of the Dashboard site. Used by the Authorization Server to return the control to the LH Dashboard.More information can be found here: https://next-auth.js.org/configuration/options#nextauth_url	true
credentials	object		true
serverUrl	string	OAuth server url	true
callbackUrlInternal	string	Internal URL of the Dashboard server. Used by the Dashboard Server to query itself.Should only be set when the callbackUrl cannot be reached by the dashboard server.More information can be found here: https://next-auth.js.org/configuration/options#nextauth_url_internal	false

LHDashboard.spec.authentication.oauth.credentials

^{^{↩ Parent}}

Name	Type	Description	Required
secretRef	object	Reference to secret with a clientId and a clientSecret key. If those keys are not present, the deployment will fail	true

LHDashboard.spec.authentication.oauth.credentials.secretRef

^{^{↩ Parent}}

Reference to secret with a clientId and a clientSecret key. If those keys are not present, the deployment will fail

Name	Type	Description	Required
name	string		true

LHDashboard.spec.infrastructure

^{^{↩ Parent}}

Configures ingress-like infrastructure to be deployed for the LHDashboard.

Name	Type	Description	Required
ingress	object	Specifies to create Ingress resources for the dashboard	false
tlsRoute	object	Specifies to create TLSRoute according to the Gateway API. Requires a listener with the 'Passthrough' TLS mode enabled.	false

LHDashboard.spec.infrastructure.ingress

^{^{↩ Parent}}

Specifies to create Ingress resources for the dashboard

Name	Type	Description	Required
hostname	string	The host to be used in the Ingress resource rule	true
ingressClassName	string	The name of the Ingress class to be used in the ingressClassName property of the Ingress resource	true
annotations	map[string]string	Annotations to put in the Ingress resource	false

LHDashboard.spec.infrastructure.tlsRoute

^{^{↩ Parent}}

Specifies to create TLSRoute according to the Gateway API. Requires a listener with the 'Passthrough' TLS mode enabled.

Name	Type	Description	Required
gatewayRef	object	Specifies the Gateway to create routes for.	true
hostname	string	The host to be added to the TLSRoute hostnames	true
annotations	map[string]string	Optional additional annotations to apply to the generated TLSRoute.	false
labels	map[string]string	Optional additional labels to apply to the generated TLSRoute.	false

LHDashboard.spec.infrastructure.tlsRoute.gatewayRef

^{^{↩ Parent}}

Specifies the Gateway to create routes for.

Name	Type	Description	Required
name	string	The name of the Gateway.	true
sectionName	string	The sectionName, usually a port name, of the referenced Gateway to attach to.	true
namespace	string	The namespace of the Gateway to attach to. Defaults to current namespace.	false

LHDashboard.spec.resources

^{^{↩ Parent}}

Configures compute resources for the dashboard pods.

Name	Type	Required
claims	[]object	false
limits	map[string]int or string	false
requests	map[string]int or string	false

LHDashboard.spec.resources.claims[index]

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		false
request	string		false

LHDashboard.spec.tls

^{^{↩ Parent}}

Certificate to encrypt/decrypt the network traffic. The secret should contain tls.crt and tls.key keys. Enables HTTPS listener.

Name	Type	Description	Required
secretRef	object	Reference to the secret that contains a tls.crt entry for the cert and a tls.key entry for the key. If tls.cert and tls.key are not present the deployment will fail	true

LHDashboard.spec.tls.secretRef

^{^{↩ Parent}}

Reference to the secret that contains a tls.crt entry for the cert and a tls.key entry for the key. If tls.cert and tls.key are not present the deployment will fail

Name	Type	Description	Required
name	string		true

LHDashboard.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHDashboard.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKafkaConnector

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKafkaConnector	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHKafkaConnector.spec

^{^{↩ Parent}}

Name	Type	Description	Required
className	string	The Java class that implements the connector	true
config	object	The configurations and secret mounts for this Kafka Connector	true
kafkaRef	object	The name of the LHKafka cluster that this connector connects to	true
tasksMax	integer	Maximum number of tasks for this connector. Minimum: 1	true
autoRestart	object	Allows specifying automatic restarts for failed connectors	false
desiredState	enum	The desired state of the connector. Either running, paused, or stopped Enum: paused, running, stopped	false
plugins	[]object	List of plugins required to run this connector	false
sinkTopic	string	The topic that this connector should use. Only for source connector.	false
sourceTopics	string	The topic regex that this connector should use. Only for sink connector.	false

LHKafkaConnector.spec.config

^{^{↩ Parent}}

The configurations and secret mounts for this Kafka Connector

Name	Type	Description	Required
configSecret	object	A reference to a secret containing configuration properties for the connector logic.	false
fileBasedConfigs	[]object	Configurations that require mounting a file on a disk (eg. TLS certificates).	false
plainConfigs	map[string]string	App-level configurations for the connector which can be set in plaintext.	false

LHKafkaConnector.spec.config.configSecret

^{^{↩ Parent}}

A reference to a secret containing configuration properties for the connector logic.

Name	Type	Description	Required
name	string		true

LHKafkaConnector.spec.kafkaRef

^{^{↩ Parent}}

The name of the LHKafka cluster that this connector connects to

Name	Type	Description	Required
name	string	The name of the LHKafka cluster that this connector connects to	true

LHKafkaConnector.spec.autoRestart

^{^{↩ Parent}}

Allows specifying automatic restarts for failed connectors

Name	Type	Description	Required
enabled	boolean		false
maxRestarts	integer		false

LHKafkaConnector.spec.plugins[index]

^{^{↩ Parent}}

Name	Type	Description	Required
artifacts	[]object		false
name	string		false

LHKafkaConnector.spec.plugins[index].artifacts[index]

^{^{↩ Parent}}

Name	Type	Required
jar	object	false
maven	object	false
other	object	false
tgz	object	false
zip	object	false

LHKafkaConnector.spec.plugins[index].artifacts[index].jar

^{^{↩ Parent}}

Name	Type	Required
insecure	boolean	false
sha512sum	string	false
url	string	false

LHKafkaConnector.spec.plugins[index].artifacts[index].maven

^{^{↩ Parent}}

Name	Type	Required
artifact	string	false
group	string	false
insecure	boolean	false
repository	string	false
version	string	false

LHKafkaConnector.spec.plugins[index].artifacts[index].other

^{^{↩ Parent}}

Name	Type	Required
fileName	string	false
insecure	boolean	false
sha512sum	string	false
url	string	false

LHKafkaConnector.spec.plugins[index].artifacts[index].tgz

^{^{↩ Parent}}

Name	Type	Required
insecure	boolean	false
sha512sum	string	false
url	string	false

LHKafkaConnector.spec.plugins[index].artifacts[index].zip

^{^{↩ Parent}}

Name	Type	Required
insecure	boolean	false
sha512sum	string	false
url	string	false

LHKafkaConnector.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHKafkaConnector.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKafka

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKafka	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHKafka.spec

^{^{↩ Parent}}

Name	Type	Description	Required
controllers	object	Specifies the controllers for the Kafka cluster. If `brokers` is not set, then these pods are both brokers and controllers.	true
brokers	object	Specifies the brokers for the Kafka cluster. If not set, then the `controllers` are both brokers and controllers.	false
connect	object	Configures the deployment of a Kafka Connect cluster connected to this LHKafka.	false
externalAccess	object	Configures external access to the Kafka cluster from outside Kubernetes	false
kafkaConfigOverrides	map[string]string	Override certain Kafka broker configurations for experimental purposes. Use with caution.	false
kafkaVersion	string	The desired kafka version. If null (recommended), uses the newest available version	false
logCleanerThroughputLimit	int or string	IO bandwidth limit for the log cleaner threads on each Kafka pod.	false
logConfigMapKeyRef	object	ConfigMap key reference which contains the log4j2.properties.	false
podMonitor	object	Configures PodMonitor's to be deployed for this LHKafka	false
rackNodeLabel	string	The k8s node label to be used for rack awareness Validations: self == oldSelf: spec.rackNodeLabel is immutable	false

LHKafka.spec.controllers

^{^{↩ Parent}}

Specifies the controllers for the Kafka cluster. If brokers is not set, then these pods are both brokers and controllers.

Name	Type	Description	Required
replicas	integer	Validations: self == oldSelf: Changing number of controllers is not supported Minimum: 1	true
storage	object	Validations: oldSelf == null \|\| !quantity(string(self.volumeSize)) .isLessThan(quantity(string(oldSelf.volumeSize))) : Cannot decrease volume size.	true
compute	object		false
nodeSelectorTerms	[]object		false
priorityClassName	string	The priority class to use for pods of this KafkaNodePool	false
tolerations	[]object		false

LHKafka.spec.controllers.storage

^{^{↩ Parent}}

Name	Type	Description	Required
storageClassName	string	The name of the storageclass with which to provision storage.	true
volumeSize	int or string	The size of the persistent volume to provision.	true

LHKafka.spec.controllers.compute

^{^{↩ Parent}}

Name	Type	Description	Required
burstCapacity	object		false
cpu	int or string	The amount of CPU to assign to the resulting pods. If burstCapacity is not set, also sets limits. Influences other performance-related configurations.	false
memory	int or string	The amount of RAM to assign to the resulting pods. If burstCapacity is not set, also sets limits. Influences other performance-related configurations.	false

LHKafka.spec.controllers.compute.burstCapacity

^{^{↩ Parent}}

Name	Type	Description	Required
cpu	int or string	Allows setting a limit to CPU higher than the requests. Recommended to also set priority class on the Pods if using this option.	false
memory	int or string	Allows setting a limit to memory higher than the requests. Use with caution as Kubernetes does not allow reclaiming memory from a Pod after a spike. Recommended to also set priority class on the Pods if using this option.	false

LHKafka.spec.controllers.nodeSelectorTerms[index]

^{^{↩ Parent}}

Name	Type	Description	Required
matchExpressions	[]object		false
matchFields	[]object		false

LHKafka.spec.controllers.nodeSelectorTerms[index].matchExpressions[index]

^{^{↩ Parent}}

Name	Type	Required
key	string	false
operator	string	false
values	[]string	false

LHKafka.spec.controllers.nodeSelectorTerms[index].matchFields[index]

^{^{↩ Parent}}

Name	Type	Required
key	string	false
operator	string	false
values	[]string	false

LHKafka.spec.controllers.tolerations[index]

^{^{↩ Parent}}

Name	Type	Required
effect	string	false
key	string	false
operator	string	false
tolerationSeconds	integer	false
value	string	false

LHKafka.spec.brokers

^{^{↩ Parent}}

Specifies the brokers for the Kafka cluster. If not set, then the controllers are both brokers and controllers.

Name	Type	Description	Required
replicas	integer	Validations: self == oldSelf: Changing number of controllers is not supported Minimum: 1	true
storage	object	Validations: oldSelf == null \|\| !quantity(string(self.volumeSize)) .isLessThan(quantity(string(oldSelf.volumeSize))) : Cannot decrease volume size.	true
compute	object		false
nodeSelectorTerms	[]object		false
priorityClassName	string	The priority class to use for pods of this KafkaNodePool	false
tolerations	[]object		false

LHKafka.spec.brokers.storage

^{^{↩ Parent}}

Name	Type	Description	Required
storageClassName	string	The name of the storageclass with which to provision storage.	true
volumeSize	int or string	The size of the persistent volume to provision.	true

LHKafka.spec.brokers.compute

^{^{↩ Parent}}

Name	Type	Description	Required
burstCapacity	object		false
cpu	int or string	The amount of CPU to assign to the resulting pods. If burstCapacity is not set, also sets limits. Influences other performance-related configurations.	false
memory	int or string	The amount of RAM to assign to the resulting pods. If burstCapacity is not set, also sets limits. Influences other performance-related configurations.	false

LHKafka.spec.brokers.compute.burstCapacity

^{^{↩ Parent}}

Name	Type	Description	Required
cpu	int or string	Allows setting a limit to CPU higher than the requests. Recommended to also set priority class on the Pods if using this option.	false
memory	int or string	Allows setting a limit to memory higher than the requests. Use with caution as Kubernetes does not allow reclaiming memory from a Pod after a spike. Recommended to also set priority class on the Pods if using this option.	false

LHKafka.spec.brokers.nodeSelectorTerms[index]

^{^{↩ Parent}}

Name	Type	Description	Required
matchExpressions	[]object		false
matchFields	[]object		false

LHKafka.spec.brokers.nodeSelectorTerms[index].matchExpressions[index]

^{^{↩ Parent}}

Name	Type	Required
key	string	false
operator	string	false
values	[]string	false

LHKafka.spec.brokers.nodeSelectorTerms[index].matchFields[index]

^{^{↩ Parent}}

Name	Type	Required
key	string	false
operator	string	false
values	[]string	false

LHKafka.spec.brokers.tolerations[index]

^{^{↩ Parent}}

Name	Type	Required
effect	string	false
key	string	false
operator	string	false
tolerationSeconds	integer	false
value	string	false

LHKafka.spec.connect

^{^{↩ Parent}}

Configures the deployment of a Kafka Connect cluster connected to this LHKafka.

Name

Type

Description

Required

quotas

object

Quotas for the Kafka Connect cluster

true

replicas

integer

The number of Kafka Connect workers to deploy

Minimum: 1

true

compute

object

false

LHKafka.spec.connect.quotas

^{^{↩ Parent}}

Quotas for the Kafka Connect cluster

Name	Type	Description	Required
consumerThroughputPerSecond	int or string	The throughput in bytes per second that may be consumed by this Kafka principal	true
producerThroughputPerSecond	int or string	The throughput in bytes per second that may be produced by this Kafka principal	true

LHKafka.spec.connect.compute

^{^{↩ Parent}}

Name	Type	Description	Required
burstCapacity	object		false
cpu	int or string	The amount of CPU to assign to the resulting pods. If burstCapacity is not set, also sets limits. Influences other performance-related configurations.	false
memory	int or string	The amount of RAM to assign to the resulting pods. If burstCapacity is not set, also sets limits. Influences other performance-related configurations.	false

LHKafka.spec.connect.compute.burstCapacity

^{^{↩ Parent}}

Name	Type	Description	Required
cpu	int or string	Allows setting a limit to CPU higher than the requests. Recommended to also set priority class on the Pods if using this option.	false
memory	int or string	Allows setting a limit to memory higher than the requests. Use with caution as Kubernetes does not allow reclaiming memory from a Pod after a spike. Recommended to also set priority class on the Pods if using this option.	false

LHKafka.spec.externalAccess

^{^{↩ Parent}}

Configures external access to the Kafka cluster from outside Kubernetes

Name	Type	Description	Required
advertisedListeners	object	Specifies the advertised listeners that clients will connect to	true
tls	object	Configures TLS for the external access	true
infrastructure	object	Configures K8s resources to be deployed to access the LHKafka	false

LHKafka.spec.externalAccess.advertisedListeners

^{^{↩ Parent}}

Specifies the advertised listeners that clients will connect to

Name

Type

Description

Required

wildcardDomainSuffix

string

Subdomain that all brokers will be exposed on. Must start with a '.' character.

true

advertisedPort

integer

Port that clients will use to connect to the Kafka cluster.

Default: 9092

false

LHKafka.spec.externalAccess.tls

^{^{↩ Parent}}

Configures TLS for the external access

Name	Type	Description	Required
secretRef	object	Reference to a Secret containing a TLS certificate to be used by the Kafka brokers	false

LHKafka.spec.externalAccess.tls.secretRef

^{^{↩ Parent}}

Reference to a Secret containing a TLS certificate to be used by the Kafka brokers

Name	Type	Description	Required
name	string		true

LHKafka.spec.externalAccess.infrastructure

^{^{↩ Parent}}

Configures K8s resources to be deployed to access the LHKafka

Name	Type	Description	Required
ingresses	object	Specifies Ingresses to expose LHKafka	false
tlsRoutes	object	Specifies TLSRoute's to create to access LHKafka using Gateway API	false

LHKafka.spec.externalAccess.infrastructure.ingresses

^{^{↩ Parent}}

Specifies Ingresses to expose LHKafka

Name	Type	Description	Required
ingressClassName	string	Specifies Ingress class name	true
annotations	map[string]string	Specifies Annotations as key value pair	false

LHKafka.spec.externalAccess.infrastructure.tlsRoutes

^{^{↩ Parent}}

Specifies TLSRoute's to create to access LHKafka using Gateway API

Name	Type	Description	Required
gatewayRef	object	Specifies the Gateway to create routes for.	true
annotations	map[string]string	Optional additional annotations to apply to the generated TLSRoutes.	false
labels	map[string]string	Optional additional labels to apply to the generated TLSRoutes.	false

LHKafka.spec.externalAccess.infrastructure.tlsRoutes.gatewayRef

^{^{↩ Parent}}

Specifies the Gateway to create routes for.

Name	Type	Description	Required
name	string	The name of the Gateway.	true
sectionName	string	The sectionName, usually a port name, of the referenced Gateway to attach to.	true
namespace	string	The namespace of the Gateway to attach to. Defaults to current namespace.	false

LHKafka.spec.logConfigMapKeyRef

^{^{↩ Parent}}

ConfigMap key reference which contains the log4j2.properties.

Name	Type	Description	Required
key	string	Key in the ConfigMap.	false
name	string	Name of the ConfigMap.	false

LHKafka.spec.podMonitor

^{^{↩ Parent}}

Configures PodMonitor's to be deployed for this LHKafka

Name	Type	Description	Required
metricRelabelings	[]object		false
podMonitorLabels	map[string]string		false

LHKafka.spec.podMonitor.metricRelabelings[index]

^{^{↩ Parent}}

Name	Type	Required
action	string	false
modulus	integer	false
regex	string	false
replacement	string	false
separator	string	false
sourceLabels	[]string	false
targetLabel	string	false

LHKafka.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
currentActiveBrokers	[]integer		false
internalTopicReplicationFactor	integer		false
kafkaVersion	string		false
numControllers	integer		false
observedGeneration	integer		false
ongoingRebalance	object		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
rackNodeLabel	string		false

LHKafka.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKafka.status.ongoingRebalance

^{^{↩ Parent}}

Name	Type	Required
dedicatedBrokersAfter	[]integer	false
dedicatedBrokersBefore	[]integer	false
lastRebalanceAttempt	integer	false
shouldHoldBrokerNodePool	boolean	false
shouldHoldMixedPool	boolean	false

LHKafkaTopic

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKafkaTopic	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHKafkaTopic.spec

^{^{↩ Parent}}

Name

Type

Description

Required

kafka

object

Validations:

oldSelf == null || (oldSelf.lhKafkaRef.clusterName == self.lhKafkaRef.clusterName) : Cannot change kafka cluster ref after initial creation.

true

topic

object

Wrapper object that contains the topic-relevant configurations

true

LHKafkaTopic.spec.kafka

^{^{↩ Parent}}

Name	Type	Description	Required
lhKafkaRef	object	Reference of the LHKafka cluster used by LHKafkaTopicSpec. Must be in the same namespace.	true

LHKafkaTopic.spec.kafka.lhKafkaRef

^{^{↩ Parent}}

Reference of the LHKafka cluster used by LHKafkaTopicSpec. Must be in the same namespace.

Name	Type	Description	Required
clusterName	string	Name of the LHKafka cluster this topic will be created in. Must be in the same namespace.	true

LHKafkaTopic.spec.topic

^{^{↩ Parent}}

Wrapper object that contains the topic-relevant configurations

Name	Type	Description	Required
name	string	Name of the LHKafkaTopic	true
config	map[string]string	Additional configurations for the topic set in a key-value format	false
partitions	integer	Number of partitions for this topic. DISCLAIMER: We do not recommend changing the number of partitions due to how Kafka behaves after increasing/decreasing them Minimum: 1	false
replicas	integer	Number of replicas for this topic Minimum: 0	false

LHKafkaTopic.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHKafkaTopic.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKafkaUser

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKafkaUser	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHKafkaUser.spec

^{^{↩ Parent}}

Name	Type	Description	Required
quotas	object	The quotas for this user.	true
acls	object	Configures the ACL's of the Kafka User.	false
aclsPrefix	string	DEPRECATED: use acls.simple.prefix instead The prefix for the ACL's that will be created for this user. Mutually exclusive with `strimziAcls`. If this is provided, then the LH Operator will create opinionated ACL's that allow the user to read/write to topics, txns, and consumer groups that start with this prefix, but not create or delete topics nor take cluster actions	false
externalAccess	object	Configures authentication for the Kafka User to access Kafka from outside the K8s cluster	false
lhKafkaClusterName	string	DEPRECATED: use lhKafkaRef instead. The name of the LHKafka cluster this user will be created in. Must be in the same namespace.	false
lhKafkaRef	object	Reference to the LHKafka in which this LHKafkaUser will be created.	false

LHKafkaUser.spec.quotas

^{^{↩ Parent}}

The quotas for this user.

Name	Type	Description	Required
consumerThroughputPerSecond	int or string	The throughput in bytes per second that may be consumed by this Kafka principal	true
producerThroughputPerSecond	int or string	The throughput in bytes per second that may be produced by this Kafka principal	true

LHKafkaUser.spec.acls

^{^{↩ Parent}}

Configures the ACL's of the Kafka User.

Name	Type	Description	Required
simple	object	Simple ACL's designed to namespace-scope a user, allowing actions to publish/consume from topics and groups within a prefix scope.	true

LHKafkaUser.spec.acls.simple

^{^{↩ Parent}}

Simple ACL's designed to namespace-scope a user, allowing actions to publish/consume from topics and groups within a prefix scope.

Name	Type	Description	Required
prefix	string	The prefix for the ACL's that will be created for this user. Mutually exclusive with `strimziAcls`. If this is provided, then the LH Operator will create opinionated ACL's that allow the user to read/write to topics, txns, and consumer groups that start with this prefix, but not create or delete topics nor take cluster actions	true
allowTopicManagement	boolean	Whether the user should be able to create and delete topics	false

LHKafkaUser.spec.externalAccess

^{^{↩ Parent}}

Configures authentication for the Kafka User to access Kafka from outside the K8s cluster

Name	Type	Description	Required
scramSha512	object	Configures the SCRAM-SHA-512 authentication for the user	true

LHKafkaUser.spec.externalAccess.scramSha512

^{^{↩ Parent}}

Configures the SCRAM-SHA-512 authentication for the user

Name	Type	Description	Required
passwordSecretRef	object	Reference to the secret containing the password for the user. If null, one will be generated with a random password, and a name matching the name of the LHKafkaUser but with the prefix 'lhku-'.	false

LHKafkaUser.spec.externalAccess.scramSha512.passwordSecretRef

^{^{↩ Parent}}

Reference to the secret containing the password for the user. If null, one will be generated with a random password, and a name matching the name of the LHKafkaUser but with the prefix 'lhku-'.

Name	Type	Description	Required
secretKeyRef	object		false

LHKafkaUser.spec.externalAccess.scramSha512.passwordSecretRef.secretKeyRef

^{^{↩ Parent}}

Name	Type	Required
key	string	false
name	string	false
optional	boolean	false

LHKafkaUser.spec.lhKafkaRef

^{^{↩ Parent}}

Reference to the LHKafka in which this LHKafkaUser will be created.

Name	Type	Description	Required
name	string	Name of the LHKafka cluster this user will be created in. Must be in the same namespace.	true

LHKafkaUser.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
lhKafkaClusterName	string		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
ready	boolean		false

LHKafkaUser.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKeycloakAuthenticationFlow

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKeycloakAuthenticationFlow	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHKeycloakAuthenticationFlow.spec

^{^{↩ Parent}}

Name	Type	Description	Required
authenticationFlow	object		true
realm	object		true

LHKeycloakAuthenticationFlow.spec.authenticationFlow

^{^{↩ Parent}}

Name	Type	Description	Required
alias	string	Flow name.	true
providerId	enum	Flow type. Enum: BasicFlow, ClientFlow	true
binding	enum	Bind this flow as a realm-level flow binding. Enum: browser, clientAuthentication, directGrant, dockerAuthentication, registration, resetCredentials	false
description	string		false
executions	[]object		false

LHKeycloakAuthenticationFlow.spec.authenticationFlow.executions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
priority	integer	Execution priority inside the flow.	true
provider	enum	Execution provider. Enum: AUTH_COOKIE, IDENTITY_PROVIDER_REDIRECTOR, IDP_AUTO_LINK, IDP_DETECT_EXISTING_BROKER_USER	true
requirement	enum	Execution requirement. Supported values: ALTERNATIVE, REQUIRED, DISABLED. Enum: ALTERNATIVE, DISABLED, REQUIRED	true
config	object	Optional execution configuration.	false

LHKeycloakAuthenticationFlow.spec.authenticationFlow.executions[index].config

^{^{↩ Parent}}

Optional execution configuration.

Name	Type	Description	Required
alias	string	Configuration alias in Keycloak.	true
authenticatorReferenceMaxAge	string		false
authenticatorReferenceValue	string	Authenticator reference	false
defaultProvider	string	Default Identity Provider	false

LHKeycloakAuthenticationFlow.spec.realm

^{^{↩ Parent}}

Name

Type

Description

Required

lhKeycloakRealmRef

object

Validations:

oldSelf == null || self.name == oldSelf.name: Ref 'name' is immutable and cannot be changed once set.

true

LHKeycloakAuthenticationFlow.spec.realm.lhKeycloakRealmRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHKeycloakAuthenticationFlow.status

^{^{↩ Parent}}

Name	Type	Description	Required
authenticationFlow	string	Authentication flow	false
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
realmName	string	Keycloak realm name	false

LHKeycloakAuthenticationFlow.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKeycloakClient

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKeycloakClient	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHKeycloakClient.spec

^{^{↩ Parent}}

Name

Type

Description

Required

client

object

Validations:

!(self.serviceAccountsEnabled == false && has(self.serviceAccountsRoles)): Service account should be enabled

true

realm

object

true

LHKeycloakClient.spec.client

^{^{↩ Parent}}

Name	Type	Description	Required
clientId	string		true
authorizationServicesEnabled	boolean		false
clientSecret	object	Customize the clientSecret. Keycloak will create a secret if empty	false
defaultClientScopes	[]string	List of client scopes assigned as default to the client	false
description	string		false
directAccessGrantsEnabled	boolean		false
enabled	boolean		false
frontchannelLogout	boolean		false
implicitFlowEnabled	boolean		false
optionalClientScopes	[]string	List of client scopes assigned as optional to the client	false
protocol	string		false
protocolMappers	[]object		false
publicClient	boolean		false
redirectUris	[]string		false
serviceAccountsEnabled	boolean		false
serviceAccountsRoles	object		false
standardFlowEnabled	boolean		false
surrogateAuthRequired	boolean		false

LHKeycloakClient.spec.client.clientSecret

^{^{↩ Parent}}

Customize the clientSecret. Keycloak will create a secret if empty

Name	Type	Description	Required
labels	map[string]string	Optional additional labels to apply to the generated Secret	false
name	string	Name of the generated Secret if not empty, otherwise it will take the name of the LHKeycloakClient	false
secretKeyRef	object	External secret to extract the clientSecret from. Keycloak will create a secret if empty	false

LHKeycloakClient.spec.client.clientSecret.secretKeyRef

^{^{↩ Parent}}

External secret to extract the clientSecret from. Keycloak will create a secret if empty

Name	Type	Description	Required
key	string	The key of the data	true
name	string	The name of the Secret	true

LHKeycloakClient.spec.client.protocolMappers[index]

^{^{↩ Parent}}

Name	Type	Required
name	string	true
protocolMapper	string	true
config	map[string]string	false
protocol	string	false

LHKeycloakClient.spec.client.serviceAccountsRoles

^{^{↩ Parent}}

Name	Type	Description	Required
clientRoles	[]object	List of roles which belongs to a specific client	false
realmRoles	[]string	List of global roles, belonging to the realm	false

LHKeycloakClient.spec.client.serviceAccountsRoles.clientRoles[index]

^{^{↩ Parent}}

Name	Type	Description	Required
clientId	string		true
roles	[]string		true

LHKeycloakClient.spec.realm

^{^{↩ Parent}}

Name

Type

Description

Required

lhKeycloakRealmRef

object

Validations:

oldSelf == null || self.name == oldSelf.name: Ref 'name' is immutable and cannot be changed once set.

true

LHKeycloakClient.spec.realm.lhKeycloakRealmRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHKeycloakClient.status

^{^{↩ Parent}}

Name	Type	Description	Required
clientId	string	ClientID used for OAuth authentication	false
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
realmName	string	Keycloak realm name	false
recordId	string		false
status	string	Current client state. `Enabled`: the client was created and is enabled. `Disabled`: the client was created and is disabled.	false

LHKeycloakClient.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKeycloakClientScope

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKeycloakClientScope	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHKeycloakClientScope.spec

^{^{↩ Parent}}

Name	Type	Description	Required
clientScope	object		true
realm	object		true

LHKeycloakClientScope.spec.clientScope

^{^{↩ Parent}}

Name	Type	Description	Required
name	string	Validations: self == oldSelf: name is immutable once the resource has been created	true
protocol	string		true
description	string		false
displayOnConsentScreen	boolean		false
includeInTokenScope	boolean		false
protocolMappers	[]object		false

LHKeycloakClientScope.spec.clientScope.protocolMappers[index]

^{^{↩ Parent}}

Name	Type	Required
name	string	true
protocolMapper	string	true
config	map[string]string	false
protocol	string	false

LHKeycloakClientScope.spec.realm

^{^{↩ Parent}}

Name

Type

Description

Required

lhKeycloakRealmRef

object

Validations:

oldSelf == null || self.name == oldSelf.name: Ref 'name' is immutable and cannot be changed once set.

true

LHKeycloakClientScope.spec.realm.lhKeycloakRealmRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHKeycloakClientScope.status

^{^{↩ Parent}}

Name	Type	Description	Required
clientScope	string	Client Scope	false
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
realmName	string	Keycloak realm name	false
recordId	string		false

LHKeycloakClientScope.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKeycloakOIDCProvider

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKeycloakOIDCProvider	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	Validations: self.providerId != 'oidc' \|\| (has(self.authorizationUrl) && self.authorizationUrl != ''): authorizationUrl is required when providerId is oidc self.providerId != 'oidc' \|\| (has(self.tokenUrl) && self.tokenUrl != ''): tokenUrl is required when providerId is oidc	false
status	object		false

LHKeycloakOIDCProvider.spec

^{^{↩ Parent}}

Name	Type	Description	Required
alias	string	The alias uniquely identifies an identity provider and it is also used to build the redirect uri Validations: self == oldSelf: alias is immutable once the resource is created	true
credentials	object	Configuration of the ClientId and ClientSecret for the OAuth client	true
providerId	enum	Enum: github, google, oidc	true
realm	object	Realm this Identity Provider belongs to	true
authorizationUrl	string	URL of the OpenID Provider's OAuth 2.0 Authorization Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.	false
clientAuthMethod	enum	The client authentication method. Only client_secret_basic and client_secret_post are supported Enum: client_secret_basic, client_secret_post Default: client_secret_post	false
defaultScope	string	The scopes to be sent when asking for authorization. It can be a space-separated list of scopes	false
displayName	string	The name to be displayed on the frontend for this identity provider	false
enabled	boolean	If true, this identity provider will be turned on Default: true	false
firstBrokerLoginFlowAlias	object	Reference or alias of the authentication flow to use as first broker login flow. Only one value is accepted Validations: has(self.lhKeycloakAuthenticationFlowRef) != has(self.alias): Exactly one of lhKeycloakAuthenticationFlowRef or alias must be configured.	false
forwardParameters	string	Non OpenID Connect/OAuth standard query parameters to be forwarded to external IDP from the initial application request to Authorization Endpoint. Multiple parameters can be entered, separated by comma.	false
hideOnLogin	boolean	If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter. Default: false	false
issuer	string	URL using the https scheme with no query or fragment components that the OpenID Provider's asserts as its Issuer Identifier.	false
jwksUrl	string	URL of the OpenID Provider's JWK Set document. If validateSignature is true, then this property is required	false
linkOnly	boolean	If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider Default: false	false
logoutUrl	string	URL of the OpenID Provider's endpoint/page for ending the session.	false
storeToken	boolean	Enable/disable if tokens must be stored after authenticating users. Default: false	false
syncMode	enum	Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. Possible values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider. Enum: FORCE, IMPORT, LEGACY Default: LEGACY	false
tokenUrl	string	URL of the OpenID Provider's OAuth 2.0 Token Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.	false
trustEmail	boolean	If enabled, email provided by this provider is not verified even if verification is enabled for the realm. Default: false	false
userInfoUrl	string	URL of the OpenID Provider's UserInfo Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.	false
validateSignature	boolean	If true, validates the token signature using the keys from the jwksUrl Default: false	false

LHKeycloakOIDCProvider.spec.credentials

^{^{↩ Parent}}

Configuration of the ClientId and ClientSecret for the OAuth client

Name	Type	Description	Required
secretRef	object	Reference to secret with a clientId and a clientSecret key. If those keys are not present, the deployment will fail	true

LHKeycloakOIDCProvider.spec.credentials.secretRef

^{^{↩ Parent}}

Reference to secret with a clientId and a clientSecret key. If those keys are not present, the deployment will fail

Name	Type	Description	Required
name	string		true

LHKeycloakOIDCProvider.spec.realm

^{^{↩ Parent}}

Realm this Identity Provider belongs to

Name	Type	Description	Required
lhKeycloakRealmRef	object		true

LHKeycloakOIDCProvider.spec.realm.lhKeycloakRealmRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string	LHKeycloakRealm name	true

LHKeycloakOIDCProvider.spec.firstBrokerLoginFlowAlias

^{^{↩ Parent}}

Reference or alias of the authentication flow to use as first broker login flow. Only one value is accepted

Name	Type	Description	Required
alias	string	Alias of the authentication flow in Keycloak.	false
lhKeycloakAuthenticationFlowRef	object	Reference to an LHKeycloakAuthenticationFlow resource.	false

LHKeycloakOIDCProvider.spec.firstBrokerLoginFlowAlias.lhKeycloakAuthenticationFlowRef

^{^{↩ Parent}}

Reference to an LHKeycloakAuthenticationFlow resource.

Name	Type	Description	Required
name	string	Name of the LHKeycloakAuthenticationFlow resource.	true

LHKeycloakOIDCProvider.status

^{^{↩ Parent}}

Name	Type	Description	Required
alias	string	OIDC unique alias to identify within the realm	false
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
realmName	string		false
status	string	Current identity provider state. `Enabled`: the identity provider was created and is enabled. `Disable`: the identity provider was created and is disabled.	false

LHKeycloakOIDCProvider.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKeycloakRealm

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKeycloakRealm	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHKeycloakRealm.spec

^{^{↩ Parent}}

Name	Type	Description	Required
keycloak	object		true
realm	object		true

LHKeycloakRealm.spec.keycloak

^{^{↩ Parent}}

Name	Type	Description	Required
lhKeycloakRef	object		true

LHKeycloakRealm.spec.keycloak.lhKeycloakRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHKeycloakRealm.spec.realm

^{^{↩ Parent}}

Name	Type	Required
name	string	true
accessTokenLifespan	integer	false
authentication	object	false
bruteForceProtected	boolean	false
displayName	string	false
duplicateEmailsAllowed	boolean	false
editUsernameAllowed	boolean	false
enabled	boolean	false
failureFactor	integer	false
loginTheme	string	false
loginWithEmailAllowed	boolean	false
organizationsEnabled	boolean	false
registrationAllowed	boolean	false
registrationEmailAsUsername	boolean	false
resetPasswordAllowed	boolean	false
smtpServer	object	false
sslRequired	string	false
ssoSessionIdleTimeout	integer	false
ssoSessionMaxLifespan	integer	false

LHKeycloakRealm.spec.realm.authentication

^{^{↩ Parent}}

Name	Type	Description	Required
policies	object		false

LHKeycloakRealm.spec.realm.authentication.policies

^{^{↩ Parent}}

Name

Type

Description

Required

passwordPolicies

object

Validations:

(!has(self.hashAlgorithm) || size(self.hashAlgorithm.trim()) > 0) && (!has(self.regexPattern) || size(self.regexPattern.trim()) > 0) && (!has(self.passwordBlacklist) || size(self.passwordBlacklist.trim()) > 0) : String password policies must be non-empty

false

LHKeycloakRealm.spec.realm.authentication.policies.passwordPolicies

^{^{↩ Parent}}

Name	Type	Description	Required
digits	integer	Digits Minimum: 1	false
forceExpiredPasswordChange	integer	Expire Password Minimum: 1	false
hashAlgorithm	string	Hashing Algorithm	false
hashIterations	integer	Hashing Iterations Minimum: 1	false
length	integer	Minimum Length Minimum: 1	false
lowerCase	integer	Lowercase Characters Minimum: 1	false
maxAuthAge	integer	Maximum Authentication Age Minimum: 1	false
maxLength	integer	Maximum Length Minimum: 1	false
notContainsUsername	boolean	Not Contains Username	false
notEmail	boolean	Not Email	false
notUsername	boolean	Not Username	false
passwordAge	integer	Not Recently Used (In Days) Minimum: 1	false
passwordBlacklist	string	Password Blacklist: The blacklist file must exist before setting this value.	false
passwordHistory	integer	Not Recently Used Minimum: 1	false
recoveryCodesWarningThreshold	integer	Recovery Codes Warning Threshold Minimum: 1	false
regexPattern	string	Regular Expression	false
specialChars	integer	Special Characters Minimum: 1	false
upperCase	integer	Uppercase Characters Minimum: 1	false

LHKeycloakRealm.spec.realm.smtpServer

^{^{↩ Parent}}

Name	Type	Required
from	string	true
smtp	object	true
envelopeFrom	string	false
fromDisplayName	string	false
replyTo	string	false
replyToDisplayName	string	false

LHKeycloakRealm.spec.realm.smtpServer.smtp

^{^{↩ Parent}}

Name	Type	Description	Required
host	string		true
allowUTF8	boolean		false
auth	object	Validations: has(self.password): An authentication method must be provided (currently only password is supported).	false
debug	boolean		false
port	integer		false
ssl	boolean		false

LHKeycloakRealm.spec.realm.smtpServer.smtp.auth

^{^{↩ Parent}}

Name	Type	Description	Required
username	string		true
password	object	The password for the SMTP server. The value is expected to be a reference to a secret that contains the password in a key named 'password'.	false

LHKeycloakRealm.spec.realm.smtpServer.smtp.auth.password

^{^{↩ Parent}}

The password for the SMTP server. The value is expected to be a reference to a secret that contains the password in a key named 'password'.

Name	Type	Description	Required
secretRefSpec	object	The reference to the secret that contains the SMTP password. The secret should contain a key named 'password' with the SMTP password as its value.	true

LHKeycloakRealm.spec.realm.smtpServer.smtp.auth.password.secretRefSpec

^{^{↩ Parent}}

The reference to the secret that contains the SMTP password. The secret should contain a key named 'password' with the SMTP password as its value.

Name	Type	Description	Required
name	string		true

LHKeycloakRealm.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
realmName	string		false
status	string	Current realm state. `Enabled`: the realm was created and is enabled. `Disable`: the realm was created and is disabled.	false

LHKeycloakRealm.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKeycloakRole

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKeycloakRole	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	Validations: has(self.clientRole) != has(self.realmRole): Exactly one of 'clientRole' or 'realmRole' must be specified oldSelf == null \|\| self.name == oldSelf.name: 'name' is immutable and cannot be changed once set.	false
status	object		false

LHKeycloakRole.spec

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true
clientRole	object	Client role	false
composite	[]object	Composite roles	false
description	string	Description of the role	false
realmRole	object	Realm role	false

LHKeycloakRole.spec.clientRole

^{^{↩ Parent}}

Client role

Name

Type

Description

Required

lhKeycloakClientRef

object

Validations:

oldSelf == null || self.name == oldSelf.name: Ref 'name' is immutable and cannot be changed once set.

true

LHKeycloakRole.spec.clientRole.lhKeycloakClientRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHKeycloakRole.spec.composite[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lhKeycloakRoleRef	object		true

LHKeycloakRole.spec.composite[index].lhKeycloakRoleRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHKeycloakRole.spec.realmRole

^{^{↩ Parent}}

Realm role

Name

Type

Description

Required

lhKeycloakRealmRef

object

Validations:

oldSelf == null || self.name == oldSelf.name: Ref 'name' is immutable and cannot be changed once set.

true

LHKeycloakRole.spec.realmRole.lhKeycloakRealmRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHKeycloakRole.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
keycloak	object	Details about the Keycloak role	false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHKeycloakRole.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKeycloakRole.status.keycloak

^{^{↩ Parent}}

Details about the Keycloak role

Name	Type	Description	Required
clientId	string	KyecloakClient owner ID for the role	false
id	string	Keycloak assigned ID for the role	false
realm	string	Keycloak realm for the role	false

LHKeycloak

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKeycloak	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHKeycloak.spec

^{^{↩ Parent}}

Name	Type	Description	Required
http	object	HTTP listener configurations	true
replicas	integer	The number of Keycloak pods to deploy. A minimum of 1 is required Minimum: 1	true
additionalOptions	[]object	Additional Keycloak server options. Use Keycloak option names without the 'kc.' prefix.	false
cache	object	Cache configurations	false
database	object	Database configurations	false
defaultLabels	map[string]string	Labels to place on all dependent resources of the `LHKeycloak`.	false
hostname	object	Hostname configurations. More info at https://www.keycloak.org/server/hostname	false
image	string	Image to use for Keycloak Server. If not set defaults to quay.io/keycloak/keycloak:26.4.2	false
imagePullPolicy	enum	Image pull policy for Keycloak pods Enum: Always, IfNotPresent, Never	false
logging	object	Logging configuration for Keycloak	false
operator	object	Configurations for the operator connection with the Keycloak server	false
outgoingHttp	object	Configuring outgoing HTTP requests. More info at https://www.keycloak.org/server/outgoinghttp#_client_configuration_command	false
podMonitor	object	Configuration for the PodMonitor to be deployed for this LHKeycloak	false
resources	object	Configures compute resources for the keycloak pods.	false
storage	object	Storage configuration for Keycloak. Validations: oldSelf == null \|\| !quantity(string(self.volumeSize)) .isLessThan(quantity(string(oldSelf.volumeSize))) : Cannot decrease volume size.	false

LHKeycloak.spec.http

^{^{↩ Parent}}

HTTP listener configurations

Name	Type	Description	Required
enableHttp	boolean	Enables the HTTP listener. If false and tls is not provided, then an error will be thrown Default: false	false
httpPort	integer	The used HTTP port. Defaults to 8000 Default: 8000	false
infrastructure	object		false
tls	object	Certificate to encrypt/decrypt the network traffic. The secret should contain tls.crt and tls.key keys. Enables HTTPS listener.	false

LHKeycloak.spec.http.infrastructure

^{^{↩ Parent}}

Name	Type	Description	Required
tlsRoute	object	Specifies to create TLSRoute according to the Gateway API. Requires a listener with the 'Passthrough' TLS mode enabled.	false

LHKeycloak.spec.http.infrastructure.tlsRoute

^{^{↩ Parent}}

Specifies to create TLSRoute according to the Gateway API. Requires a listener with the 'Passthrough' TLS mode enabled.

Name	Type	Description	Required
gatewayRef	object	Specifies the Gateway to create routes for.	true
hostname	string	The host to be added to the TLSRoute hostnames	true
annotations	map[string]string	Optional additional annotations to apply to the generated TLSRoute.	false
labels	map[string]string	Optional additional labels to apply to the generated TLSRoute.	false

LHKeycloak.spec.http.infrastructure.tlsRoute.gatewayRef

^{^{↩ Parent}}

Specifies the Gateway to create routes for.

Name	Type	Description	Required
name	string	The name of the Gateway.	true
sectionName	string	The sectionName, usually a port name, of the referenced Gateway to attach to.	true
namespace	string	The namespace of the Gateway to attach to. Defaults to current namespace.	false

LHKeycloak.spec.http.tls

^{^{↩ Parent}}

Certificate to encrypt/decrypt the network traffic. The secret should contain tls.crt and tls.key keys. Enables HTTPS listener.

Name	Type	Description	Required
secretRef	object	Reference to the secret that contains a tls.crt entry for the cert and a tls.key entry for the key. If tls.cert and tls.key are not present the deployment will fail	true

LHKeycloak.spec.http.tls.secretRef

^{^{↩ Parent}}

Reference to the secret that contains a tls.crt entry for the cert and a tls.key entry for the key. If tls.cert and tls.key are not present the deployment will fail

Name	Type	Description	Required
name	string		true

LHKeycloak.spec.additionalOptions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
name	string	Keycloak option name without the 'kc.' prefix. Example: SPI-CONNECTIONS-HTTP-CLIENT-DEFAULT-CONNECTION-TTL-MILLIS	true
value	string	Plain text value for the option	true

LHKeycloak.spec.cache

^{^{↩ Parent}}

Cache configurations

Name

Type

Description

Required

encryptionEnabled

boolean

Automatically generates certs and the appropriate configuration for encrypting internal cache communication when type is ispn. LHO_CERTMANAGER_ENABLED should be set to true for this feature to work

true

type

enum

Defines the cache mechanism, either ispn or local. Defaults to ispn

Enum: ispn, local

false

LHKeycloak.spec.database

^{^{↩ Parent}}

Database configurations

Name	Type	Description	Required
externalRef	object		false

LHKeycloak.spec.database.externalRef

^{^{↩ Parent}}

Name	Type	Description	Required
credentials	object		true
database	string	Sets the database name of the default JDBC URL of the chosen vendor.	true
host	string	Sets the hostname of the default JDBC URL of the chosen vendor.	true
caCert	object	CA cert to encrypt/decrypt the communication between keycloak and the database. The secret should contain a ca.crt key. Should be set if the database is using a cert not signed by a well-known CA. The certificate will be placed in the /tls/database/ca.crt absolute path. It will also be loaded into the default JVM truststore. If the JDBC driver doesn't support the default JVM certs then you will need to specify the cert path in the properties	false
port	integer	Sets the port of the default JDBC URL of the chosen vendor. Defaults to 5432 Default: 5432	false
properties	string	Sets the properties of the default JDBC URL of the chosen vendor. Make sure to set the properties accordingly to the format expected by the database vendor, as well as appending the right character at the beginning of this property value. e.g. "?sslmode=verify-full&sslrootcert=/customCA/database/ca.crt"	false
vendor	enum	The database vendor. Accepted Values: dev-file, dev-mem, mariadb, mssql, mysql, oracle, and postgres. Defaults to dev-file Enum: dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres	false

LHKeycloak.spec.database.externalRef.credentials

^{^{↩ Parent}}

Name	Type	Description	Required
secretRef	object	Reference to secret of type kubernetes.io/basic-auth with username and password keys	true

LHKeycloak.spec.database.externalRef.credentials.secretRef

^{^{↩ Parent}}

Reference to secret of type kubernetes.io/basic-auth with username and password keys

Name	Type	Description	Required
name	string		true

LHKeycloak.spec.database.externalRef.caCert

^{^{↩ Parent}}

CA cert to encrypt/decrypt the communication between keycloak and the database. The secret should contain a ca.crt key. Should be set if the database is using a cert not signed by a well-known CA. The certificate will be placed in the /tls/database/ca.crt absolute path. It will also be loaded into the default JVM truststore. If the JDBC driver doesn't support the default JVM certs then you will need to specify the cert path in the properties

Name	Type	Description	Required
secretRef	object		true

LHKeycloak.spec.database.externalRef.caCert.secretRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHKeycloak.spec.hostname

^{^{↩ Parent}}

Hostname configurations. More info at https://www.keycloak.org/server/hostname

Name	Type	Description	Required
admin	string	The hostname for accessing the administration console.	false
enableBackchannelDynamic	boolean	Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path. Set to true if your application accesses Keycloak via a private network. Defaults to false Default: false	false
enableDebug	boolean	Enables the hostname debug page that is accessible at /realms/master/hostname-debug. Defaults to false Default: false	false
enableStrict	boolean	Enables dynamically resolving the hostname from request headers. Defaults to true Default: true	false
hostname	string	Hostname for the Keycloak server	false

LHKeycloak.spec.logging

^{^{↩ Parent}}

Logging configuration for Keycloak

Name	Type	Description	Required
consoleJsonFormat	string	JSON console log format. Supported values: default, ecs	false
consoleOutput	string	Console log output format. Supported values: default, json	false
level	string	Root log level. Example: info, debug, warn	false

LHKeycloak.spec.operator

^{^{↩ Parent}}

Configurations for the operator connection with the Keycloak server

Name	Type	Description	Required
caCert	object	CA cert to encrypt/decrypt the communication within the keycloak service and the operator. Should be set if the Keycloak server is using a cert not signed by a well-known CA. The secret should contain a ca.crt key	false
keycloakUrl	string	URL for the operator to connect with Keycloak. Should be set if the operator is not able to reach the Keycloak server through the internal kubernetes URL. Defaults to https://`lhkeycloak-name`-service.`namespace`.svc.cluster.local:8443	false

LHKeycloak.spec.operator.caCert

^{^{↩ Parent}}

CA cert to encrypt/decrypt the communication within the keycloak service and the operator. Should be set if the Keycloak server is using a cert not signed by a well-known CA. The secret should contain a ca.crt key

Name	Type	Description	Required
secretRef	object		true

LHKeycloak.spec.operator.caCert.secretRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHKeycloak.spec.outgoingHttp

^{^{↩ Parent}}

Configuring outgoing HTTP requests. More info at https://www.keycloak.org/server/outgoinghttp#_client_configuration_command

Name

Type

Description

Required

disableTrustManager

boolean

If an outgoing request requires HTTPS and this configuration option is set to true, you do not have to specify a truststore. This setting should be used only during development and never in production because it will disable verification of SSL certificates. Default: false.

Default: false

false

LHKeycloak.spec.podMonitor

^{^{↩ Parent}}

Configuration for the PodMonitor to be deployed for this LHKeycloak

Name	Type	Description	Required
labels	map[string]string	Labels to add to the generated `PodMonitor` resources	false
metricRelabelings	[]object	Relabelings for the metrics exposed by the keycloak	false

LHKeycloak.spec.podMonitor.metricRelabelings[index]

^{^{↩ Parent}}

Name	Type	Required
action	string	false
modulus	integer	false
regex	string	false
replacement	string	false
separator	string	false
sourceLabels	[]string	false
targetLabel	string	false

LHKeycloak.spec.resources

^{^{↩ Parent}}

Configures compute resources for the keycloak pods.

Name	Type	Required
claims	[]object	false
limits	map[string]int or string	false
requests	map[string]int or string	false

LHKeycloak.spec.resources.claims[index]

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		false
request	string		false

LHKeycloak.spec.storage

^{^{↩ Parent}}

Storage configuration for Keycloak.

Name	Type	Description	Required
storageClassName	string	The name of the storageclass with which to provision storage.	true
volumeSize	int or string	The size of the persistent volume to provision.	true

LHKeycloak.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
connectionHash	string		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHKeycloak.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKeycloakTheme

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKeycloakTheme	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHKeycloakTheme.spec

^{^{↩ Parent}}

Name

Type

Description

Required

image

string

Container image that contains the Keycloak theme

true

keycloak

object

Target LHKeycloak where this theme should be copied

true

imagePullPolicy

enum

Image pull policy for the theme copy job

Enum: Always, IfNotPresent, Never
Default: IfNotPresent

false

LHKeycloakTheme.spec.keycloak

^{^{↩ Parent}}

Target LHKeycloak where this theme should be copied

Name	Type	Description	Required
lhKeycloakRef	object		true

LHKeycloakTheme.spec.keycloak.lhKeycloakRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHKeycloakTheme.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
keycloakName	string		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
replicas	integer		false

LHKeycloakTheme.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHKeycloakUser

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHKeycloakUser	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHKeycloakUser.spec

^{^{↩ Parent}}

Name	Type	Description	Required
realm	object		true
user	object		true

LHKeycloakUser.spec.realm

^{^{↩ Parent}}

Name

Type

Description

Required

lhKeycloakRealmRef

object

Validations:

oldSelf == null || self.name == oldSelf.name: Ref 'name' is immutable and cannot be changed once set.

true

LHKeycloakUser.spec.realm.lhKeycloakRealmRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHKeycloakUser.spec.user

^{^{↩ Parent}}

Name	Type	Description	Required
username	string	Validations: self == oldSelf: username is immutable; delete and recreate the LHKeycloakUser to use a different username	true
clientRoles	[]object	List of roles which belongs to a specific client	false
email	string		false
emailVerified	boolean		false
enabled	boolean		false
firstName	string		false
groups	[]string	Group paths. Example: /my-groups or /my-group/my-child-group	false
lastName	string		false
password	object		false
realmRoles	[]string	List of global roles, belonging to the realm	false
requiredActions	[]string		false

LHKeycloakUser.spec.user.clientRoles[index]

^{^{↩ Parent}}

Name	Type	Description	Required
clientId	string		true
roles	[]string		true

LHKeycloakUser.spec.user.password

^{^{↩ Parent}}

Name	Type	Description	Required
secretKeyRef	object	External secret to extract the password from. Keycloak will create a secret if empty	true

LHKeycloakUser.spec.user.password.secretKeyRef

^{^{↩ Parent}}

External secret to extract the password from. Keycloak will create a secret if empty

Name	Type	Description	Required
key	string	The key of the data	true
name	string	The name of the Secret	true

LHKeycloakUser.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
realmName	string	Keycloak realm name	false
recordId	string		false
status	string	Current user state. `Enabled`: the user was created and is enabled. `Disabled`: the user was created and is disabled.	false
username	string	Username used for OAuth authentication	false

LHKeycloakUser.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHOperator

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHOperator	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHOperator.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
reconciledBy	[]string		false

LHOperator.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHPrincipal

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHPrincipal	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHPrincipal.spec

^{^{↩ Parent}}

Name	Type	Description	Required
lhCluster	object	Specifies the LittleHorse Cluster	true
globalACLs	[]object	Global ACL's to add to the `Principal` to be created in the LH Server. These permissions apply to all `Tenant`s inside the LH Server.	false
perTenantACLs	[]object	Allows assigning permissions to the `Principal` to access specific `Tenant`s inside the LH Server.	false
principalName	string	The name of the `Principal` to be created in the LH Server. If null, uses the LHPrincipal name. Validations: self == oldSelf: Cannot change principalName after creation	false

LHPrincipal.spec.lhCluster

^{^{↩ Parent}}

Specifies the LittleHorse Cluster

Name	Type	Description	Required
lhClusterRef	object	Specifies a LittleHorse Cluster managed by the same Operator	true

LHPrincipal.spec.lhCluster.lhClusterRef

^{^{↩ Parent}}

Specifies a LittleHorse Cluster managed by the same Operator

Name

Type

Description

Required

name

string

Specifies a the name of the LittleHorse Cluster

Validations:

self == oldSelf: name is immutable

true

LHPrincipal.spec.globalACLs[index]

^{^{↩ Parent}}

Name	Type	Description	Required
actions	[]string		false
resource	string		false

LHPrincipal.spec.perTenantACLs[index]

^{^{↩ Parent}}

Name	Type	Description	Required
acls	[]object		false
tenant	string		false

LHPrincipal.spec.perTenantACLs[index].acls[index]

^{^{↩ Parent}}

Name	Type	Description	Required
actions	[]string		false
resource	string		false

LHPrincipal.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
isCreated	boolean	DEPRECATED. Please check the for an Available condition instead. Whether the Principal has been created in the LH Server	false
lhCluster	string	The LHCluster that the `Principal` belongs to	false
observedGeneration	integer		false
principalId	string	The ID of the created `Principal` in the LHCluster.	false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHPrincipal.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHQuota

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHQuota	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHQuota.spec

^{^{↩ Parent}}

Name	Type	Description	Required
lhCluster	object	Specifies the LittleHorse Cluster	true
quotas	object	The quota limits to enforce in the LittleHorse Cluster.	true
tenantName	string	The name of the Tenant governed by this quota. Validations: self == oldSelf: Cannot change tenantName after creation	true
principalName	string	The name of the Principal governed by this quota. If omitted, the quota applies to all Principals in the Tenant. Validations: self == oldSelf: Cannot change principalName after creation	false

LHQuota.spec.lhCluster

^{^{↩ Parent}}

Specifies the LittleHorse Cluster

Name	Type	Description	Required
lhClusterRef	object	Specifies a LittleHorse Cluster managed by the same Operator	true

LHQuota.spec.lhCluster.lhClusterRef

^{^{↩ Parent}}

Specifies a LittleHorse Cluster managed by the same Operator

Name

Type

Description

Required

name

string

Specifies a the name of the LittleHorse Cluster

Validations:

self == oldSelf: name is immutable

true

LHQuota.spec.quotas

^{^{↩ Parent}}

The quota limits to enforce in the LittleHorse Cluster.

Name	Type	Description	Required
writeRequestsPerSecond	integer	The maximum number of mutating unary gRPC requests allowed per second.	true

LHQuota.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
lhCluster	string	The LHCluster that the Quota belongs to	false
observedGeneration	integer		false
principalId	string	The Principal governed by the Quota in the LHCluster, if any.	false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
tenantId	string	The Tenant governed by the Quota in the LHCluster.	false

LHQuota.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHTenant

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHTenant	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHTenant.spec

^{^{↩ Parent}}

Name	Type	Description	Required
lhCluster	object	Specifies the LittleHorse Cluster	true
defaultLabels	map[string]string	Labels to place on all dependent resources of the `LHTenant`.	false
outputTopic	object	Specifies the configuration of the tenant output topic to export data in real-time	false
tenantName	string	Name of the `Tenant` in LittleHorse. If not provided, inferred from LHTenant name.	false

LHTenant.spec.lhCluster

^{^{↩ Parent}}

Specifies the LittleHorse Cluster

Name	Type	Description	Required
lhClusterRef	object	Specifies a LittleHorse Cluster managed by the same Operator	true

LHTenant.spec.lhCluster.lhClusterRef

^{^{↩ Parent}}

Specifies a LittleHorse Cluster managed by the same Operator

Name

Type

Description

Required

name

string

Specifies a the name of the LittleHorse Cluster

Validations:

self == oldSelf: name is immutable

true

LHTenant.spec.outputTopic

^{^{↩ Parent}}

Specifies the configuration of the tenant output topic to export data in real-time

Name Type Description Required

executionTopic

object

Enables the automatic creation of the execution output topic using KafkaTopic from Strimzi. The cleanup.policy of this topic will always be delete. This only works when Strimzi is enabled and the LHCluster is connected to Kafka using strimziClusterRef or lhKafkaRef

false

metadataTopic

object

Enables the automatic creation of the metadata output topic using KafkaTopic from Strimzi. The cleanup.policy of this topic will always be delete and the partition number will always be 1. This only works when Strimzi is enabled and the LHCluster is connected to Kafka using strimziClusterRef or lhKafkaRef

false

recordingLevel

enum

Configure default recording level of Output Topic events. Possible options are: ALL_ENTITY_EVENTS (all updates for entities from all WfSpecs, TaskDefs, WorkflowEventDefs, UserTaskDefs, and ExternalEventDefs are sent to the output topic) and NO_ENTITY_EVENTS (no events are sent to the output topic)

Enum: ALL_ENTITY_EVENTS, NO_ENTITY_EVENTS
Default: NO_ENTITY_EVENTS

false

LHTenant.spec.outputTopic.executionTopic

^{^{↩ Parent}}

Name

Type

Description

Required

configs

map[string]string

Map to override topic configurations. The cleanup.policy is not overridable and will always be delete

false

partitions

integer

Number of partitions for the topic. Defaults to 12

Default: 12

false

replicas

integer

Number of replicas for the topic. If not set defaults to the broke configuration

false

LHTenant.spec.outputTopic.metadataTopic

^{^{↩ Parent}}

Name	Type	Description	Required
configs	map[string]string	Map to override topic configurations. The cleanup.policy is not overridable and will always be delete	false
replicas	integer	Number of replicas for the topic. If not set defaults to the broke configuration	false

LHTenant.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
isCreated	boolean	DEPRECATED. Please check for a Available condition instead. Whether the `Tenant` has been successfully created in the LH Cluster	false
lhCluster	string	The LHCluster that the Tenant belongs to	false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
tenantId	string	The ID of the created `Tenant` in the LHCluster.	false

LHTenant.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHUserTasksBridgeBackend

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHUserTasksBridgeBackend	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHUserTasksBridgeBackend.spec

^{^{↩ Parent}}

Name	Type	Description	Required
lhCluster	object	Configurations for the UTB Backend connection with the LH Kernel	true
replicas	integer	The number of LH UserTasksBridge Backend pods to deploy. A minimum of 1 is required Minimum: 1	true
defaultLabels	map[string]string	Labels to place on all dependent resources of the `LHUserTasksBridgeBackend`.	false
image	string	Image to use for LH UserTasksBridge Backend. If not set defaults to ghcr.io/littlehorse-enterprises/lh-user-tasks-bridge-backend:0.16.0 Default: ghcr.io/littlehorse-enterprises/lh-user-tasks-bridge-backend:0.16.0	false
imagePullPolicy	enum	Image pull policy for LH UserTasksBridge Backend pods Enum: Always, IfNotPresent, Never	false
infrastructure	object		false
resources	object	Configures compute resources for the UTB Backend pods.	false
tls	object	Certificate to encrypt/decrypt the network traffic. The secret should contain tls.crt and tls.key keys. Enables HTTPS.	false

LHUserTasksBridgeBackend.spec.lhCluster

^{^{↩ Parent}}

Configurations for the UTB Backend connection with the LH Kernel

Name	Type	Description	Required
externalClusterRef	object	Specifies a LittleHorse Cluster that might be managed by the same Operator or not	true

LHUserTasksBridgeBackend.spec.lhCluster.externalClusterRef

^{^{↩ Parent}}

Specifies a LittleHorse Cluster that might be managed by the same Operator or not

Name	Type	Description	Required
host	string	The LH Kernel host	true
caCert	object	Specifies the custom CA cert to use to communicate with the LH Kernel. Useful when using self-signed certificates	false
oauth	object	Specifies the OAuth configuration to authenticate to the LH Kernel. If not provided, then the communication is unauthenticated	false
port	integer	The LH Kernel host Default: 2023	false
protocol	enum	Specifies the protocol to communicate with the LH Kernel. Possible values are TLS and PLAINTEXT. Defaults to PLAINTEXT when null or to TLS when a caCert is provided Enum: PLAINTEXT, TLS Default: PLAINTEXT	false

LHUserTasksBridgeBackend.spec.lhCluster.externalClusterRef.caCert

^{^{↩ Parent}}

Specifies the custom CA cert to use to communicate with the LH Kernel. Useful when using self-signed certificates

Name	Type	Description	Required
secretRef	object	Specifies a secret that should contain a ca.crt key	true

LHUserTasksBridgeBackend.spec.lhCluster.externalClusterRef.caCert.secretRef

^{^{↩ Parent}}

Specifies a secret that should contain a ca.crt key

Name	Type	Description	Required
name	string		true

LHUserTasksBridgeBackend.spec.lhCluster.externalClusterRef.oauth

^{^{↩ Parent}}

Specifies the OAuth configuration to authenticate to the LH Kernel. If not provided, then the communication is unauthenticated

Name	Type	Description	Required
accessTokenUrl	string	URL of the OIDC provider access token endpoint	true
credentials	object	Configuration of the ClientId and ClientSecret for the OAuth client	true

LHUserTasksBridgeBackend.spec.lhCluster.externalClusterRef.oauth.credentials

^{^{↩ Parent}}

Configuration of the ClientId and ClientSecret for the OAuth client

Name	Type	Description	Required
secretRef	object	Reference to secret with a clientId and a clientSecret key. If those keys are not present, the deployment will fail	true

LHUserTasksBridgeBackend.spec.lhCluster.externalClusterRef.oauth.credentials.secretRef

^{^{↩ Parent}}

Reference to secret with a clientId and a clientSecret key. If those keys are not present, the deployment will fail

Name	Type	Description	Required
name	string		true

LHUserTasksBridgeBackend.spec.infrastructure

^{^{↩ Parent}}

Name	Type	Description	Required
tlsRoute	object	Specifies to create TLSRoute according to the Gateway API. Requires a listener with the 'Passthrough' TLS mode enabled.	false

LHUserTasksBridgeBackend.spec.infrastructure.tlsRoute

^{^{↩ Parent}}

Specifies to create TLSRoute according to the Gateway API. Requires a listener with the 'Passthrough' TLS mode enabled.

Name	Type	Description	Required
gatewayRef	object	Specifies the Gateway to create routes for.	true
hostname	string	The host to be added to the TLSRoute hostnames	true
annotations	map[string]string	Optional additional annotations to apply to the generated TLSRoute.	false
labels	map[string]string	Optional additional labels to apply to the generated TLSRoute.	false

LHUserTasksBridgeBackend.spec.infrastructure.tlsRoute.gatewayRef

^{^{↩ Parent}}

Specifies the Gateway to create routes for.

Name	Type	Description	Required
name	string	The name of the Gateway.	true
sectionName	string	The sectionName, usually a port name, of the referenced Gateway to attach to.	true
namespace	string	The namespace of the Gateway to attach to. Defaults to current namespace.	false

LHUserTasksBridgeBackend.spec.resources

^{^{↩ Parent}}

Configures compute resources for the UTB Backend pods.

Name	Type	Required
claims	[]object	false
limits	map[string]int or string	false
requests	map[string]int or string	false

LHUserTasksBridgeBackend.spec.resources.claims[index]

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		false
request	string		false

LHUserTasksBridgeBackend.spec.tls

^{^{↩ Parent}}

Certificate to encrypt/decrypt the network traffic. The secret should contain tls.crt and tls.key keys. Enables HTTPS.

Name	Type	Description	Required
secretRef	object	Reference to the secret that contains a tls.crt entry for the cert and a tls.key entry for the key. If tls.cert and tls.key are not present the deployment will fail	true

LHUserTasksBridgeBackend.spec.tls.secretRef

^{^{↩ Parent}}

Reference to the secret that contains a tls.crt entry for the cert and a tls.key entry for the key. If tls.cert and tls.key are not present the deployment will fail

Name	Type	Description	Required
name	string		true

LHUserTasksBridgeBackend.status

^{^{↩ Parent}}

Name	Type	Description	Required
availableProviders	[]object	List of oidc providers currently configured on the ready replicas of the backend. A provider can be configured only on one of the replicas and still appear in this list, this will happen during rolling updates	false
conditions	[]object		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHUserTasksBridgeBackend.status.availableProviders[index]

^{^{↩ Parent}}

Name	Type	Description	Required
generation	integer	Generation of the LHUserTasksBridgeOIDCProvider	true
name	string	Name of the LHUserTasksBridgeOIDCProvider	true

LHUserTasksBridgeBackend.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHUserTasksBridgeConsole

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHUserTasksBridgeConsole	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHUserTasksBridgeConsole.spec

^{^{↩ Parent}}

Name	Type	Description	Required
backend	object	The User Tasks Bridge Backend to configure	true
keycloakProvider	object		true
replicas	integer	The number of LH UserTasksBridge Console pods to deploy. A minimum of 1 is required Minimum: 1	true
callbackUrl	string	Canonical URL of the console site. Used by the Authorization Server to return the control to the Console.More information can be found here: https://authjs.dev/getting-started/deployment#auth_url	false
defaultLabels	map[string]string	Labels to place on all dependent resources of the `LHUserTasksBridgeConsole`.	false
image	string	Image to use for LH UserTasksBridge Console. If not set defaults to ghcr.io/littlehorse-enterprises/lh-user-tasks-bridge-console:0.16.0 Default: ghcr.io/littlehorse-enterprises/lh-user-tasks-bridge-console:0.16.0	false
imagePullPolicy	enum	Image pull policy for LH UserTasksBridge Console pods Enum: Always, IfNotPresent, Never	false
infrastructure	object		false
resources	object	Configures compute resources for the LH UserTasksBridge Console pods.	false
tls	object	Certificate to encrypt/decrypt the network traffic. The secret should contain tls.crt and tls.key keys. Enables HTTPS.	false

LHUserTasksBridgeConsole.spec.backend

^{^{↩ Parent}}

The User Tasks Bridge Backend to configure

Name	Type	Description	Required
externalBackendRef	object		true

LHUserTasksBridgeConsole.spec.backend.externalBackendRef

^{^{↩ Parent}}

Name	Type	Description	Required
url	string	The User Task Bridge Backend URL including port and protocol	true
caCert	object	Specifies the custom CA cert to use to communicate with the backend. Useful when using self-signed certificates	false

LHUserTasksBridgeConsole.spec.backend.externalBackendRef.caCert

^{^{↩ Parent}}

Specifies the custom CA cert to use to communicate with the backend. Useful when using self-signed certificates

Name	Type	Description	Required
secretRef	object	Specifies a secret that should contain a ca.crt key	true

LHUserTasksBridgeConsole.spec.backend.externalBackendRef.caCert.secretRef

^{^{↩ Parent}}

Specifies a secret that should contain a ca.crt key

Name	Type	Description	Required
name	string		true

LHUserTasksBridgeConsole.spec.keycloakProvider

^{^{↩ Parent}}

Name

Type

Description

Required

clientId

string

The clientId from your identity provider from which your access tokens will be generated

true

issuer

string

Identity Provider's issuer url

true

authorities

[]object

At least 1 JSON path that indicates from where the roles are going to be found within the token's claims used to differentiate between ADMIN and NON-ADMIN users. Defaults to [$.realm_access.roles, $.resource_access.*.roles]

Validations:

size(self) > 0: Should specify at least one authority

false

LHUserTasksBridgeConsole.spec.keycloakProvider.authorities[index]

^{^{↩ Parent}}

Name	Type	Description	Required
path	string	JSON path that indicates from where the roles are going to be found within the token's claims used to differentiate between ADMIN and NON-ADMIN users	true

LHUserTasksBridgeConsole.spec.infrastructure

^{^{↩ Parent}}

Name	Type	Description	Required
tlsRoute	object	Specifies to create TLSRoute according to the Gateway API. Requires a listener with the 'Passthrough' TLS mode enabled.	false

LHUserTasksBridgeConsole.spec.infrastructure.tlsRoute

^{^{↩ Parent}}

Specifies to create TLSRoute according to the Gateway API. Requires a listener with the 'Passthrough' TLS mode enabled.

Name	Type	Description	Required
gatewayRef	object	Specifies the Gateway to create routes for.	true
hostname	string	The host to be added to the TLSRoute hostnames	true
annotations	map[string]string	Optional additional annotations to apply to the generated TLSRoute.	false
labels	map[string]string	Optional additional labels to apply to the generated TLSRoute.	false

LHUserTasksBridgeConsole.spec.infrastructure.tlsRoute.gatewayRef

^{^{↩ Parent}}

Specifies the Gateway to create routes for.

Name	Type	Description	Required
name	string	The name of the Gateway.	true
sectionName	string	The sectionName, usually a port name, of the referenced Gateway to attach to.	true
namespace	string	The namespace of the Gateway to attach to. Defaults to current namespace.	false

LHUserTasksBridgeConsole.spec.resources

^{^{↩ Parent}}

Configures compute resources for the LH UserTasksBridge Console pods.

Name	Type	Required
claims	[]object	false
limits	map[string]int or string	false
requests	map[string]int or string	false

LHUserTasksBridgeConsole.spec.resources.claims[index]

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		false
request	string		false

LHUserTasksBridgeConsole.spec.tls

^{^{↩ Parent}}

Certificate to encrypt/decrypt the network traffic. The secret should contain tls.crt and tls.key keys. Enables HTTPS.

Name	Type	Description	Required
secretRef	object	Reference to the secret that contains a tls.crt entry for the cert and a tls.key entry for the key. If tls.cert and tls.key are not present the deployment will fail	true

LHUserTasksBridgeConsole.spec.tls.secretRef

^{^{↩ Parent}}

Reference to the secret that contains a tls.crt entry for the cert and a tls.key entry for the key. If tls.cert and tls.key are not present the deployment will fail

Name	Type	Description	Required
name	string		true

LHUserTasksBridgeConsole.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
deployedGenerations	[]integer	List of this oidc provider generations currently configured on the ready replicas of the backend. During a rolling update, multiple generations could be present on different backend instances	false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHUserTasksBridgeConsole.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHUserTasksBridgeOIDCProvider

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1	true
kind	string	LHUserTasksBridgeOIDCProvider	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHUserTasksBridgeOIDCProvider.spec

^{^{↩ Parent}}

Name	Type	Description	Required
backend	object	The User Tasks Bridge Backend to configure	true
clients	[]string	The client-id from your identity provider from which your access tokens will be generated. At least one clientId is required Validations: size(self) > 0: Should specify at least one clientId	true
issuer	string	Identity Provider's issuer url	true
tenant	object	The reference to the LittleHorse Kernel tenant this provider is going to access	true
authorities	[]object	At least 1 JSON path that indicates from where the roles are going to be found within the token's claims used to differentiate between ADMIN and NON-ADMIN users. Defaults to [$.realm_access.roles, $.resource_access..roles] Validations*: size(self) > 0: Should specify at least one authority	false
clientIdClaim	string	Specifies what claim should be used to fetch the corresponding client id from the access token Default: azp	false
labelName	string	Name of the identity provider to be displayed in the UI, to differentiate your identity providers configured with the same tenant	false
userIdClaim	enum	This property allows you to set what claim you want to use as userId when performing assignments. You can set 1 of the following values: EMAIL, PREFERRED_USERNAME or SUB. It defaults to EMAIL Enum: EMAIL, PREFERRED_USERNAME, SUB Default: EMAIL	false
vendor	enum	The identity provider in charge of authenticating users. For now, KEYCLOAK is the only vendor with access to all the features that this API provides. Defaults to KEYCLOAK Enum: AUTH0, KEYCLOAK, OKTA, ZITADEL	false

LHUserTasksBridgeOIDCProvider.spec.backend

^{^{↩ Parent}}

The User Tasks Bridge Backend to configure

Name	Type	Description	Required
lhUTBBackendRef	object	The reference to the LHUserTasksBridgeBackend resource	true

LHUserTasksBridgeOIDCProvider.spec.backend.lhUTBBackendRef

^{^{↩ Parent}}

The reference to the LHUserTasksBridgeBackend resource

Name

Type

Description

Required

name

string

The name of the LHUserTasksBridgeBackend resource

Validations:

self == oldSelf: Cannot change the lhUTBBackendRef.name

true

LHUserTasksBridgeOIDCProvider.spec.tenant

^{^{↩ Parent}}

The reference to the LittleHorse Kernel tenant this provider is going to access

Name	Type	Description	Required
tenantId	string	The name of the LittleHorse Kernel tenant	true

LHUserTasksBridgeOIDCProvider.spec.authorities[index]

^{^{↩ Parent}}

Name	Type	Description	Required
path	string	JSON path that indicates from where the roles are going to be found within the token's claims used to differentiate between ADMIN and NON-ADMIN users	true

LHUserTasksBridgeOIDCProvider.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
deployedGenerations	[]integer	List of this oidc provider generations currently configured on the ready replicas of the backend. During a rolling update, multiple generations could be present on different backend instances	false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHUserTasksBridgeOIDCProvider.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

Resource Types:

LHSaddle
LHSaddleTenant
LHSaddleUser

LHSaddle

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1alpha1	true
kind	string	LHSaddle	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHSaddle.spec

^{^{↩ Parent}}

Name	Type	Description	Required
realm	object		true
externalSaddleRef	object		false

LHSaddle.spec.realm

^{^{↩ Parent}}

Name

Type

Description

Required

lhKeycloakRealmRef

object

Validations:

oldSelf == null || self.name == oldSelf.name: Ref 'name' is immutable and cannot be changed once set.

true

LHSaddle.spec.realm.lhKeycloakRealmRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHSaddle.spec.externalSaddleRef

^{^{↩ Parent}}

Name	Type	Description	Required
credentials	object		true
url	string		true

LHSaddle.spec.externalSaddleRef.credentials

^{^{↩ Parent}}

Name	Type	Description	Required
secretRef	object		true

LHSaddle.spec.externalSaddleRef.credentials.secretRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHSaddle.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
connectionHash	string		false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHSaddle.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHSaddleTenant

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1alpha1	true
kind	string	LHSaddleTenant	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHSaddleTenant.spec

^{^{↩ Parent}}

Name	Type	Description	Required
saddle	object		true
tenant	object		true

LHSaddleTenant.spec.saddle

^{^{↩ Parent}}

Name

Type

Description

Required

lhSaddleRef

object

Validations:

oldSelf == null || self.name == oldSelf.name: Ref 'name' is immutable and cannot be changed once set.

true

LHSaddleTenant.spec.saddle.lhSaddleRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHSaddleTenant.spec.tenant

^{^{↩ Parent}}

Name

Type

Description

Required

tenantId

string

Validations:

self == oldSelf: tenantId is immutable once the resource has been created

!self.matches('^[0-9].*'): tenantId must not start with a digit

true

description

string

false

LHSaddleTenant.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
id	string	Saddle tenant database id	false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false

LHSaddleTenant.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

LHSaddleUser

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	littlehorse.io/v1alpha1	true
kind	string	LHSaddleUser	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

LHSaddleUser.spec

^{^{↩ Parent}}

Name	Type	Description	Required
saddleTenant	object		true
user	object		true

LHSaddleUser.spec.saddleTenant

^{^{↩ Parent}}

Name

Type

Description

Required

lhSaddleTenantRef

object

Validations:

oldSelf == null || self.name == oldSelf.name: Ref 'name' is immutable and cannot be changed once set.

true

LHSaddleUser.spec.saddleTenant.lhSaddleTenantRef

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		true

LHSaddleUser.spec.user

^{^{↩ Parent}}

Name

Type

Description

Required

email

string

Validations:

self == oldSelf: email is immutable once the resource has been created

true

enabled

boolean

Default: true

false

LHSaddleUser.status

^{^{↩ Parent}}

Name	Type	Description	Required
conditions	[]object		false
id	string	Saddle database user id	false
observedGeneration	integer		false
problems	string	DEPRECATED. Please check for a ReconciliationError condition instead.	false
status	string	Current Saddle user state. `Enabled`: the user was created and is enabled. `Disabled`: the user was created and is disabled.	false

LHSaddleUser.status.conditions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
lastTransitionTime	string	The last time the condition transitioned from one status to another. The required format is ISO 8601 'yyyy-MM-ddTHH:mm:ssZ'	true
reason	string	Reason contains a programmatic identifier indicating the reason for the condition's last transition.	true
status	enum	Status of the condition, one of True, False, Unknown. Enum: False, True, Unknown	true
type	string	Type of condition	true
message	string	A human readable message indicating details about the transition.	false

littlehorse.io/v1​

LHCanaryAggregator​

LHCanaryAggregator.spec​

LHCanaryAggregator.spec.kafka​

LHCanaryAggregator.spec.kafka.lhKafkaRef​

LHCanaryAggregator.spec.kafka.lhKafkaRef.clusterWideQuotas​

LHCanaryAggregator.spec.storage​

LHCanaryAggregator.spec.podMonitor​

LHCanaryAggregator.spec.podMonitor.metricRelabelings[index]​

LHCanaryAggregator.status​

LHCanaryAggregator.status.conditions[index]​

LHCanaryMetronome​

LHCanaryMetronome.spec​

LHCanaryMetronome.spec.aggregatorRef​

LHCanaryMetronome.spec.lhCluster​

LHCanaryMetronome.spec.lhCluster.externalClusterRef​

LHCanaryMetronome.spec.lhCluster.externalClusterRef.oauth​

LHCanaryMetronome.spec.lhCluster.externalClusterRef.oauth.credentials​

LHCanaryMetronome.spec.lhCluster.externalClusterRef.oauth.credentials.secretRef​

LHCanaryMetronome.spec.storage​

LHCanaryMetronome.status​

LHCanaryMetronome.status.conditions[index]​

LHCluster​

LHCluster.spec​

LHCluster.spec.kafka​

LHCluster.spec.kafka.externalClusterRef​

LHCluster.spec.kafka.externalClusterRef.kafkaKeyStore​

LHCluster.spec.kafka.externalClusterRef.kafkaTrustStore​

LHCluster.spec.kafka.externalClusterRef.saslJaasConfig​

LHCluster.spec.kafka.lhKafkaRef​

LHCluster.spec.kafka.lhKafkaRef.clusterWideQuotas​

LHCluster.spec.kafka.strimziClusterRef​

LHCluster.spec.kafka.strimziClusterRef.listener​

LHCluster.spec.kafka.strimziClusterRef.quotas​

LHCluster.spec.server​

LHCluster.spec.server.storage​

LHCluster.spec.server.authentication​

LHCluster.spec.server.authentication.mtls​

LHCluster.spec.server.authentication.mtls.clientCaCert​

LHCluster.spec.server.authentication.mtls.clientCaCert.secretRef​

LHCluster.spec.server.authentication.oauth​

LHCluster.spec.server.authentication.oauth.credentials​

LHCluster.spec.server.authentication.oauth.credentials.secretRef​

LHCluster.spec.server.compute​

LHCluster.spec.server.compute.burstCapacity​

LHCluster.spec.server.listeners[index]​

LHCluster.spec.server.listeners[index].advertisedListeners​

LHCluster.spec.server.listeners[index].advertisedListeners.bootstrap​

LHCluster.spec.server.listeners[index].advertisedListeners.servers[index]​

LHCluster.spec.server.listeners[index].authentication​

LHCluster.spec.server.listeners[index].infrastructure​

LHCluster.spec.server.listeners[index].infrastructure.ingress​

LHCluster.spec.server.listeners[index].infrastructure.tlsRoute​

LHCluster.spec.server.listeners[index].infrastructure.tlsRoute.gatewayRef​

LHCluster.spec.server.listeners[index].tls​

LHCluster.spec.server.listeners[index].tls.issuerRef​

LHCluster.spec.server.listeners[index].tls.secretRef​

LHCluster.spec.server.logConfigMapKeyRef​

LHCluster.spec.server.rackAwareness​

LHCluster.spec.server.tolerations[index]​

LHCluster.spec.dashboard​

LHCluster.spec.dashboard.infrastructure​

LHCluster.spec.dashboard.infrastructure.ingress​

LHCluster.spec.dashboard.infrastructure.tlsRoute​

LHCluster.spec.dashboard.infrastructure.tlsRoute.gatewayRef​

LHCluster.spec.dashboard.oauth​

LHCluster.spec.dashboard.oauth.secretRef​

LHCluster.spec.dashboard.tls​

LHCluster.spec.dashboard.tls.secretRef​

LHCluster.spec.internalComms​

LHCluster.spec.podMonitor​

LHCluster.spec.podMonitor.metricRelabelings[index]​

LHCluster.status​

LHCluster.status.clusterHealth​

LHCluster.status.clusterHealth.inProgressRestorations[index]​

LHCluster.status.clusterHealth.streamTasks[index]​

LHCluster.status.clusterHealth.streamTasks[index].activeTask​

LHCluster.status.clusterHealth.streamTasks[index].standbys[index]​

LHCluster.status.conditions[index]​

LHConnector​

littlehorse.io/v1

LHCanaryAggregator

LHCanaryAggregator.spec

LHCanaryAggregator.spec.kafka

LHCanaryAggregator.spec.kafka.lhKafkaRef

LHCanaryAggregator.spec.kafka.lhKafkaRef.clusterWideQuotas

LHCanaryAggregator.spec.storage

LHCanaryAggregator.spec.podMonitor

LHCanaryAggregator.spec.podMonitor.metricRelabelings[index]

LHCanaryAggregator.status

LHCanaryAggregator.status.conditions[index]

LHCanaryMetronome

LHCanaryMetronome.spec

LHCanaryMetronome.spec.aggregatorRef

LHCanaryMetronome.spec.lhCluster

LHCanaryMetronome.spec.lhCluster.externalClusterRef

LHCanaryMetronome.spec.lhCluster.externalClusterRef.oauth

LHCanaryMetronome.spec.lhCluster.externalClusterRef.oauth.credentials

LHCanaryMetronome.spec.lhCluster.externalClusterRef.oauth.credentials.secretRef

LHCanaryMetronome.spec.storage

LHCanaryMetronome.status

LHCanaryMetronome.status.conditions[index]

LHCluster

LHCluster.spec

LHCluster.spec.kafka

LHCluster.spec.kafka.externalClusterRef

LHCluster.spec.kafka.externalClusterRef.kafkaKeyStore

LHCluster.spec.kafka.externalClusterRef.kafkaTrustStore

LHCluster.spec.kafka.externalClusterRef.saslJaasConfig

LHCluster.spec.kafka.lhKafkaRef

LHCluster.spec.kafka.lhKafkaRef.clusterWideQuotas

LHCluster.spec.kafka.strimziClusterRef

LHCluster.spec.kafka.strimziClusterRef.listener

LHCluster.spec.kafka.strimziClusterRef.quotas

LHCluster.spec.server

LHCluster.spec.server.storage

LHCluster.spec.server.authentication

LHCluster.spec.server.authentication.mtls

LHCluster.spec.server.authentication.mtls.clientCaCert

LHCluster.spec.server.authentication.mtls.clientCaCert.secretRef

LHCluster.spec.server.authentication.oauth

LHCluster.spec.server.authentication.oauth.credentials

LHCluster.spec.server.authentication.oauth.credentials.secretRef

LHCluster.spec.server.compute

LHCluster.spec.server.compute.burstCapacity

LHCluster.spec.server.listeners[index]

LHCluster.spec.server.listeners[index].advertisedListeners

LHCluster.spec.server.listeners[index].advertisedListeners.bootstrap

LHCluster.spec.server.listeners[index].advertisedListeners.servers[index]

LHCluster.spec.server.listeners[index].authentication

LHCluster.spec.server.listeners[index].infrastructure

LHCluster.spec.server.listeners[index].infrastructure.ingress

LHCluster.spec.server.listeners[index].infrastructure.tlsRoute

LHCluster.spec.server.listeners[index].infrastructure.tlsRoute.gatewayRef

LHCluster.spec.server.listeners[index].tls

LHCluster.spec.server.listeners[index].tls.issuerRef

LHCluster.spec.server.listeners[index].tls.secretRef

LHCluster.spec.server.logConfigMapKeyRef

LHCluster.spec.server.rackAwareness

LHCluster.spec.server.tolerations[index]

LHCluster.spec.dashboard

LHCluster.spec.dashboard.infrastructure

LHCluster.spec.dashboard.infrastructure.ingress

LHCluster.spec.dashboard.infrastructure.tlsRoute

LHCluster.spec.dashboard.infrastructure.tlsRoute.gatewayRef

LHCluster.spec.dashboard.oauth

LHCluster.spec.dashboard.oauth.secretRef

LHCluster.spec.dashboard.tls

LHCluster.spec.dashboard.tls.secretRef

LHCluster.spec.internalComms

LHCluster.spec.podMonitor

LHCluster.spec.podMonitor.metricRelabelings[index]

LHCluster.status

LHCluster.status.clusterHealth

LHCluster.status.clusterHealth.inProgressRestorations[index]

LHCluster.status.clusterHealth.streamTasks[index]

LHCluster.status.clusterHealth.streamTasks[index].activeTask

LHCluster.status.clusterHealth.streamTasks[index].standbys[index]

LHCluster.status.conditions[index]

LHConnector