This page applies to Apigeeand Apigee hybrid.
View Apigee Edge
documentation.
This page is a reference for each Kubernetes resource that is supported by the Apigee Operator for Kubernetes. Unless specifically noted as Optional, all fields are required.
APIProduct
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1
|
kind
Type: |
APIProduct
|
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: APIProductSpec |
spec
defines the desired state of the APIProductSet. |
APIProductSpec
| Field | Description |
|---|---|
name
Type: |
The name of the API Product. |
approvalType
Type: |
Flag that specifies how API keys are approved to access the APIs defined by the API product.
If set to manual
, the consumer key is generated and returned as pending
.
In this case, the API keys won't work until they are explicitly approved. If set to |
description
Type: |
Description of the API product. |
displayName
Type: |
Name displayed in the UI or developer portal to developers registering for API access. |
analytics
Type: Analytics |
Defines whether analytics should be collected for operations associated with this product. |
enforcementRefs
Type: |
Array of EnforcementRef resources to apply to the API product. |
attributes
Type: |
Array of attributes that may be used to extend the default API product profile with customer-specific metadata. |
EnforcementRef
| Field | Description |
|---|---|
name
Type: |
The name of the target resource. |
kind
Type: |
APIMExtensionPolicy
|
group
Type: |
The APIGroup
for Apigee APIM Operator, which is apim.googleapis.com
. |
namespace
Type: |
(Optional) The namespace of the referent. When unspecified, the local namespace is inferred. |
Attribute
| Field | Description |
|---|---|
name
Type: |
The key of the attribute. |
value
Type: |
The value of the attribute. |
APIOperationSet
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1
|
kind
Type: |
APIOperationSet
|
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: APIOperationSetSpec |
Defines the desired state of the APIOperationSet. |
APIOperationSetSpec
| Field | Description |
|---|---|
quota
Type: Quota |
Quota definition. |
restOperations
Type: |
Array of RESTOperation definitions. |
apiProductRefs
Type: |
Array of APIProductRef resources, or references to API Products where the RESTOperations should apply. |
Quota
| Field | Description |
|---|---|
limit
Type: |
Number of request messages permitted per app by the API product for the specified interval
and timeUnit
. |
interval
Type: |
Time interval over which the number of request messages is calculated. |
timeUnit
Type: |
Time unit defined for the interval. Valid values include minute
, hour
, day
, or month
. |
RESTOperation
| Field | Description |
|---|---|
name
Type: |
The name of the of the REST operation. |
path
Type: |
In combination with methods
, path
is the HTTP path to match for a quota
and/or for an API product
. |
methods
Type: |
In combination with path
, methods
is the list (as strings
) of
applicable http methods to match for a quota
and/or for an API product
. |
APIProductRef
| Field | Description |
|---|---|
name
Type: |
The name of the target resource. |
kind
Type: |
APIProduct
|
group
Type: |
The APIGroup
for Apigee APIM Operator, which is apim.googleapis.com
. |
namespace
Type: |
(Optional) The namespace of the referent. When unspecified, the local namespace is inferred. |
APIMExtensionPolicy
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1
|
kind
Type: |
APIMExtensionPolicy |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: APIMExtensionPolicySpec |
Defines the desired state of APIMExtensionPolicy. |
APIMExtensionPolicySpec
Field
Description
apigeeEnv
(Optional) Apigee environment.
If not provided, a new environment is created and attached to all available instances.
If provided, this environment must be attached to all available instances while using an external global load balancer.
failOpen
Type:
boolean
Specifies whether or not to fail open
when the Apigee runtime is unreachable.
If set to
true
, calls to the Apigee runtime will be treated as successful even if the runtime is unreachable.timeout
Type: string
Specifies the timeout period before calls to the Apigee runtime fail, in seconds or milliseconds.
For example,
10s
.targetRef
Type: ExtensionServerRef
Identifies the Google Kubernetes Engine Gateway where the extension should be installed.
location
Type: string
Identifies the Google Cloud location where APIMExtensionPolicy is enforced.
supportedEvents
Type: List
of events
Specifies the list of extension processor events sent to Apigee. These include the following:
-
"REQUEST_HEADERS" -
"RESPONSE_HEADERS" -
"REQUEST_BODY"(Preview) -
"RESPONSE_BODY"(Preview) -
"REQUEST_TRAILERS" -
"RESPONSE_TRAILERS"
ExtensionServerRef
| Field | Description |
|---|---|
name
Type: |
The name of the target resource. |
kind
Type: |
Specifies the kind
of the target resource, for example, Gateway
or Service
. |
group
Type: |
The APIGroup
for Apigee APIM Operator, which is apim.googleapis.com
. |
namespace
Type: |
(Optional) The namespace of the referent. When unspecified, the local namespace is inferred. |
ApigeeGatewayPolicy
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1 |
kind
Type: |
ApigeeGatewayPolicy |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: ApigeeGatewayPolicySpec |
Defines the desired state of ApigeeGatewayPolicy. |
ApigeeGatewayPolicySpec
| Field | Description |
|---|---|
ref
Type: ExtensionServerRef |
Refers to the APIM template created to govern the policies applied to the GKE Gateway. |
targetRef
Type: ExtensionServerRef |
Refers to the APIM extension policy that should apply this specific Gateway policy. Indirectly refers to the GKE Gateway. |
serviceAccount
|
(Optional) Specifies the service account used to generate Google auth tokens in an Apigee ProApigee proxy. |
ApimTemplate
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1 |
kind
Type: |
ApimTemplate |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: ApimTemplateSpec |
Defines the desired state of ApimTemplate. |
ApimTemplateSpec
| Field | Description |
|---|---|
templates
Type: |
A list of ApimTemplateFlow resources that specify the policies that are to be executed in the request flow. |
apimTemplateRule
Type: ExtensionServerRef |
Specifies the APIM template rule that should be used to validate the applied policies. |
ApimTemplateFlow
| Field | Description |
|---|---|
policies
Type: |
A list of ConditionalParameterReference resources that specify the ordered list of policies to be executed as part of the request flow. |
condition
Type: |
Specifies the conditions for executing this resource. |
ConditionalParameterReference
| Field | Description |
|---|---|
condition
|
Specifies the conditions for executing this resource. |
ApimTemplateRule
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1 |
kind
Type: |
ApimTemplateRule |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: ApimTemplateRuleSpec |
Defines the desired state of ApimTemplateRule. |
ApimTemplateRuleSpec
| Field | Description |
|---|---|
requiredList
|
The list of policies (as strings
) that must
be present in the ApimTemplate. |
denyList
|
The list of policies (as strings
) that should not
be present in the ApimTemplate. |
allowList
|
The list of policies (as strings
) that may
be present in the ApimTemplate but are not required. |
override
Type: |
Overrides updates to the APIM template rule in the event that APIM templates using the rule exist.
Valid values are true
or false
. |
AssignMessage (Google token injection)
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1 |
kind
Type: |
AssignMessage |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: AssignMessageBean |
Defines the desired state of the AssignMessage policy. |
AssignMessageBean
| Field | Description |
|---|---|
setActions
Type: |
Array of SetActionsBean
objects. Replaces values of existing properties on the request or response,
as specified by the AssignTo
element. If the headers or parameters are already present in the original message, |
AssignTo
Type: AssignToBean |
Specifies which message the AssignMessage policy operates on. Options include the request, the response, or a new custom message. |
SetActionsBean
| Field | Description |
|---|---|
Authentication
Type: AuthenticationBean |
Generates Google OAuth 2.0 or OpenID Connect tokens to make authenticated calls to Google services or custom services running on certain Google Cloud products, such as Cloud Run functions and Cloud Run. |
AuthenticationBean
| Field | Description |
|---|---|
GoogleAccessToken
Type: GoogleAccessTokenBean |
Generates Google OAuth 2.0 tokens to make authenticated calls to Google services. |
GoogleIDToken
Type: GoogleIDTokenBean |
Configuration to generate an OpenID Connect Token to authenticate the target request. |
headerName
Type: |
By default, when an Authentication configuration is present, Apigee generates
a bearer token and injects it into the Authorization header of the message sent to the target system.
The headerName
element allows you to specify the name of a different
header
to hold the bearer token. |
GoogleAccessTokenBean
| Field | Description |
|---|---|
scopes
Type: |
Array of strings
that specifies a valid Google API scope. For more information, see OAuth 2.0 Scopes for Google APIs
. |
LifetimeInSeconds
Type: |
Specifies the lifetime duration of the access token in seconds. |
GoogleIDTokenBean
| Field | Description |
|---|---|
Audience
Type: AudienceBean |
The audience for the generated authentication token, such as the API or service account granted access by the token. |
IncludeEmail
Type: |
If set to true
, the generated authentication token will contain the service account email
and email_verified
claims. |
AudienceBean
| Field | Description |
|---|---|
useTargetHost
Type: |
If the value of Audience
is empty or the ref
variable does not resolve to a valid value, and useTargetUrl
is true
, then the URL of the target (excluding any query parameters) is used as the audience. |
useTargetUrl
Type: |
By default, useTargetUrl
is false
. |
AssignToBean
| Field | Description |
|---|---|
createNew
Type: |
Determines whether the policy creates a new message when assigning values. If set to true
, the policy creates a new message. |
type
Type: |
Specifies the type of the new message, when CreateNew
is set to true
true.
Valid values are request
or response
. |
Javascript
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1 |
kind
Type: |
JavaScript |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: JavascriptBean |
Defines the desired state of the JavaScript policy. |
JavascriptBean
| Field | Description |
|---|---|
mode
Type: |
Array of strings
that specifies ProxyRequest
or ProxyResponse
. Determines whether the policy is
attached to the request flow or response flow. |
source
Type: |
Inline JavaScript code. |
timeLimit
Type: |
Specifies the timeout for JavaScript code execution. |
KVM
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1 |
kind
Type: |
KVM |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
|
Defines the desired state of the KVM policy. |
KeyValueMapOperationsBean
| Field | Description |
|---|---|
MapName
Type: |
Enables the policy to identify which KVM to use dynamically, at runtime. For more information, see MapName element . |
expiryTimeInSecs
Type: |
Specifies the duration in seconds after which Apigee refreshes its cached value from the specified KVM. For more information, see ExpiryTimeInSecs element . |
initialEntries
Type: |
Seed values for KVMs, which are populated in the KVM when it is initialized. For more information, see InitialEntries element . |
delete
Type: |
Deletes the specified key/value pair from the KVM. For more information, see Delete element . |
get
Type: |
Retrieves the value of a key from the KVM. For more information, see Get element . |
OASValidation
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1 |
kind
Type: |
OASValidation |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: OASValidationBean |
Defines the desired state of the OASValidation policy. |
status
Type: ApimResourceStatus |
Shows the OASValidation policy status. |
OASValidationBean
| Field | Description |
|---|---|
openApiSpec
Type: |
Specifies the OpenAPI spec in yaml
to be validated. Because this is a multiline yaml
fragment, use the "|" delimiter. |
source
Type: |
One of message
, request
, or response
. When set to request
,
it will evaluate inbound requests from client apps; when set to response
, it will
evaluate responses from target servers. When set to message
, it will automatically evaluate request
or response depending on whether the policy is attached to the request or response flow. |
options
Type: |
See OASValidationOptions /td> |
OASValidationOptions
| Field | Description |
|---|---|
validateMessageBody
Type: |
Specifies whether the policy should validate the message body against the operation's request
body schema in the OpenAPI Specification. Set to true
to validate the message body contents. Set
to false
to validate only that the message body exists. |
allowUnspecifiedParameters
Type: |
See StrictOptions |
StrictOptions
| Field | Description |
|---|---|
header
Type: |
To allow header parameters to be specified in the request that are not defined in the OpenAPI Specification, set this parameter to true
.
Otherwise, set this parameter to false
to cause policy execution to fail. |
query
Type: |
To allow query parameters to be specified in the request that are not defined in the OpenAPI Specification,
set this parameter to true
. Otherwise, set this parameter to false
to cause policy execution to fail. |
cookie
Type: |
To allow cookie parameters to be specified in the request that are not defined in the OpenAPI Specification,
set this parameter to true
. Otherwise, set this parameter to false
to cause policy execution to fail. |
ApimResourceStatus
Field
Description
currentState
Type: enum
Shows the current state of the resource:
-
RUNNING= resource is in running state. -
CREATING= resource is being created -
CREATED= resource has been created -
UPDATING= resource is being updated -
DELETING= resource is being deleted -
CREATE_UPDATE_FAILED= create or update operation failed -
DELETE_FAILED= delete operation failed
errorMessage
Type: string
Error message related to one of the failure states of
currentState
field.operationResult
Type: string
A response string from one of the long running operations related to resource creation, update, or deletion.
ServiceCallout
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1 |
kind
Type: |
ServiceCallout |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: ServiceCalloutBean |
Defines the desired state of the ServiceCallout policy. |
status
Type: ApimResourceStatus |
Shows the ServiceCallout policy status. |
ServiceCalloutBean
| Field | Description |
|---|---|
httpTargetConnection
Type: |
Provides transport details such as URL, TLS/SSL, and HTTP properties. |
request
Type: CalloutRequest |
Specifies the variable containing the request message that gets sent from the API proxy to the other service. |
Response
Type: |
Specifies the variable containing the response message that gets returned to the API proxy from the external service. |
HttpTargetConnection
| Field | Description |
|---|---|
url
Type: |
The URL of the target service. |
properties
Type: |
HTTP transport properties to the backend service. For more information, see Endpoint properties reference . |
timeout
Type: |
The timeout in milliseconds for the service callout. For more information, see timeout . |
CalloutRequest
| Field | Description |
|---|---|
url
Type: |
The URL of the target service. |
properties
Type: |
HTTP transport properties to the backend service. For more information, see Endpoint properties reference . |
SpikeArrest
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1 |
kind
Type: |
SpikeArrest |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: SpikeArrestBean |
Defines the desired state of the SpikeArrest policy. |
SpikeArrestBean
| Field | Description |
|---|---|
mode
Type: |
Array of strings
that specifies ProxyRequest
or ProxyResponse
. Determines whether the policy is
attached to the request flow or response flow. |
peakMessageRate
Type: peakMessageRate |
Specifies the message rate for SpikeArrest. |
useEffectiveCount
Type: |
If set to true
true, SpikeArrest is distributed in a region, with
request counts synchronized across Apigee message processors (MPs) in a region. If set to |
peakMessageRate
| Field | Description |
|---|---|
ref
Type: |
Variable referencing the rate
value. |
value
Type: |
Actual rate
value if a reference is not available. |
GenerateJWT
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1 |
kind
Type: |
GenerateJWT |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: GenerateJWTBean |
Defines the desired state of the GenerateJWT policy. |
status
Type: ApimResourceStatus |
Shows the GenerateJWT policy status. |
GenerateJWTBean
| Field | Description |
|---|---|
subject
Type: PropertyBean |
Identifies the principal that is the subject of the JWT. For more information, see Subject element . |
issuer
Type: PropertyBean |
Identifies the principal that issued the JWT. For more information, see Issuer element . |
audience
Type: VarArrayBean |
Identifies the recipients that the JWT is intended for. For more information, see Audience element . |
id
Type: PropertyBean |
Specifies a unique identifier for the JWT. For more information, see Id element . |
expiresIn
Type: PropertyBean |
Specifies the expiration time for the JWT. For more information, see ExpiresIn element . |
notBefore
Type: PropertyBean |
Identifies the time before which the JWT must not be accepted for processing. For more information, see NotBefore element . |
additionalClaims
Type: AdditionalClaimsBean |
Specifies additional claims to include in the JWT. For more information, see AdditionalClaims element . |
compress
Type: |
Specifies whether to compress the JWT payload. For more information, see Compress element . |
PropertyBean
| Field | Description |
|---|---|
value
Type: |
The literal value of the property. |
ref
Type: |
A reference to a variable containing the value of the property. |
VarArrayBean
| Field | Description |
|---|---|
values
Type: |
An array of literal string values. |
ref
Type: |
A reference to a variable containing the array of values. |
AdditionalClaimsBean
| Field | Description |
|---|---|
claims
Type: |
A map of claim names to claim values. |
ref
Type: |
A reference to a variable containing the claims map. |
OAuthV2
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1 |
kind
Type: |
OAuthV2 |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: OAuthV2Bean |
Defines the desired state of the OAuthV2 policy. |
status
Type: ApimResourceStatus |
Shows the OAuthV2 policy status. |
OAuthV2Bean
Field
Description
operation
Type: enum
The OAuthV2 operation to perform. Valid values are:
-
GenerateAuthorizationCode -
GenerateAccessToken -
GenerateAccessTokenImplicitGrant -
GenerateJWTAccessTokenImplicitGrant -
GenerateJWTAccessToken -
RefreshAccessToken -
RefreshJWTAccessToken -
VerifyAccessToken -
VerifyJWTAccessToken -
ValidateToken -
InvalidateToken
configRef
Type: string
(Optional) Reference to an
OAuthV2Config
custom resource name containing reusable OAuthV2 settings.scope
Type: string
generateResponse
Type: GenerateResponse
generateErrorResponse
Type: GenerateErrorResponse
expiresIn
Type: PropertyExpiryBean
refreshTokenExpiresIn
Type: PropertyExpiryBean
supportedGrantTypes
Type: array
of string
redirectURI
Type: string
The redirect URI used in the authorization code grant type. For more information, see RedirectUri element
.
responseType
Type: string
The response type for the authorization code grant type. For more information, see ResponseType element
.
clientID
Type: string
state
Type: string
The state parameter for the authorization code grant type. For more information, see State element
.
appEndUser
Type: string
code
Type: string
userName
Type: string
password
Type: string
grantType
Type: string
refreshToken
Type: string
accessToken
Type: string
cacheExpiryInSeconds
Type: PropertyExpiryBean
verifyAccessTokenPrefix
Type: string
(Optional) Prefix to use when verifying an access token.
externalAuthorization
Type: boolean
Indicates whether to use an external authorization service. For more information, see ExternalAuthorization element
.
reuseRefreshToken
Type: boolean
rfcCompliance
Type: boolean
enforceStrictCallbackURIEnforced
Type: boolean
(Optional) Enforces strict callback URI matching.
customAttributes
Type: array
of CustomAttribute
externalAccessToken
Type: string
externalRefreshToken
Type: string
storeToken
Type: string
tokens
Type: array
of Token
algorithm
Type: string
secretKey
Type: SecretKey
privateKey
Type: PrivateKey
publicKey
Type: PublicKey
GenerateResponse
| Field | Description |
|---|---|
enabled
Type: |
If set to true
or if the enabled attribute is omitted, the policy generates and returns a response. |
format
Type: |
One of XML
, FORM_PARAM
. |
GenerateErrorResponse
| Field | Description |
|---|---|
enabled
Type: |
If set to true
or if the enabled attribute is omitted, the policy generates and returns a response. |
format
Type: |
One of XML
, FORM_PARAM
. |
realm
Type: PropertyBean |
The realm to return in the WWW-Authenticate
header. |
PropertyExpiryBean
| Field | Description |
|---|---|
value
Type: |
The literal value of the expiration. |
ref
Type: |
A reference to a variable containing the expiration value. |
CustomAttribute
| Field | Description |
|---|---|
name
Type: |
The name of the custom attribute. |
ref
Type: |
A reference to a variable containing the attribute value. |
value
Type: |
The literal value of the attribute. |
SecretKey
| Field | Description |
|---|---|
value
Type: PropertyBean |
Specifies the secret key used to sign the JWT. For more information, see SecretKey element . |
PrivateKey
| Field | Description |
|---|---|
value
Type: PropertyBean |
Specifies the private key used to sign the JWT. For more information, see PrivateKey element . |
PublicKey
| Field | Description |
|---|---|
value
Type: PropertyBean |
Specifies the public key used to verify the JWT. For more information, see PublicKey element . |
ResponseCache Policy
| Field | Description |
|---|---|
apiVersion
Type: |
apim.googleapis.com/v1 |
kind
Type: |
ResponseCache |
metadata
|
Refer to the Kubernetes API documentation for the fields available in metadata
. |
spec
Type: APIExtensionPolicySpec |
Defines the desired state of ResponseCache. |
ResponseCacheBean
| Field | Description |
|---|---|
mode
Type: |
Specifies ProxyRequest
or ProxyResponse
. Determines whether the policy is
attached to the request flow or response flow. |
cacheExpiry
Type: cacheExpiry |
Provides the cacheExpiry object. |
cacheKey
Type: cacheKey |
Provides the cacheKey object. |
cacheLookupTimeOut
type: |
Specifies the cache look up timeout period. |
cacheResourceRef
type: |
Specifies the cache resource identifier using a variable reference. |
excludeErrorResponse
type: |
This policy can cache HTTP responses with any
status code. That means both success and
error responses can be cached, including 2xx
and 3xx
status codes. |
skipCacheLookupCondition
type: |
Defines an expression that, if it evaluates to true
at runtime, specifies that cache lookup should be skipped and the cache should be refreshed |
skipCachePopulationCondition
type: |
Defines an expression that, if it evaluates to true
at runtime, specifies that cache lookup should be skipped and the cache should be refreshed
at runtime, specifies that a write to the cache should be skipped. |
useAcceptHeader
type: |
Set to true
to append values from response Accept
headers to the response cache entry's cache key. |
useResponseCacheHeaders
type: |
Set to true
to have HTTP response headers considered when setting the "time to live" (TTL) of the response in the cache. |
cacheExpiry
| Field | Description |
|---|---|
expiryDate
Type: |
Specifies the date on which a cache entry should expire. |
timeOfDay
Type: |
Specifies the time of day at which a cache entry should expire. |
timeoutInSeconds
Type: |
Specifies the number of seconds after which a cache entry should expire. |
cacheKey
| Field | Description |
|---|---|
cacheKeyPrefix
Type: |
Specifies a value to use as a cache key prefix. |
fragments
Type: |
Specifies a value to be included in the cache key to create a namespace for matching requests to cached responses. |
