Private Ingress
PrivateIngress
Defines the high-level intent for an internal-only entry point to services.
Manages private traffic within the organization's network, translating intent into internal load balancers and network endpoints. This facilitates secure cross-project connectivity and service discovery within the private VPC infrastructure without public exposure.
| Property | Type | Description |
|---|---|---|
| apiVersion | string | |
| kind | string | |
| metadata | map | |
| spec | Spec | |
Spec
Contains the user-defined configuration for the private ingress. Encapsulates load balancing topology, regional placement, authorization database dependencies, and the cross-project access controls underpinning the Hub and Spoke network model.
| Property | Type | Description |
|---|---|---|
| description | string | This description is optional but will drastically improve the AI assistant's understanding of the structural elements of the organization. |
| authorizationDatabase | string | The name of the Database manifest to use for storing authorization policies. |
| region | string | The GCP region where the ingress gateway's compute resources will be deployed. |
| config | Config | Advanced configuration for the ingress gateway's behavior. |
| authorizedProjects | list of SourceProjectReference | A list of source projects that will be granted access to this PrivateIngress. Source projects are granted access to the ingress gateway through the Hub and Spoke network model. |
| domain | string | A custom domain for this private ingress. If provided, this overrides the system-generated internal domain. When set, a managed TLS certificate will be provisioned for this domain. The user is responsible for configuring DNS resolution for this domain to point to the internal load balancer's IP address. If not set, the domain defaults to '{metadata.name}.{project.computed.domain.internal}'. |
Config
| Property | Type | Description |
|---|---|---|
| timeoutSec | int64 | The overall request timeout in seconds for the backend service. |
| connectionDrainingTimeoutSec | int64 | The time, in seconds, to wait for connections to drain before shutting down a backend instance. Dictates the connection draining timeout for the backend service resources associated with this ingress. |
| customRequestHeaders | list of string | A list of custom headers to add to requests forwarded to backends. |
| customResponseHeaders | list of string | A list of custom headers to add to responses sent to clients. |
| loadBalancing | LoadBalancing | Defines the load balancing policy for the gateway's backend services. |
LoadBalancing
| Property | Type | Description |
|---|---|---|
| balancingMode | string | The load balancing algorithm to use. |
| capacityScaler | double | A value between 0.0 and 1.0 that scales the capacity of the backend service. |
| description | string | A description for the load balancing policy. |
| maxConnections | int64 | The maximum number of connections per instance. |
| maxRate | int64 | The maximum requests per second per instance. |
| maxUtilization | double | The maximum CPU utilization of an instance. |
SourceProjectReference
Fully qualified reference to a specific Project manifest.
Specifies the environment and OU coordinate of the intended project, needed since projects aren't globally unique by name alone.
| Property | Type | Description |
|---|---|---|
| name | string | The 'metadata.name' of the target 'Project' manifest being referenced. |
| environment | string | The 'metadata.name' of the 'Environment' manifest that is the parent of the target project. If omitted, it defaults to the current 'Environment'. |
| organizationalUnit | string | The 'metadata.name' of the 'OrganizationalUnit' manifest that is the parent of the target environment. If omitted, it defaults to the current 'OrganizationalUnit'. |
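The following is an added example, not code from the platform: a small review helper that applies the defaulting rules documented above to a parsed PrivateIngress manifest, so a reviewer can see exactly which projects `authorizedProjects` grants access to and which domain will be served. The function names, the sample manifest, and the `project_internal_domain` parameter (standing in for `project.computed.domain.internal`) are assumptions, as is treating `name` as mandatory and flagging projects from another Environment or OrganizationalUnit.

```python
# Added example: review helper for a parsed PrivateIngress manifest (plain dicts).

def resolve_authorized_projects(manifest, current_env, current_ou):
    """Expand each SourceProjectReference to (OU, environment, name),
    applying the documented defaults for omitted fields."""
    return [
        (ref.get("organizationalUnit") or current_ou,
         ref.get("environment") or current_env,
         ref["name"])  # assumption: 'name' is always present
        for ref in manifest["spec"].get("authorizedProjects", [])
    ]

def effective_domain(manifest, project_internal_domain):
    """Return (domain, is_custom). project_internal_domain is an assumed
    stand-in for project.computed.domain.internal."""
    custom = manifest["spec"].get("domain")
    if custom:
        return custom, True
    return f"{manifest['metadata']['name']}.{project_internal_domain}", False

def review(manifest, current_env, current_ou, project_internal_domain):
    findings = []
    projects = resolve_authorized_projects(manifest, current_env, current_ou)
    # Two references that resolve to the same project only differ in spelling.
    for p in sorted({p for p in projects if projects.count(p) > 1}):
        findings.append("duplicate authorized project: " + "/".join(p))
    # Reviewer's choice: surface grants that cross an Environment or OU boundary.
    for ou, env, name in sorted(set(projects)):
        if (ou, env) != (current_ou, current_env):
            findings.append(f"access from outside {current_ou}/{current_env}: {ou}/{env}/{name}")
    lb = manifest["spec"].get("config", {}).get("loadBalancing", {})
    scaler = lb.get("capacityScaler")
    if scaler is not None and not 0.0 <= scaler <= 1.0:
        findings.append(f"capacityScaler {scaler} is outside 0.0..1.0")
    domain, is_custom = effective_domain(manifest, project_internal_domain)
    if is_custom:
        findings.append(f"custom domain {domain}: user-managed DNS must resolve to the internal LB")
    return projects, findings

SAMPLE = {  # constructed manifest, already parsed
    "kind": "PrivateIngress",
    "metadata": {"name": "orders-api"},
    "spec": {"authorizedProjects": [
                 {"name": "checkout"},
                 {"name": "checkout", "environment": "prod", "organizationalUnit": "retail"},
                 {"name": "reporting", "environment": "staging"}],
             "config": {"loadBalancing": {"capacityScaler": 1.5}}},
}
```

Calling `review(SAMPLE, "prod", "retail", "corp.internal.example")` returns the resolved project triples together with the findings list.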