Public Ingress
PublicIngress
Defines the high-level intent for a publicly accessible entry point to platform services.
Translates into external load balancing infrastructure, automated SSL/TLS certificate provisioning, and DNS zone configurations. Serves as the aggregation layer for Identity-Aware Proxy (IAP) integration and centralized authorization policy enforcement.
| Property | Type | Description |
|---|---|---|
| apiVersion | string | API version of the manifest schema. |
| kind | string | Always 'PublicIngress'. |
| metadata | map | Manifest metadata. 'metadata.name' is also used to derive the names of the authorization Cloud Run services (see Authorization). |
| spec | Spec | User-defined configuration for the ingress (see Spec). |
Authorization
| Property | Type | Description |
|---|---|---|
| backendService | string | The self-link of the backend service for the authorization extension Cloud Run service. This service is conventionally named based on this 'PublicIngress' manifest's 'metadata.name' (e.g., '<name>-authz-ext'). |
| accessRules | ComputedAuthorizationAccess | This block is an aggregation of all 'spec.authorization.rules' from all child 'HttpRoute' and 'GrpcRoute' manifests associated with this ingress. |
LoadBalancerEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | ComputedLoadBalancerHost | |
Spec
Contains the user-defined configuration for the public ingress. Encapsulates load balancing topology, custom domain bindings, identity provider configuration, access control matrices, and authorization database linkage.
| Property | Type | Description |
|---|---|---|
| description | string | Optional, but significantly improves the AI assistant's understanding of the organization's structural elements. |
| region | string | The primary GCP region for all assets created by this manifest. If this value is not specified, it will be inherited from the parent Project, Environment, or Organization manifest. The final, resolved region will be shown in the 'computed.region' field. |
| domain | string | A custom, user-owned domain for this ingress. When set, it replaces the system-generated default as the base of 'computed.domain' and of the hostnames in child HTTP and gRPC routes, and causes a managed DNS zone to be created for it. The platform configures the zone and all necessary records, but the domain will not resolve until you manually update the NS (Name Server) records at your DNS provider/registrar to point at the name servers of the created zone. |
| identityProviderApplication | IdentityProviderConfig | Configuration for the Identity Provider (IDP) that will be used to secure access to this ingress. If omitted, default configuration will be used. |
| iapPermissions | DetailedAccessPermissions | Defines the users and groups who are allowed to access applications behind this ingress when IAP (Identity-Aware Proxy) is enabled. Translates into identity-aware access bindings for the backend service that has IAP enabled. |
| authorizationDatabase | string | The name of the 'Database' manifest within the same project to use for storing fine-grained authorization policies. Setting this value enables the authorization service and triggers the creation of two additional Cloud Run services: 1. Authorization Extension ('-authz-ext'): A read-only gRPC service that acts as the external authorizer for the ingress, checking incoming requests against the policies in the database. 2. Authorization Service ('-authz-svc'): A read-write service based on Ory Keto that allows other applications within the project to manage authorization policies in the database. It also runs a one-time migration job to set up the database schema. |
| config | Config | Advanced configuration for the ingress gateway's behavior. |
Config
| Property | Type | Description |
|---|---|---|
| timeoutSec | int64 | The overall request timeout in seconds for the backend service. |
| connectionDrainingTimeoutSec | int64 | The time, in seconds, to wait for connections to drain before shutting down a backend instance. Dictates the connection draining timeout for the backend service resources associated with this ingress. |
| customRequestHeaders | list of string | A list of custom headers to add to requests forwarded to backends. |
| customResponseHeaders | list of string | A list of custom headers to add to responses sent to clients. |
| loadBalancing | LoadBalancing | Defines the load balancing policy for the gateway's backend services. |
LoadBalancing
| Property | Type | Description |
|---|---|---|
| balancingMode | string | The balancing mode applied to the associated backend services. It determines how backend capacity is measured (by utilization, request rate or connection count) and therefore which of 'maxUtilization', 'maxRate' or 'maxConnections' is the operative limit. |
| capacityScaler | double | A value between 0.0 and 1.0 that scales the capacity of the associated backend services. 1.0 offers the full configured capacity; 0.0 drains the backend so it receives no traffic. |
| description | string | A description for the load balancing policy. |
| maxConnections | int64 | The maximum number of connections per instance. Enforces the maximum concurrent connections limit on the associated backend services. |
| maxRate | int64 | The maximum requests per second per instance. Enforces the request rate limit on the associated backend services. |
| maxUtilization | double | The maximum CPU utilization of an instance. Enforces the target CPU utilization threshold on the associated backend services. |
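As an added example (not platform code), the following Python resolves and checks a constructed PublicIngress manifest the way an operator might before applying it: it walks the region inheritance chain described under 'region', pairs 'balancingMode' with the capacity limit it needs (assuming these fields map directly onto GCP backend service semantics, where the modes are UTILIZATION, RATE and CONNECTION), flags a 'capacityScaler' of 0.0 as a drained backend, and derives the two Cloud Run service names created when 'authorizationDatabase' is set. The manifest contents, the placeholder apiVersion, and the parent manifests are constructed for illustration.

```python
"""Pre-apply sanity checks for a PublicIngress spec (added example, not platform code)."""
from typing import Optional

# Constructed sample manifest. The apiVersion is a placeholder, not the real value.
SAMPLE_INGRESS = {
    "apiVersion": "example.invalid/v1",  # placeholder
    "kind": "PublicIngress",
    "metadata": {"name": "edge"},
    "spec": {
        "description": "Public entry point for the web tier",
        # spec.region intentionally omitted: resolved from the parent chain below
        "domain": "apps.example.com",
        "iapPermissions": {"members": ["alice"], "groups": ["platform-admins"]},
        "authorizationDatabase": "authz-db",
        "config": {
            "timeoutSec": 30,
            "connectionDrainingTimeoutSec": 60,
            "customResponseHeaders": ["Strict-Transport-Security: max-age=31536000"],
            "loadBalancing": {"balancingMode": "RATE", "capacityScaler": 1.0, "maxRate": 500},
        },
    },
}

# Constructed parent manifests in inheritance order: Project, Environment, Organization.
PARENTS = [
    {"kind": "Project", "spec": {}},
    {"kind": "Environment", "spec": {"region": "europe-west1"}},
    {"kind": "Organization", "spec": {"region": "us-central1"}},
]

# Capacity field each balancing mode needs (assumed GCP backend-service semantics).
REQUIRED_BY_MODE = {
    "UTILIZATION": "maxUtilization",
    "RATE": "maxRate",
    "CONNECTION": "maxConnections",
}


def resolve_region(manifest: dict, parents: list) -> Optional[str]:
    """spec.region, else the first region found walking Project -> Environment -> Organization."""
    region = manifest["spec"].get("region")
    if region:
        return region
    for parent in parents:
        region = parent.get("spec", {}).get("region")
        if region:
            return region
    return None


def validate_load_balancing(lb: dict) -> list:
    """Return a list of problems; an empty list means the block is consistent."""
    problems = []
    mode = lb.get("balancingMode")
    if mode not in REQUIRED_BY_MODE:
        problems.append(f"unknown balancingMode {mode!r}")
    elif lb.get(REQUIRED_BY_MODE[mode]) is None:
        problems.append(f"balancingMode {mode} requires {REQUIRED_BY_MODE[mode]}")
    scaler = lb.get("capacityScaler", 1.0)
    if not 0.0 <= scaler <= 1.0:
        problems.append(f"capacityScaler {scaler} outside 0.0..1.0")
    elif scaler == 0.0:
        problems.append("capacityScaler 0.0 sends no traffic to this backend")
    util = lb.get("maxUtilization")
    if util is not None and not 0.0 <= util <= 1.0:
        problems.append(f"maxUtilization {util} outside 0.0..1.0")
    return problems


def authz_services(manifest: dict) -> list:
    """Cloud Run services the platform creates when authorizationDatabase is set."""
    if not manifest["spec"].get("authorizationDatabase"):
        return []
    name = manifest["metadata"]["name"]
    return [f"{name}-authz-ext", f"{name}-authz-svc"]


def check_ingress(manifest: dict, parents: list) -> dict:
    """Summarise what applying this manifest implies for the operator."""
    lb = manifest["spec"].get("config", {}).get("loadBalancing", {})
    return {
        "region": resolve_region(manifest, parents),
        "loadBalancingProblems": validate_load_balancing(lb) if lb else [],
        "authzServices": authz_services(manifest),
        # A custom domain only resolves once NS records are delegated at the registrar.
        "needsNsDelegation": bool(manifest["spec"].get("domain")),
    }


if __name__ == "__main__":
    print(check_ingress(SAMPLE_INGRESS, PARENTS))
```

The 'needsNsDelegation' flag exists because the most common failure after applying a manifest with a custom 'domain' is not in the platform at all: the managed zone is created, but nothing resolves until the registrar's NS records point at it.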
DetailedAccessPermissions
Aggregation of specific user and group access definitions.
Refers to lists of OrganizationUser and OrganizationUserGroup manifests that will be parsed to retrieve actual Google Workspace identity emails for IAM binding construction.
| Property | Type | Description |
|---|---|---|
| members | list of string | A list of 'OrganizationUser' manifest names to be included in this permission set. |
| groups | list of string | A list of 'OrganizationUserGroup' manifest names to be included in this permission set. |
IdentityProviderConfig
Configures how a tenant uses an identity provider's container.
Points to a pre-defined source image and configuration layout for a specific Identity Provider solution (such as Keycloak) and deploys it behind the ingress's IAP configuration.
| Property | Type | Description |
|---|---|---|
| source | string | The name of the 'BuildDefinition' manifest that defines the source of the container image for this application. |
| container | string | The specific container definition to use from the source 'BuildDefinition' manifest. This is required when the source defines multiple containers. |
| version | string | The version (tag) of the container image to deploy. |
| spec | ContainerSpec | The container specification for the container image. |
ComputedAuthorizationAccess
The full map of hostnames to authorization paths.
Acts as the primary in-memory index for the authz extensions running alongside the load balancers.
| Property | Type | Description |
|---|---|---|
| rules | list of RulesEntry | This is a map where the key is a hostname and the value is the set of authorization rules for that host, aggregated from all relevant child 'HttpRoute' and 'GrpcRoute' manifests. |
ComputedLoadBalancerHost
Represents a fully compiled set of paths mapped to a Load Balancer Host.
Translates down to the hostRules within a google_compute_url_map.
| Property | Type | Description |
|---|---|---|
| iapPaths | list of ComputedLoadBalancerPath | |
| gcipPaths | list of ComputedLoadBalancerPath | |
| unauthPaths | list of ComputedLoadBalancerPath | |
| bucketPaths | list of ComputedLoadBalancerPath | |
ContainerSpec
Core configuration block for defining a runtime container.
Overrides default container behavior from the base image, defining entrypoints, variables, and compute constraints. Translates directly to elements like resources and env within google_cloud_run_v2_service or Kubernetes specifications.
| Property | Type | Description |
|---|---|---|
| enabled | bool | |
| command | list of string | |
| args | list of string | |
| env | list of EnvVariableDefinition | |
| uid | string | |
| gid | string | |
| resources | ContainerResources | |
RulesEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | ComputedAuthorizationAccessRules | |
ComputedLoadBalancerPath
Represents a fully compiled routing path inside a Load Balancer.
Translates down to individual URL Map path matchers within a google_compute_url_map.
| Property | Type | Description |
|---|---|---|
| matchers | list of HttpRouteRuleMatch | |
| tenant | string | Only used for IDENTITY_PROVIDER |
| hostRewrite | string | |
| pathRewrite | string | |
| bucket | string | Used for static buckets |
| complexity | int64 | |
ContainerResources
Defines compute requirements and constraints for a container.
Maps to the resource requests and limits in Kubernetes Pods or Cloud Run service configurations to ensure adequate scaling and scheduling semantics.
| Property | Type | Description |
|---|---|---|
| requests | ContainerResource | |
| limits | ContainerResource | |
EnvVariableDefinition
Defines a static environment variable to be injected.
Appended to the environment variable array of the corresponding compute resource container definition.
| Property | Type | Description |
|---|---|---|
| name | string | |
| value | string | |
ComputedAuthorizationAccessRules
Aggregation of authz rules for a specific host.
Pre-calculated list for quickly looking up all authorization predicates that apply to an incoming request.
| Property | Type | Description |
|---|---|---|
| rules | list of ComputedAuthorizationAccessRule | This is a list of authorization rules, aggregated from all child 'HttpRoute' and 'GrpcRoute' manifests for a given host. |
HttpRouteRuleMatch
Comprehensive matching criteria for an HTTP request.
Forms the conditional part of a network services route, steering traffic based on path, headers, or query parameters.
| Property | Type | Description |
|---|---|---|
| ignoreCase | bool | |
| fullPathMatch | string | |
| prefixMatch | string | |
| regexMatch | string | |
| headers | list of HttpRouteRuleMatchHeader | |
| queryParameters | list of QueryParameterMatch | |
ContainerResource
Single resource boundary definition.
Translates to either requests or limits for CPU or memory within a container specification.
| Property | Type | Description |
|---|---|---|
| cpu | string | |
| memory | string | |
HttpRouteRuleMatchHeader
Defines a condition to match against HTTP headers.
Creates the evaluating rule within a routeMatch.headers block inside a GCP HttpRoute, aiding in granular traffic splitting.
| Property | Type | Description |
|---|---|---|
| header | string | |
| invertMatch | bool | |
| exactMatch | string | |
| regexMatch | string | |
| prefixMatch | string | |
| presentMatch | bool | |
| suffixMatch | string | |
| rangeMatch | RangeMatch | |
QueryParameterMatch
Defines a condition to match against HTTP query parameters.
Populates the routeMatch.queryParameters block within a GCP HttpRoute resource.
| Property | Type | Description |
|---|---|---|
| queryParameter | string | |
| exactMatch | string | |
| regexMatch | string | |
| presentMatch | string | |
ComputedAuthorizationAccessRule
Single computed authorization rule.
Part of the compiled configuration supplied to authz extension services to resolve user scopes dynamically.
| Property | Type | Description |
|---|---|---|
| identitySource | string | This value is a direct reflection of 'spec.authorization.identitySource' from a child 'HttpRoute' or 'GrpcRoute' manifest. |
| matches | list of HttpRouteRuleMatch | This list is a direct reflection of the 'spec.matches' block from a child 'HttpRoute' or 'GrpcRoute' manifest. |
| checks | list of ComputedAuthorizationAccessRuleCheck | This list is a direct reflection of the 'spec.authorization.checks' block from a child 'HttpRoute' or 'GrpcRoute' manifest. |
RangeMatch
Tests a header value against an integer scale.
Adds a numeric rangeMatch parameter to a header matching rule in the underlying network service map.
| Property | Type | Description |
|---|---|---|
| start | int64 | Start of the range; inclusive in the underlying GCP header match. |
| end | int64 | End of the range; exclusive in the underlying GCP header match. |
ComputedAuthorizationAccessRuleCheck
Represents a computed access check for a route rule.
Describes the relation tuple (namespace, relation, object) that the AuthZ extension must check against the authorization database for the authenticated subject during the request flow.
| Property | Type | Description |
|---|---|---|
| namespace | string | This value is a direct reflection of 'spec.authorization.namespace' from a child 'HttpRoute' or 'GrpcRoute' manifest. |
| relation | string | This value is a direct reflection of 'spec.authorization.relation' from a child 'HttpRoute' or 'GrpcRoute' manifest. |
| object | string | This value is a direct reflection of 'spec.authorization.object' from a child 'HttpRoute' or 'GrpcRoute' manifest. |
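The computed types above (ComputedAuthorizationAccess down to ComputedAuthorizationAccessRuleCheck, together with HttpRouteRuleMatch, HttpRouteRuleMatchHeader, QueryParameterMatch and RangeMatch) describe what the authorization extension consults at request time. As an added example that is not the platform's extension code, the following Python walks a constructed 'ComputedAuthorizationAccess' structure (host -> rules -> matchers and checks), evaluates the path, header, query-parameter and range criteria against a request, and returns the (identitySource, namespace, relation, object) tuples that must be verified. Match semantics follow the GCP HttpRoute fields these types mirror (full/prefix/regex path match with optional ignoreCase; header presence, exact, prefix, suffix, regex and range with invertMatch; range start inclusive and end exclusive); the hostnames, paths and tuple values are made up.

```python
"""Select the authz checks that apply to one request (added example, not platform code)."""
import re
from typing import Optional

# Constructed computed.accessRules: host -> rules aggregated from child routes.
# All hostnames, paths and (namespace, relation, object) values are made up.
ACCESS_RULES = {"rules": [
    {"key": "api.apps.example.com", "value": {"rules": [
        {   # tenant admin area: requires the X-Tenant header and a Keto 'admin' relation
            "identitySource": "IDENTITY_PROVIDER",
            "matches": [{"prefixMatch": "/admin/", "ignoreCase": True,
                         "headers": [{"header": "X-Tenant", "presentMatch": True}]}],
            "checks": [{"namespace": "tenants", "relation": "admin", "object": "acme"}],
        },
        {   # orders: a numeric id on API versions 2..3, or a CSV export of the listing
            "identitySource": "IAP",
            "matches": [
                {"regexMatch": r"/orders/[0-9]+",
                 "headers": [{"header": "x-api-version", "rangeMatch": {"start": 2, "end": 4}}]},
                {"fullPathMatch": "/orders",
                 "queryParameters": [{"queryParameter": "export", "exactMatch": "csv"}]},
            ],
            "checks": [{"namespace": "orders", "relation": "viewer", "object": "all"}],
        },
    ]}},
]}


def _as_bool(v) -> bool:
    """presentMatch is documented as bool for headers and as string for query parameters."""
    return v if isinstance(v, bool) else str(v).lower() == "true"


def path_matches(m: dict, path: str) -> bool:
    fold = str.lower if m.get("ignoreCase") else (lambda s: s)
    if "fullPathMatch" in m:
        return fold(path) == fold(m["fullPathMatch"])
    if "prefixMatch" in m:
        return fold(path).startswith(fold(m["prefixMatch"]))
    if "regexMatch" in m:
        flags = re.IGNORECASE if m.get("ignoreCase") else 0
        return re.fullmatch(m["regexMatch"], path, flags) is not None
    return True  # no path criterion: any path


def header_matches(h: dict, headers: dict) -> bool:
    value = headers.get(h["header"].lower())  # header names are case-insensitive
    if "presentMatch" in h:
        ok = (value is not None) == _as_bool(h["presentMatch"])
    elif value is None:
        ok = False
    elif "exactMatch" in h:
        ok = value == h["exactMatch"]
    elif "prefixMatch" in h:
        ok = value.startswith(h["prefixMatch"])
    elif "suffixMatch" in h:
        ok = value.endswith(h["suffixMatch"])
    elif "regexMatch" in h:
        ok = re.fullmatch(h["regexMatch"], value) is not None
    elif "rangeMatch" in h:
        r = h["rangeMatch"]  # GCP semantics: start inclusive, end exclusive
        ok = value.isdecimal() and r["start"] <= int(value) < r["end"]
    else:
        ok = True
    return (not ok) if h.get("invertMatch") else ok


def query_matches(q: dict, query: dict) -> bool:
    value = query.get(q["queryParameter"])
    if "presentMatch" in q:
        return (value is not None) == _as_bool(q["presentMatch"])
    if value is None:
        return False
    if "exactMatch" in q:
        return value == q["exactMatch"]
    if "regexMatch" in q:
        return re.fullmatch(q["regexMatch"], value) is not None
    return True


def matcher_fires(m: dict, path: str, headers: dict, query: dict) -> bool:
    """All criteria inside one HttpRouteRuleMatch are ANDed."""
    return (path_matches(m, path)
            and all(header_matches(h, headers) for h in m.get("headers", []))
            and all(query_matches(q, query) for q in m.get("queryParameters", [])))


def checks_for_request(access: dict, host: str, path: str,
                       headers: dict, query: dict) -> Optional[list]:
    """(identitySource, namespace, relation, object) tuples to verify for this request.

    A rule applies when any one of its matchers fires. Returns None when the host is
    absent from the index, so the caller can fail closed rather than read it as
    'no checks required'.
    """
    entry = next((e for e in access["rules"] if e["key"] == host), None)
    if entry is None:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    out = []
    for rule in entry["value"]["rules"]:
        if any(matcher_fires(m, path, lowered, query) for m in rule["matches"]):
            out += [(rule["identitySource"], c["namespace"], c["relation"], c["object"])
                    for c in rule["checks"]]
    return out
```

Distinguishing "host not indexed" (None) from "no rule matched" (empty list) matters for an external authorizer: the first usually means a route was added without its authorization block being aggregated, and the safe reaction is to deny rather than to let the request through unchecked.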