Skip to main content
Version: v2.0

API Reference

Packages

formance.com/v1beta1

Package v1beta1 contains API Schema definitions for the formance v1beta1 API group.

It allow to configure a Formance stack.

A stack is composed of a Stack resource and some modules.

Each module can create multiple resources following its needs. See Other resources.

Various parts of the stack can be configured either using the CRD properties or using some Settings.

Modules :

Other resources :

Main resources

Stack

Stack represents a formance stack. A Stack is basically a container. It holds some global properties and creates a namespace if not already existing.

To do more, you need to create some modules.

The Stack resource allow to specify the version of the stack.

It can be specified using either the field .spec.version or the .spec.versionsFromFile field (Refer to the documentation of Versions resource.

The version field will have priority over versionFromFile.

If versions and versionsFromFile are not specified, "latest" will be used.

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringStack
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec StackSpec
status StackStatus
StackSpec
FieldDescriptionDefaultValidation
debug booleanAllow to enable debug mode on the modulefalse
dev booleanAllow to enable dev mode on the module
Dev mode is used to allow some application to do custom setup in development mode (allow insecure certificates for example)		false
version stringVersion allow to specify the version of the components
Must be a valid docker tag
versionsFromFile stringVersionsFromFile allow to specify a formance.com/Versions object which contains individual versions
for each component.
Must reference a valid formance.com/Versions object
enableAudit booleanEnableAudit enable audit at the stack level.
Actually, it enables audit on Gateway		false
disabled booleanDisabled indicate the stack is disabled.
A disabled stack disable everything
It just keeps the namespace and the Database resources.		false
StackStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors
modules string arrayModules register detected modules

Settings

Settings represents a configurable piece of the stacks.

The purpose of this resource is to be able to configure some common settings between a set of stacks.

Example :

apiVersion: formance.com/v1beta1
kind: Settings
metadata:
  name: postgres-uri
spec:
  key: postgres.ledger.uri
  stacks:
  - stack0
  value: postgresql://postgresql.formance.svc.cluster.local:5432

This example create a setting named postgres-uri targeting the stack named stack0 and the service ledger (see the key postgres.ledger.uri).

Therefore, a Database created for the stack stack0 and the service named 'ledger' will use the uri postgresql://postgresql.formance.svc.cluster.local:5432.

Settings allow to use wildcards in keys and in stacks list.

For example, if you want to use the same database server for all the modules of a specific stack, you can write :

apiVersion: formance.com/v1beta1
kind: Settings
metadata:
  name: postgres-uri
spec:
  key: postgres.*.uri # There, we use a wildcard to indicate we want to use that setting of all services of the stack `stack0`
  stacks:
  - stack0
  value: postgresql://postgresql.formance.svc.cluster.local:5432

Also, we could use that setting for all of our stacks using :

apiVersion: formance.com/v1beta1
kind: Settings
metadata:
  name: postgres-uri
spec:
  key: postgres.*.uri # There, we use a wildcard to indicate we want to use that setting for all services of all stacks
  stacks:
  - * # There we select all the stacks
  value: postgresql://postgresql.formance.svc.cluster.local:5432

Some settings are really global, while some are used by specific module.

Refer to the documentation of each module and resource to discover available Settings.

Global settings
AWS account

A stack can use an AWS account for authentication.

It can be used to connect to any AWS service we could use.

It includes RDS, OpenSearch and MSK. To do so, you can create the following setting:

apiVersion: formance.com/v1beta1
kind: Settings
metadata:
  name: aws-service-account
spec:
  key: aws.service-account
  stacks:
  - '*'
  value: aws-access

This setting instruct the operator than there is somewhere on the cluster a service account named aws-access.

So, each time a service has the capability to use AWS, the operator will use this service account.

The service account could look like that :

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::************:role/staging-eu-west-1-hosting-stack-access
  labels:
    formance.com/stack: any
  name: aws-access

You can note two things :

  1. We have an annotation indicating the role arn used to connect to AWS. Refer to the AWS documentation to create this role
  2. We have a label formance.com/stack=any indicating we are targeting all stacks. Refer to the documentation of ResourceReference for further information.
JSON logging

You can use the setting logging.json with the value true to configure elligible service to log as json. Example:

apiVersion: formance.com/v1beta1
kind: Settings
metadata:
  name: json-logging
spec:
  key: logging.json
  stacks:
  - '*'
  value: "true"
FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringSettings
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec SettingsSpec
SettingsSpec
FieldDescriptionDefaultValidation
stacks string arrayStacks on which the setting is applied. Can contain * to indicate a wildcard.
key stringThe setting Key. See the documentation of each module or global settings to discover them.
value stringThe value. It must have a specific format following the Key.

Modules

Auth

Auth represent the authentication module of a stack.

It is an OIDC compliant server.

Creating it for a stack automatically add authentication on all supported modules.

The auth service is basically a proxy to another OIDC compliant server.

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringAuth
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec AuthSpec
status AuthStatus
AuthSpec
FieldDescriptionDefaultValidation
debug booleanAllow to enable debug mode on the modulefalse
dev booleanAllow to enable dev mode on the module
Dev mode is used to allow some application to do custom setup in development mode (allow insecure certificates for example)		false
version stringVersion allow to override global version defined at stack level for a specific module
stack stringStack indicates the stack on which the module is installed
delegatedOIDCServer DelegatedOIDCServerConfigurationContains information about a delegated authentication server to use to delegate authentication
signingKey stringAllow to override the default signing key used to sign JWT tokens.
signingKeyFromSecret SecretKeySelectorAllow to override the default signing key used to sign JWT tokens using a k8s secret
enableScopes booleanAllow to enable scopes usage on authentication.

If not enabled, each service will check the authentication but will not restrict access following scopes.
in this case, if authenticated, it is ok.		false
DelegatedOIDCServerConfiguration
FieldDescriptionDefaultValidation
issuer stringIssuer is the url of the delegated oidc server
clientID stringClientID is the client id to use for authentication
clientSecret stringClientSecret is the client secret to use for authentication
AuthStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors
clients string arrayClients contains the list of clients created using AuthClient

Gateway

Gateway is the Schema for the gateways API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringGateway
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec GatewaySpec
status GatewayStatus
GatewaySpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
debug booleanAllow to enable debug mode on the modulefalse
dev booleanAllow to enable dev mode on the module
Dev mode is used to allow some application to do custom setup in development mode (allow insecure certificates for example)		false
version stringVersion allow to override global version defined at stack level for a specific module
ingress GatewayIngressAllow to customize the generated ingress
GatewayIngress
FieldDescriptionDefaultValidation
host stringIndicates the hostname on which the stack will be served.
Example : formance.example.com
scheme stringIndicate the scheme.

Actually, It should be https unless you know what you are doing.		https
annotations object (keys:string, values:string)Custom annotations to add on the ingress
tls GatewayIngressTLSAllow to customize the tls part of the ingress
GatewayIngressTLS
FieldDescriptionDefaultValidation
secretName stringSpecify the secret name used for the tls configuration on the ingress
GatewayStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors
syncHTTPAPIs string arrayDetected http apis. See GatewayHTTPAPI
authEnabled booleanIndicates if a Auth module has been detected.false

Ledger

Ledger is the module allowing to install a ledger instance.

The ledger is actually a stateful application on the writer part. So we cannot scale the ledger as we want without prior configuration.

So, the ledger can run in two modes :

  • single instance: Only one instance will be deployed. We cannot scale in that mode.
  • single writer / multiple reader: In this mode, we will have a single writer and multiple readers if needed.

Use setting ledger.deployment-strategy with either the value :

  • single : For the single instance mode.
  • single-writer: For the single writer / multiple reader mode. Under the hood, the operator create two deployments and force the scaling of the writer to stay at 1. Then you can scale the deployment of the reader to the value you want.
FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringLedger
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec LedgerSpec
status LedgerStatus
LedgerSpec
FieldDescriptionDefaultValidation
debug booleanAllow to enable debug mode on the modulefalse
dev booleanAllow to enable dev mode on the module
Dev mode is used to allow some application to do custom setup in development mode (allow insecure certificates for example)		false
version stringVersion allow to override global version defined at stack level for a specific module
stack stringStack indicates the stack on which the module is installed
deploymentStrategy DeploymentStrategyDeprecated.single
locking LockingStrategyLocking is intended for ledger v1 only
DeploymentStrategy

Underlying type: string

LockingStrategy
FieldDescriptionDefaultValidation
strategy stringmemory
redis LockingStrategyRedisConfig
LockingStrategyRedisConfig
FieldDescriptionDefaultValidation
uri string
tls booleanfalse
insecure booleanfalse
duration string
retry string
LedgerStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors

Orchestration

Orchestration is the Schema for the orchestrations API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringOrchestration
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec OrchestrationSpec
status OrchestrationStatus
OrchestrationSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
debug booleanAllow to enable debug mode on the modulefalse
dev booleanAllow to enable dev mode on the module
Dev mode is used to allow some application to do custom setup in development mode (allow insecure certificates for example)		false
version stringVersion allow to override global version defined at stack level for a specific module
OrchestrationStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors
temporalURI stringType: string

Payments

Payments is the Schema for the payments API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringPayments
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec PaymentsSpec
status PaymentsStatus
PaymentsSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
debug booleanAllow to enable debug mode on the modulefalse
dev booleanAllow to enable dev mode on the module
Dev mode is used to allow some application to do custom setup in development mode (allow insecure certificates for example)		false
version stringVersion allow to override global version defined at stack level for a specific module
encryptionKey string
PaymentsStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors

Reconciliation

Reconciliation is the Schema for the reconciliations API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringReconciliation
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec ReconciliationSpec
status ReconciliationStatus
ReconciliationSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
debug booleanAllow to enable debug mode on the modulefalse
dev booleanAllow to enable dev mode on the module
Dev mode is used to allow some application to do custom setup in development mode (allow insecure certificates for example)		false
version stringVersion allow to override global version defined at stack level for a specific module
ReconciliationStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors

Search is the Schema for the searches API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringSearch
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec SearchSpec
status SearchStatus
SearchSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
debug booleanAllow to enable debug mode on the modulefalse
dev booleanAllow to enable dev mode on the module
Dev mode is used to allow some application to do custom setup in development mode (allow insecure certificates for example)		false
version stringVersion allow to override global version defined at stack level for a specific module
batching Batching
Batching

Batching allow to define custom batching configuration

FieldDescriptionDefaultValidation
count integerCount indicates the number of messages that can be kept in memory before being flushed to ElasticSearch
period stringPeriod indicates the maximum duration messages can be kept in memory before being flushed to ElasticSearch
SearchStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors
elasticSearchURI stringType: string
topicCleaned booleanTopicCleaned is used to flag stacks where the topics have been cleaned (still search-ledgerv2 and co consumers)false

Stargate

Stargate is the Schema for the stargates API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringStargate
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec StargateSpec
status StargateStatus
StargateSpec
FieldDescriptionDefaultValidation
debug booleanAllow to enable debug mode on the modulefalse
dev booleanAllow to enable dev mode on the module
Dev mode is used to allow some application to do custom setup in development mode (allow insecure certificates for example)		false
version stringVersion allow to override global version defined at stack level for a specific module
stack stringStack indicates the stack on which the module is installed
serverURL string
organizationID string
stackID string
auth StargateAuthSpec
StargateAuthSpec
FieldDescriptionDefaultValidation
clientID string
clientSecret string
issuer string
StargateStatus

StargateStatus defines the observed state of Stargate

FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors

Wallets

Wallets is the Schema for the wallets API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringWallets
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec WalletsSpec
status WalletsStatus
WalletsSpec
FieldDescriptionDefaultValidation
debug booleanAllow to enable debug mode on the modulefalse
dev booleanAllow to enable dev mode on the module
Dev mode is used to allow some application to do custom setup in development mode (allow insecure certificates for example)		false
version stringVersion allow to override global version defined at stack level for a specific module
stack stringStack indicates the stack on which the module is installed
WalletsStatus

WalletsStatus defines the observed state of Wallets

FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors

Webhooks

Webhooks is the Schema for the webhooks API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringWebhooks
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec WebhooksSpec
status WebhooksStatus
WebhooksSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
debug booleanAllow to enable debug mode on the modulefalse
dev booleanAllow to enable dev mode on the module
Dev mode is used to allow some application to do custom setup in development mode (allow insecure certificates for example)		false
version stringVersion allow to override global version defined at stack level for a specific module
WebhooksStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors

Other resources

AuthClient

AuthClient allow to create OAuth2/OIDC clients on the auth server (see Auth)

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringAuthClient
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec AuthClientSpec
status AuthClientStatus
AuthClientSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
id stringID indicates the client id
It must be used with oauth2 client_id parameter
public booleanPublic indicate whether a client is confidential or not.
Confidential clients are clients which the secret can be kept secret...
As opposed to public clients which cannot have a secret (application single page for example)		false
description stringDescription represents an optional description of the client
redirectUris string arrayRedirectUris allow to list allowed redirect uris for the client
postLogoutRedirectUris string arrayRedirectUris allow to list allowed post logout redirect uris for the client
scopes string arrayScopes allow to five some scope to the client
secret stringSecret allow to configure a secret for the client.
It is not required as some client could use some oauth2 flows which does not requires a client secret
AuthClientStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors

Benthos

Benthos is the Schema for the benthos API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringBenthos
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec BenthosSpec
status BenthosStatus
BenthosSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
debug booleanAllow to enable debug mode on the modulefalse
dev booleanAllow to enable dev mode on the module
Dev mode is used to allow some application to do custom setup in development mode (allow insecure certificates for example)		false
resourceRequirements ResourceRequirements
batching Batching
initContainers Container array
Batching

Batching allow to define custom batching configuration

FieldDescriptionDefaultValidation
count integerCount indicates the number of messages that can be kept in memory before being flushed to ElasticSearch
period stringPeriod indicates the maximum duration messages can be kept in memory before being flushed to ElasticSearch
BenthosStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors
elasticSearchURI stringType: string

BenthosStream

BenthosStream is the Schema for the benthosstreams API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringBenthosStream
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec BenthosStreamSpec
status BenthosStreamStatus
BenthosStreamSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
data string
name string
BenthosStreamStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors

Broker

Broker is the Schema for the brokers API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringBroker
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec BrokerSpec
status BrokerStatus
BrokerSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
BrokerStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors
uri stringType: string
mode ModeMode indicating the configuration of the nats streams
Two modes are defined :
* OneStreamByService: In this case, each service will have a dedicated stream created
* OneStreamByStack: In this case, a stream will be created for the stack and each service will use a specific subject inside this stream		Enum: [OneStreamByService OneStreamByStack]
streams string arrayStreams list streams created when Mode == ModeOneStreamByService
Mode

Underlying type: string

Mode defined how streams are created on the broker (mainly nats)

BrokerConsumer

BrokerConsumer is the Schema for the brokerconsumers API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringBrokerConsumer
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec BrokerConsumerSpec
status BrokerConsumerStatus
BrokerConsumerSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
services string array
queriedBy string
name stringAs the name is optional, if not provided, the name will be the QueriedBy property
This is only applied when using one stream by stack see Mode
BrokerConsumerStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors

BrokerTopic

BrokerTopic is the Schema for the brokertopics API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringBrokerTopic
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec BrokerTopicSpec
status BrokerTopicStatus
BrokerTopicSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
service string
BrokerTopicStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors

Database

Database represent a concrete database on a PostgreSQL server, it is created by modules requiring a database (Ledger for example).

It uses the settings postgres.<module-name>.uri which must have the following uri format: postgresql://[<username>@<password>]@<host>/<db-name> Additionally, the uri can define a query param secret indicating a k8s secret, than must be used to retrieve database credentials.

On creation, the reconciler behind the Database object will create the database on the postgresql server using a k8s job. On Deletion, by default, the reconciler will let the database untouched. You can allow the reconciler to drop the database on the server by using the Settings clear-database with the value true. If you use that setting, the reconciler will use another job to drop the database. Be careful, no backup are performed!

Database resource honors aws.service-account setting, so, you can create databases on an AWS server if you need. See AWS accounts

Once a database is fully configured, it retains the postgres uri used. If the setting indicating the server uri changed, the Database object will set the field .status.outOfSync to true and will not change anything.

Therefore, to switch to a new server, you must change the setting value, then drop the Database object. It will be recreated with correct uri.

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringDatabase
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec DatabaseSpec
status DatabaseStatus
DatabaseSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
service stringService is a discriminator for the created database.
Actually, it will be the module name (ledger, payments...).
Therefore, the created database will be named <stack-name><service>
debug booleanfalse
DatabaseStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors
uri stringType: string
database stringThe generated database name
outOfSync booleanOutOfSync indicates than a settings changed the uri of the postgres server
The Database object need to be removed to be recreated

GatewayHTTPAPI

GatewayHTTPAPI is the Schema for the HTTPAPIs API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringGatewayHTTPAPI
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec GatewayHTTPAPISpec
status GatewayHTTPAPIStatus
GatewayHTTPAPISpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
name stringName indicates prefix api
rules GatewayHTTPAPIRule arrayRules
healthCheckEndpoint stringHealth check endpoint
GatewayHTTPAPIRule
FieldDescriptionDefaultValidation
path string
methods string array
secured booleanfalse
GatewayHTTPAPIStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors
ready boolean

ResourceReference

ResourceReference is a special resources used to refer to externally created resources.

It includes k8s service accounts and secrets.

Why? Because the operator create a namespace by stack, so, a stack does not have access to secrets and service accounts created externally.

A ResourceReference is created by other resource who need to use a specific secret or service account. For example, if you want to use a secret for your database connection (see Database, you will create a setting indicating a secret name. You will need to create this secret yourself, and you will put this secret inside the namespace you want (default maybe).

The Database reconciler will create a ResourceReference looking like that :

apiVersion: formance.com/v1beta1
kind: ResourceReference
metadata:
  name: jqkuffjxcezj-qlii-auth-postgres
  ownerReferences:
  - apiVersion: formance.com/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: Database
    name: jqkuffjxcezj-qlii-auth
    uid: 2cc4b788-3ffb-4e3d-8a30-07ed3941c8d2
spec:
  gvk:
    group: ""
    kind: Secret
    version: v1
  name: postgres
  stack: jqkuffjxcezj-qlii
status:
  ...

This reconciler behind this ResourceReference will search, in all namespaces, for a secret named "postgres". The secret must have a label formance.com/stack with the value matching either a specific stack or any to target any stack.

Once the reconciler has found the secret, it will copy it inside the stack namespace, allowing the ResourceReconciler owner to use it.

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringResourceReference
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec ResourceReferenceSpec
status ResourceReferenceStatus
ResourceReferenceSpec
FieldDescriptionDefaultValidation
stack stringStack indicates the stack on which the module is installed
gvk GroupVersionKind
name string
ResourceReferenceStatus
FieldDescriptionDefaultValidation
ready booleanReady indicates if the resource is seen as completely reconciled
info stringInfo can contain any additional like reconciliation errors
syncedResource string
hash string

Versions

Versions is the Schema for the versions API

FieldDescriptionDefaultValidation
apiVersion stringformance.com/v1beta1
kind stringVersions
metadata ObjectMetaRefer to Kubernetes API documentation for fields of metadata.
spec object (keys:string, values:string)