The Shipa Developer Hub


Framework Management

By leveraging Shipa, you can quickly provision frameworks that automatically enforce governance policies when deploying applications.

apiVersion: shipa.crossplane.io/v1alpha1
kind: Framework
metadata:
  name: cp-dev
spec:
  forProvider:
    shipaFramework: cp-dev
    resources:
      general:
        setup:
          provisioner: kubernetes
        router: traefik
        appQuota:
          limit: "4"
        plan:
          name: "plan name"
        security:
          disableScan: true
          scanPlatformLayers: false
          ignoreComponents: ["apt", "bash", "..."]
          ignoreCves: ["CVE-2020-27350", "CVE-2011-3374", "..."]
        networkPolicy:
          ingress:
            policy_mode: allow-custom-rules-only
            custom_rules:
              - id: rule-name
                description: "networking rule"
                enabled: true
                allowed_apps: ["app1", "app2", "app3", "appX"]
                allowed_frameworks: ["fw1", "fw2"]
                ports:
                  - port: 8080
                    protocol: TCP
                  - port: 8081
                    protocol: TCP
          egress:
            policy_mode: allow-all
          disableAppPolicies: false
        containerPolicy:
          allowedHosts: ["docker.io/shipasoftware", "docker.io/shiparepo"]

Top-Level Attributes

| Component | Type | Definition |
|---|---|---|
| apiVersion | string | The version of the API. |
| kind | string | The kind of custom resource that will be created by Shipa. Framework is the kind used by Shipa for creating applications. |
| metadata | | The name of the custom resource that will be created by Shipa. |
| spec | | The specification that will be used by Shipa when creating the framework. |

Metadata

| Component | Type | Description |
|---|---|---|
| name | string | The name of the custom resource that will be created by Shipa. |

Specification

Component path: spec > forProvider

| Component | Type | Description |
|---|---|---|
| shipaFramework | string | The name of the framework that should be created by Shipa. Required: Yes |
| resources | | The general settings that should be used by Shipa when creating the framework. Required: Yes |

General

Component path: spec > forProvider > resources > general

| Component | Type | Description |
|---|---|---|
| setup | | Defines the provisioner that should be used by the framework when deploying applications. Required: Yes |
| router | string | The router that should be assigned to the framework so an endpoint can automatically be created for the applications deployed through this framework. If not specified, Shipa will default to Traefik and automatically configure Traefik as the ingress. Required: No. Options: istio or traefik |
| appQuota | | Defines limits on how much an application can scale in number of containers. Required: No |
| plan | | The name of the resource plan that should be used by this framework when applications are deployed through it. Required: No |
| security | | Defines the level of security scan that will be automatically run on every application deployed through this framework. Required: No |
| networkPolicy | | Defines default network policies that will be assigned to every application deployed through this framework. Required: No |
| containerPolicy | | Limits which container registries can be used when deploying applications to this framework. Required: No |

Setup

Component path: spec > forProvider > resources > general > setup

| Component | Type | Definition |
|---|---|---|
| provisioner | string | The provisioner that should be used by this framework when deploying applications. Options: shipa, kubernetes. Required: Yes |

Application Quota

Component path: spec > forProvider > resources > general > appQuota

| Component | Type | Description |
|---|---|---|
| limit | int | Defines limits on how much an application can scale in number of containers. If not specified, Shipa will assign unlimited. Required: No |

Resource Plan

Component path: spec > forProvider > resources > general > plan

| Component | Type | Description |
|---|---|---|
| name | string | The name of the resource plan that should be used by this framework when applications are deployed through it. If not specified, Shipa will use an existing plan that is exposed as default. Required: No |

Security

Component path: spec > forProvider > resources > general > security

| Component | Type | Description |
|---|---|---|
| disableScan | bool | If application scanning should be disabled when applications are deployed using the framework. By default, unless changed, it will be enabled when creating the framework. Required: No |
| scan_platform_layers | bool | If application image scan should be disabled when applications are deployed using the framework. By default, unless changed, it will be enabled when creating the framework. Required: No |
| ignoreComponents | string | By default, if security scanning is not disabled, Shipa won't allow any component vulnerabilities to be deployed through this framework. If there are specific components that should be ignored by Shipa during deployments using this framework, they should be listed here. Required: No |
| ignoreCves | string | By default, if security scanning is not disabled, Shipa won't allow any CVE vulnerabilities to be deployed to the framework. If there are specific CVEs that should be ignored by Shipa during deployments using this framework, they should be listed here. Required: No |

Network Policy

Component path: spec > forProvider > resources > general > networkPolicy

| Component | Type | Description |
|---|---|---|
| ingress | | Ingress definition that will be accepted by applications deployed using the framework. If not defined, Shipa will automatically assign an allow-all ingress policy for applications deployed through the framework. Required: No |
| policy_mode | string | The policy mode that should be applied to applications deployed through the framework. Current options from this provider are: allow-all, deny-all, allow-custom-rules-only. Required: No. Condition: Only when policy_mode is set to allow-custom-rules-only |
| custom_rules | | If policy_mode is set to allow-custom-rules-only, users can define custom rules for detailed ingress or egress configuration for applications deployed through the framework. Required: No. Condition: Only when policy_mode is set to allow-custom-rules-only |
| id | string | The name of the custom rule. Required: No. Condition: Only when policy_mode is set to allow-custom-rules-only |
| enabled | bool | If the custom rule is enabled by default or not when applications are deployed through the framework. Required: No. Condition: Only when policy_mode is set to allow-custom-rules-only |
| description | string | The description of the custom rule being enforced by the framework. Required: No. Condition: Only when policy_mode is set to allow-custom-rules-only |
| allowed_apps | string | The specific applications that applications deployed through the framework can receive ingress or egress from. Required: No. Condition: Only when policy_mode is set to allow-custom-rules-only |
| allowed_frameworks | string | Allow traffic from applications deployed through this framework or a list of frameworks. Required: No. Condition: Only when policy_mode is set to allow-custom-rules-only |
| ports | | Port configuration where applications deployed through the framework can accept ingress or egress. Required: No. Condition: Only when policy_mode is set to allow-custom-rules-only |
| port | int | The specific port (or list of ports) where applications deployed through the framework can accept ingress or egress. Required: No. Condition: Only when policy_mode is set to allow-custom-rules-only |
| protocol | string | The specific protocol where applications deployed through the framework can accept ingress or egress. Required: No. Condition: Only when policy_mode is set to allow-custom-rules-only |
| egress | | Egress definition that will be accepted by applications deployed using the framework. If not defined, Shipa will automatically assign an allow-all egress policy for applications deployed through the framework. Required: No |
| disable_app_policies | bool | Defines if application owners can change ingress and/or egress rules at the application-level post-deployment. Required: No. Condition: Only when policy_mode is set to allow-custom-rules-only |

Detailed network policies

Shipa enables you to define more granular network policies through its dashboard. If rules are overly complex, we recommend using the dashboard to define a sample framework and network policy, then exporting the framework configuration, which gives you the detailed network policy configuration in a file.

Container Policy

Component path: spec > forProvider > resources > general > containerPolicy

| Component | Type | Description |
|---|---|---|
| allowedHosts | string | The container registry (or list of) developers can use when deploying their applications through the framework. If not specified, developers will be able to deploy images from any container registry. Required: No |
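
Several of the optional fields above fall back to permissive behaviour when omitted (allow-all ingress and egress, images from any registry), and scanning can be switched off or narrowed with exceptions. The following is an added example, not Shipa's own code, that reviews a Framework manifest for those settings before it is applied. It assumes the manifest has already been parsed into a dictionary by a YAML loader; audit_framework and CP_DEV are hypothetical names, and the sample is constructed from the cp-dev manifest at the top of this page.

```python
# Added example: audit a Shipa Framework manifest against the defaults this
# page documents. Input is the manifest already parsed into a dict (assumed to
# come from a YAML loader); nothing here calls Shipa itself.

def audit_framework(manifest):
    """Return [(field_path, finding), ...] for settings that relax governance."""
    general = (manifest.get("spec", {}).get("forProvider", {})
               .get("resources", {}).get("general", {}))
    findings = []

    security = general.get("security") or {}
    if security.get("disableScan") is True:
        findings.append(("security.disableScan", "scanning is disabled"))
    for key in ("ignoreComponents", "ignoreCves"):
        # "..." is the elision placeholder used in the page's sample lists.
        ignored = [v for v in security.get(key) or [] if v != "..."]
        if ignored:
            findings.append((f"security.{key}",
                             "scan exceptions: " + ", ".join(ignored)))

    network = general.get("networkPolicy") or {}
    for direction in ("ingress", "egress"):
        mode = (network.get(direction) or {}).get("policy_mode")
        if mode is None:
            findings.append((f"networkPolicy.{direction}",
                             "not defined, so Shipa assigns allow-all"))
        elif mode == "allow-all":
            findings.append((f"networkPolicy.{direction}", "set to allow-all"))

    if not (general.get("containerPolicy") or {}).get("allowedHosts"):
        findings.append(("containerPolicy.allowedHosts",
                         "not set, so images from any registry are accepted"))
    return findings


# Constructed sample: the security-relevant parts of the cp-dev manifest.
CP_DEV = {"spec": {"forProvider": {"resources": {"general": {
    "security": {"disableScan": True,
                 "ignoreComponents": ["apt", "bash", "..."],
                 "ignoreCves": ["CVE-2020-27350", "CVE-2011-3374", "..."]},
    "networkPolicy": {
        "ingress": {"policy_mode": "allow-custom-rules-only",
                    "custom_rules": [{"id": "rule-name", "enabled": True}]},
        "egress": {"policy_mode": "allow-all"}},
    "containerPolicy": {"allowedHosts": ["docker.io/shipasoftware"]},
}}}}}

if __name__ == "__main__":
    for path, finding in audit_framework(CP_DEV):
        print(f"{path}: {finding}")
```

Run against the cp-dev sample, the audit reports the disabled scan, both exception lists and the allow-all egress; a manifest that sets only setup is reported for ingress, egress and allowedHosts instead.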

Updated 3 months ago

