FormalResource

Registers an in-cluster service as a Formal resource.
```yaml
apiVersion: joinformal.com/v1
kind: FormalResource
metadata:
  name: orders-database
spec:
  technology: postgres
  hostname: postgres.default.svc.cluster.local
  port: 5432
```

Spec

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `technology` | string | Yes | Protocol type (postgres, mysql, mongodb, http, etc.) |
| `hostname` | string | Yes | In-cluster hostname of the backend service |
| `port` | int | Yes | Port of the backend service |
| `spaceId` | string | No | ID of the Space to assign the resource to |
| `tls` | object | No | TLS configuration for the backend connection |

TLS Configuration

```yaml
spec:
  tls:
    mode: verify-full
    minVersion: "TLSv1.2"
    caSecretRef:
      name: my-ca-secret
      key: ca.crt
```

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `tls.mode` | string | No | `disable`, `verify-ca`, or `verify-full` (default) |
| `tls.minVersion` | string | No | Minimum TLS version (e.g., TLSv1.2) |
| `tls.caSecretRef.name` | string | No | Kubernetes Secret containing the CA certificate |
| `tls.caSecretRef.key` | string | No | Key within the Secret |

FormalListener

Creates a listener on an existing Formal connector with routing rules.
```yaml
apiVersion: joinformal.com/v1
kind: FormalListener
metadata:
  name: postgres
spec:
  connectorId: connector_abc123
  name: postgres
  port: 5432
  rules:
    - type: technology
      technology: postgres
```

Spec

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `connectorId` | string | Yes | ID of the Formal connector |
| `name` | string | Yes | Display name of the listener |
| `port` | int | Yes | Port the listener binds to on the connector |
| `rules` | list | No | Routing rules for the listener |

Rules

Each rule routes traffic to one or more resources:

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `type` | string | Yes | `resource` or `technology` |
| `resourceRef` | string | No | Name of a FormalResource in the same namespace (for resource rules) |
| `technology` | string | No | Technology name (for technology rules) |

When using resource rules, the operator resolves the resourceRef to the Formal resource ID automatically.
The connector itself is not managed by the operator. Create the connector via Terraform or the web console, then reference its ID in FormalListener resources.
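
The resource rule described above, as an added example that is not taken from the Formal documentation: the listener routes to the `orders-database` FormalResource by name, and that resource carries the settings from the TLS Configuration section. The listener name `orders-listener` and port 5433 are assumed values; `connector_abc123` and `my-ca-secret` are the placeholders already used on this page.

```yaml
# Added example: backend resource with certificate verification enabled.
apiVersion: joinformal.com/v1
kind: FormalResource
metadata:
  name: orders-database
spec:
  technology: postgres
  hostname: postgres.default.svc.cluster.local
  port: 5432
  tls:
    mode: verify-full              # the documented default, stated explicitly
    minVersion: "TLSv1.2"
    caSecretRef:
      name: my-ca-secret           # Secret containing the CA certificate
      key: ca.crt
---
# Listener that routes by resource instead of by technology.
apiVersion: joinformal.com/v1
kind: FormalListener
metadata:
  name: orders-listener            # assumed name
spec:
  connectorId: connector_abc123    # placeholder connector ID from this page
  name: orders-listener
  port: 5433                       # assumed port
  rules:
    - type: resource
      resourceRef: orders-database # FormalResource in the same namespace
```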

FormalNativeUser

Creates a native user on a Formal resource, with credentials sourced from a Kubernetes Secret.
```yaml
apiVersion: joinformal.com/v1
kind: FormalNativeUser
metadata:
  name: orders-database-default
spec:
  resourceRef: orders-database
  type: basic
  useAsDefault: true
  secretRef:
    name: postgres-credentials
    keys:
      username: username
      password: password
```

Spec

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `resourceRef` | string | Yes | Name of a FormalResource in the same namespace |
| `type` | string | Yes | See supported types below |
| `useAsDefault` | bool | No | Whether this is the default native user for the resource |

The operator watches referenced Secrets. When a Secret is updated, the operator automatically propagates the new credentials to Formal.

Supported Types

basic

Username and password credentials, sourced from a Kubernetes Secret.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `secretRef.name` | string | Yes | Name of the Kubernetes Secret |
| `secretRef.keys.username` | string | Yes | Key in the Secret containing the username |
| `secretRef.keys.password` | string | Yes | Key in the Secret containing the password |

iam

Cloud IAM authentication.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `iam.cloudProvider` | string | Yes | Cloud provider (`aws` or `gcp`) |
| `iam.username` | string | Yes | IAM username for authentication |
| `iam.role` | string | No | IAM role ARN or identifier (if omitted, uses the environment’s ambient IAM credentials) |

kubernetes

Kubernetes authentication via kubeconfig.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `kubernetes.kubeconfigEnv` | string | Yes | Environment variable name containing kubeconfig |

ssh_key

SSH key authentication, with the private key sourced from a Kubernetes Secret.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `sshKey.username` | string | Yes | SSH username |
| `sshKey.secretRef.name` | string | Yes | Secret containing the private key |
| `sshKey.secretRef.key` | string | Yes | Key within the Secret |

snowflake_key

Snowflake key-pair authentication, with the private key sourced from a Kubernetes Secret.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `snowflakeKey.username` | string | Yes | Snowflake username |
| `snowflakeKey.secretRef.name` | string | Yes | Secret containing the private key |
| `snowflakeKey.secretRef.key` | string | Yes | Key within the Secret |

http_basic

HTTP Basic authentication, with credentials sourced from a Kubernetes Secret.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `httpBasic.header` | string | Yes | HTTP header name (e.g., Authorization) |
| `httpBasic.secretRef.name` | string | Yes | Name of the Kubernetes Secret |
| `httpBasic.secretRef.keys.username` | string | Yes | Key in the Secret containing the username |
| `httpBasic.secretRef.keys.password` | string | Yes | Key in the Secret containing the password |

http_bearer

HTTP Bearer token authentication, with the token sourced from a Kubernetes Secret.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `httpBearer.header` | string | Yes | HTTP header name (e.g., Authorization) |
| `httpBearer.secretRef.name` | string | Yes | Secret containing the token |
| `httpBearer.secretRef.key` | string | Yes | Key within the Secret |

http_api_key

HTTP API key authentication, with the value sourced from a Kubernetes Secret.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `httpApiKey.location` | string | Yes | `header` or `query_parameter` |
| `httpApiKey.key` | string | Yes | Header or query parameter name |
| `httpApiKey.secretRef.name` | string | Yes | Secret containing the API key value |
| `httpApiKey.secretRef.key` | string | Yes | Key within the Secret |
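
An added example (not from the Formal documentation) of a non-basic type: an `http_api_key` native user together with the Secret it reads from. The nesting under `spec` is inferred from the dotted field paths in the table above; the names `billing-api`, `billing-api-key`, `billing-api-default`, the header `X-API-Key` and the Secret value are constructed placeholders.

```yaml
# Constructed Secret holding the API key; the value is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: billing-api-key
type: Opaque
stringData:
  api-key: "<REPLACE_WITH_API_KEY>"
---
# Native user that sends the key from the Secret as a request header.
apiVersion: joinformal.com/v1
kind: FormalNativeUser
metadata:
  name: billing-api-default
spec:
  resourceRef: billing-api       # assumed FormalResource with technology: http
  type: http_api_key
  useAsDefault: true
  httpApiKey:
    location: header             # the other documented value is query_parameter
    key: X-API-Key               # assumed header name
    secretRef:
      name: billing-api-key      # must match the Secret's metadata.name
      key: api-key               # must match the key under stringData
```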