ConnectorClass
TOC
Overview
ConnectorClass is a cluster-level resource that defines the access modes and behavior specifications for specific types of tools.
The following example defines a hello-git type connector that supports basic authentication:
In the ConnectorClass, the access modes and behavior specifications for connecting tools to the platform are defined by describing the following information:
- The format of the tool's access address
- Supported authentication methods
- How to check the tool's accessibility
- How to verify the validity of authentication
- How the tool provides API capabilities
- What configuration capabilities the tool offers
- Metadata for readability display
This document also provides examples to help readers better understand how to customize ConnectorClass. Examples
Address Information
Address information defines the format for accessing the tool. Currently, string-type address configurations are supported. This address information restricts the field type constraints that the current type of tool must meet.
At this point, it indicates that the address information for connecting the tool to the platform must be of string type.
Parameters
Parameters are used to defines additional parameters when creating a connector.
You can define required parameters for connector creation using the connectorclass spec.params field.
spec.params[].name- Parameter name.spec.params[].type- Parameter type. Currently only supportsstringtype.spec.params[].default- Default parameter value (optional). When a default value is provided, users can omit this parameter when creating a connector.spec.params[].description- Parameter description (optional).
For example, the following definition allows users to provide an sslVerify parameter when creating a git-type connector, with a default value of true.
For parameter configuration when creating Connectors, refer to the Connector documentation.
Combined with connectors-csi-driver capabilities, this enables more flexible configuration. This is particularly useful when you need to provide parameterized configurations. For example, when creating a git-type connector, users can provide the sslVerify parameter to control SSL certificate verification. For more details, refer to the ConnectorClass Configuration documentation.
Authentication Information
Authentication Type
The authentication type defines the type of credentials used for tool authentication. A tool can support multiple authentication types, allowing users to choose one when using the tool.
Users can uniquely name the current authentication type via
spec.auth.types[].name, which must be unique and cannot be repeated.spec.auth.types[].secretType, which specifies the type ofSecretneeded for authentication, corresponding to a Kubernetes Secret Type.
Example:
In the built-in K8S Secret Type, all types except Opaque have field constraints. When providing a Secret, the user must ensure that the Secret's fields match the type constraints.
When using the Opaque type, you must declare authentication parameters.
Like k8s, you can also use your own Secret Type. At this point, you must declare authentication parameters.
Authentication Parameters
Parameters required for credentials during authentication are defined by spec.auth.types[].params.
For standard Kubernetes secret types with clearly defined data fields, parameters can be omitted. For example:
kubernetes.io/basic-auth: username and password authenticationkubernetes.io/ssh-auth: SSH key authentication
For custom authentication types, you can define the required authentication parameters, at this point secretType is marked as Opaque or a custom name.
For example, for GitLab's Personal Access Token (PAT) authentication:
This definition requires that the credentials used in the tool connector include the fields specified in params.
Optional Authentication
Some tools support access without authentication, marked by the optional field indicating whether authentication is optional:
For example, the following indicates that credentials for basicAuth are optional while sshAuth credentials are mandatory.
At this point, when connecting this type of tool to the platform, the basicAuth type of authentication can be omitted.
Liveness Probe
Accessibility checks are used to verify if the tool can be accessed normally. The configuration of how this type is conducted is done through the livenessProbe field.
A liveness check can be performed using either HTTP requests or the ConnectorClass API.
Probe using HTTP Requests
you can configure spec.livenessProbe.http to perform a liveness check using HTTP requests.
Example
the following snippet indicates that detection is performed using HTTP requests.
When the tool returns a 200 status, it is considered accessible.
For more details, refer to Probe using HTTP Requests in Authentication Probe. The configuration is identical, except for the field paths.
Probe using ConnectorClass API
you can configure spec.livenessProbe.api to perform a liveness check using the ConnectorClass API.
Example
the following snippet indicates that detection is performed using the ConnectorClass API.
For more details, refer to Probe using ConnectorClass API in Authentication Probe. The configuration is identical, except for the field paths.
Authentication Probe
Authentication validation is used to verify the validity of authentication credentials for tools of this type. If authentication validation is not required, the authProbes field can be omitted.
spec.authProbes[].authNamespecifies the authentication type being validated and must match one of the names defined inspec.auth.types[].name.
Authentication validation can be performed using either HTTP requests or the ConnectorClass API.
Probe using HTTP Requests
You can configure spec.authProbes[].probe.http to perform authentication validation using HTTP requests.
spec.authProbes[].probe.http.hostspecifies the target host for authentication validation. Defaults to the host from the connector address.spec.authProbes[].probe.http.pathspecifies the request path for authentication validation. This is an absolute path that will be appended to the host URI resolved from the connector'sspec.addresswhen executing the probe. Ifspec.addresscontains a path prefix, the path prefix will be ignored during authentication validation. To include the path prefix, useAuthentication Check Expressionsto dynamically retrieve it.spec.authProbes[].probe.http.methodspecifies the HTTP method for authentication validation, supporting GET and POST. Defaults to GET.spec.authProbes[].probe.http.disableRedirectspecifies whether to disable HTTP redirects during authentication validation. Defaults to false (automatic redirection is allowed).spec.authProbes[].probe.http.httpHeadersspecifies the HTTP headers to include in authentication validation requests.spec.authProbes[].probe.http.schemespecifies the URI scheme for authentication validation. Defaults to the scheme from the connector address.
Example
The following YAML configuration demonstrates that during authentication validation, the system will send a GET https://example.com/ HTTP/1.1 request to the connector address with an Authorization: abc header.
Probe using ConnectorClass API
You can configure spec.authProbes[].probe.api to perform authentication validation using the ConnectorClass API. You must first configure spec.api in the ConnectorClass specification. A 200 response indicates successful authentication, while a 401 or 403 response indicates authentication failure. More about ConnectorClass API.
spec.authProbes[].probe.api.pathspecifies the API endpoint path for authentication validation. This is a relative path that will be appended to the API address resolved from the ConnectorClass'sspec.apiconfiguration. Ifspec.apicontains a path prefix, the path prefix will be included when performing authentication validation.
Example
The following YAML configuration demonstrates that during authentication validation, the system will send a GET https://example-api.default.svc.cluster.local/api/auth/check HTTP/1.1 request to the ConnectorClass API.
Custom Authentication Validation Parameters
Some authentication validation scenarios may require additional parameters, such as specifying the repository name when validating access to a Git repository. These parameters can be defined using spec.authProbes[].params.
Authentication Validation Expressions
When configuring authProbes, expressions can be used to dynamically retrieve credential information or Connector metadata.
For example:
- Expressions can be used in the
probe.http.httpHeaders,probe.http.path, andprobe.api.pathfields. - The expression format follows Go template syntax.
- Supported top-level fields include:
.Connector: Contains information about the Connector resource itself.Secret: Contains the Secret data used for Connector authentication
- Available methods within expressions are documented in the sprig library:
- For example:
b64encfor Base64 encoding strings,trimPrefixfor removing string prefixes
- For example:
Example
Basic Authentication validation:
The connector will perform authentication validation based on the configuration defined in the ConnectorClass.
The above YAML demonstrates basic authentication validation:
path: Uses therepositoryvalue from the Connector'sauth.params, constructing the path as/<repository>/info/refs?service=git-upload-packAuthorization: When the Connector is configured with a Secret, theusernameandpasswordfields are Base64-encoded and included in the Basic authentication header.
Rego-based Authentication Logic Configuration
When tool connectors require more complex authentication logic, you can use Rego-based authentication logic configuration.
Rego is a declarative policy language that allows you to define authentication logic. In ConnectorClass, Rego policies are specified in the auth.types[].generator.rego field:
The Rego policy must follow these rules:
- Define rules under the proxy package
- Produce an auth object with the following structure:
- position: Where to inject authentication, such as "header", "query", or "body"
- contentType: Content type for body injection (optional, used with "body" position)
- auth: Map of authentication key-value pairs
Variables Available in Rego
| Variable | Type | Description |
|---|---|---|
input.data | map[string]string | Secret data used for Connector |
input.request.headers | map[string][]string | Request headers sent to the backend tool |
input.request.body | object | Request body sent to the backend tool |
input.request.query | map[string][]string | Query parameters sent to the backend tool |
input.request.method | string | HTTP method sent to the backend tool |
input.request.path | string | Request path sent to the backend tool |
input.request.host | string | Request host sent to the backend tool |
Example Rego Policies
Basic Authentication
API Key Authentication
JSON Body Authentication
Advanced Rego Techniques
You can use Rego's conditional logic for different authentication methods:
Conditional Authentication
Time-based Authentication
For more Rego language details, refer to:
ConnectorClass API
The ConnectorClass API allows developers to extend API capabilities for a ConnectorClass through an additional HTTP API service. This provides a RESTful API for the ConnectorClass, enabling clients to easily access resources within the tools when using Connectors.
If there is no need to provide custom API capabilities for the tool, spec.api can be left undefined.
Configuring API Address
The ConnectorClass API is configured in the spec.api field. You can specify the API service in three ways:
1. Through a Kubernetes Service reference:
2. Through a Service reference with a URI path prefix:
If the API address has a fixed path prefix, you can specify it using spec.api.uri:
3. Through an absolute URI:
You can also use spec.api.uri to specify the absolute path of the API:
API Address Resolution
Regardless of the configuration method used, the final resolved API address will be stored in status.api.address.url. For example:
For more information, refer to:
OpenAPI Description
The OpenAPI description is an optional configuration that serves two main purposes:
- Mark whether the API is a custom API or uses the Connector Proxy to access the tool's original API
- Provide API definitions to support API references in client dynamic forms
You can define the OpenAPI description using spec.api.openapi. The structure follows the OpenAPI 3.0 specification. For example:
You can define the x-provider-type extension field in the API paths to mark whether the API is a custom API or uses the Proxy to access the tool's original API. Valid values are api or proxy.
The x-provider-type extension is defined as: api.openapi.paths[<path>].<verb>[x-provider-type]
Example:
When clients request the Connector API, the Connectors system determines whether to use the custom API or directly use the Connectors Proxy to access the tool's original API based on the x-provider-type value in the ConnectorClass corresponding to the current Connector. When this information is not provided, or when no API path is matched, the system defaults to using the Connectors Proxy to access the tool's original API.
When you need to reference the API in dynamic forms, additional configuration is required in spec.api.openapi. For more details, refer to Using Connectors API in Dynamic Forms.
Configuration Capabilities
Configuration capabilities define the configuration files that a ConnectorClass provides to clients. These files can be mounted into Pods using the Connectors-CSI Driver.
Configuration Types
- Custom Configurations: Defined in
spec.configurations - Built-in Configurations: Automatically provided by Connectors-CSI Driver (see: Built-in Configurations)
Custom Configurations
Configurations are specified through spec.configurations:
For more details, see: Configuration File Rendering
Note: spec.configurations is optional. When undefined, only built-in configurations are available.
Metadata Information for Readability Display
ConnectorClass is a standard k8s resource that can be tagged with custom information using labels and annotations.
For example:
| Key | Description |
|---|---|
ui.cpaas.io/icon | The icon for ConnectorClass, optional. Format: data:image/svg+xml;base64,PD94bWwgdmVyc2... |
cpaas.io/display-name | The display name for ConnectorClass, optional. |
cpaas.io/description | The description for ConnectorClass, optional. |
connectors.cpaas.io/readme | Usage instructions for ConnectorClass, optional. Typically used for custom scenarios when docs-link cannot be provided. Supports Markdown format. |
connectors.cpaas.io/docs-link | Documentation link for ConnectorClass, optional. Relative or absolute path. |
For example:
ConnectorClass Proxy
The ConnectorClass Proxy is used to configure the proxy address for the ConnectorClass.
The ConnectorClass Proxy is configured through spec.proxy. For example:
The Connector will use the proxy address to proxy the request to the ConnectorClass. More information
Using Rego to extract token from request
When using the built-in reverse proxy, you can configure Rego rules using spec.proxy.authExtractor to extract tokens from client requests, enabling the built-in reverse proxy to validate client authentication using the extracted token.
For example:
Rego rules must follow these requirements:
- Rules must be defined in the
proxypackage - Use the
authvariable to return the token, where the token is a string type, for example:auth = { "token": "abcd1234" } - If the token cannot be extracted, return an empty string, for example:
auth = { "token": "" }
The following variables are available in Rego:
| key | type | description | Example |
|---|---|---|---|
| request.headers | map[string][]string | Headers of the request sent to the built-in reverse proxy | input.request.headers["X-Token"][0] |
| request.body | object | Body of the request sent to the built-in reverse proxy | input.request.body.token |
| request.query | map[string][]string | Query parameters of the request sent to the built-in reverse proxy | input.request.query["token"][0] |
| request.method | string | HTTP method of the request sent to the built-in reverse proxy | input.request.method |
| request.path | string | Path of the request sent to the built-in reverse proxy | input.request.path |
| request.host | string | Host of the request sent to the built-in reverse proxy | input.request.host |
Notes:
- Header keys in
headersuse Canonical MIME Header Key format (capitalized first letter) - When implementing Rego rules, ensure robust logic. For example, return an empty string when
input.request.headersis null or empty.
Example
This example demonstrates robust token extraction by:
- Defining a default rule that returns an empty token string
- Checking that headers exist and are not null before accessing them
- Verifying that the specific header key exists and has at least one value
For more advanced Rego rules, see the Rego Policy Language documentation. For more information about using the built-in reverse proxy, see Connectors Proxy.
Resolver Type
The proxy address of the ConnectorClass will be resolved according to the specified resolver type.
The resolver type is configured through annotations connectors.cpaas.io/proxy-resolver. For example:
This field is a convention between ConnectorClass-Proxy and Connector. Optional.
Supported values: host, path. Default is host.
hostformat:http://{.ConnectorClass.Status.ProxyAddress.URL}pathformat:http://{.ConnectorClass.Status.ProxyAddress.URL}/namespaces/{namespace}/connectors/{connector-name}
Status Information
Once you have defined the ConnectorClass resource, the status information of the resource will be stored in status.
The status.conditions type includes:
APIReady: Status information of the API capabilityProxyReady: Status information of the Proxy capabilityReady: Marks the overall status of the current ConnectorClass
Ready Condition
The Ready Condition is used to mark the status of the current ConnectorClass. It aggregates the status of other conditions.
- When other Conditions are True, the current Condition is True.
- When any other Condition is False, the current Condition is False.
- When any other Condition is Unknown, the current Condition is Unknown.
APIReady Condition
Indicates the status information of the API service configured for the ConnectorClass. The API service is configured through ConnectorClass's spec.api.
| Status | Reason | Description |
|---|---|---|
| True | NonAPI | spec.api not configured, the current ConnectorClass has no API capability |
| True | spec.api defined, API service is normal | |
| False | spec.api defined, API capability is abnormal or detection itself is abnormal | |
| Unknown | API capability detection in progress |
Note:
- The API detection will only attempt to request the link and will not make any HTTP return value judgments. The health check of the API service should rely on the health check mechanism of the API service itself.
- Since the API service may change at any time, the status information of the API cannot reflect real-time information. It is recommended that clients use this status information as a hint rather than relying on it to block client behavior.
ProxyReady Condition
Indicates the status information of the Proxy service configured for the ConnectorClass. The Proxy service is configured through ConnectorClass's spec.proxy.
| Status | Reason | Description |
|---|---|---|
| True | NonProxy | spec.proxy not configured, the current ConnectorClass has no Proxy capability |
| True | spec.proxy defined, Proxy service is normal | |
| False | spec.proxy defined, Proxy capability is abnormal or detection itself is abnormal | |
| Unknown | Proxy capability detection in progress |
Compatibility
Updates to the ConnectorClass may affect existing Connectors. If there are incompatible changes to the ConnectorClass, it may cause previously created Connectors to become invalid. Here are some possible changes that may lead to incompatibility:
-
Changes in authentication information: If the ConnectorClass modifies the supported authentication types or methods, it may cause Connectors using the old authentication method to malfunction.
-
Changes in configuration information: If the configuration information of the ConnectorClass changes, such as removing an existing configuration, it may cause Kubernetes workloads that depend on the old configuration to malfunction.
It is recommended to confirm the scope of impact when updating the ConnectorClass, or if necessary, create a new ConnectorClass.
More Examples
-
ConnectorClass supporting
basic-authauthentication type -
Custom authentication type ConnectorClass
-
ConnectorClass configured with
liveness probe -
ConnectorClass configured with
auth probe -
Complete Git connector configuration example: