| `metadata`_[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `metadata`_[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `apiEndpoint`_[ApiEndpointSpec](#apiendpointspec)_ | ApiEndpoint - Configure the endpoint for all API routes<br/>this includes the JWT configuration | | |
| `dashboardEndpoint`_[DashboardEndpointSpec](#dashboardendpointspec)_ | DashboardEndpoint - Configure the endpoint for the Supabase dashboard (studio)<br/>this includes optional authentication (basic or Oauth2) for the dashboard | | |
| `serviceSelector`_[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#labelselector-v1-meta)_ | ServiceSelector - selector to match all Supabase services (or in fact EndpointSlices) that should be considered for this APIGateway | \{ matchExpressions:[map[key:app.kubernetes.io/part-of operator:In values:[supabase]] map[key:supabase.k8s.icb4dc0.de/api-gateway-target operator:Exists]] \} | |
| `componentTypeLabel`_string_ | ComponentTypeLabel - Label to identify which Supabase component a Service represents (e.g. auth, postgrest, ...) | app.kubernetes.io/name | |
| `jwks`_[SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#secretkeyselector-v1-core)_ | JWKSSelector - selector where the JWKS can be retrieved from to enable the API gateway to validate JWTs | | |
| `metadata`_[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `metadata`_[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `externalUrl`_string_ | APIExternalURL is referring to the URL where Supabase API will be available<br/>Typically this is the ingress of the API gateway | | |
| `siteUrl`_string_ | SiteURL is referring to the URL of the (frontend) application<br/>In most Kubernetes scenarios this is the same as the APIExternalURL with a different path handler in the ingress | | |
| `metadata`_[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `oauth2`_[DashboardOAuth2Spec](#dashboardoauth2spec)_ | OAuth2 - configure oauth2 authentication for the dashhboard listener<br/>if configured, will be preferred over Basic authentication configuration<br/>effectively disabling basic auth | | |
| `basic`_[DashboardBasicAuthSpec](#dashboardbasicauthspec)_ | Basic - HTTP basic auth configuration, this should only be used in exceptions<br/>e.g. during evaluations or for local development<br/>only used if no other authentication is configured | | |
| `plaintextUsersSecretRef`_string_ | PlaintextUsersSecretRef - name of a secret that contains plaintext credentials in key-value form<br/>if not empty, credentials will be merged with inline users | | |
| `dbCredentialsRef`_[DbCredentialsReference](#dbcredentialsreference)_ | DBCredentialsRef - reference to a Secret key where the DB credentials can be retrieved from<br/>Credentials need to be stored in basic auth form | | |
| `metadata`_[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `openIdIssuer`_string_ | OpenIDIssuer - if set the defaulter will fetch the discovery document and fill<br/>TokenEndpoint and AuthorizationEndpoint based on the discovery document | | |
| `tokenEndpoint`_string_ | TokenEndpoint - endpoint where Envoy will retrieve the OAuth2 access and identity token from | | |
| `authorizationEndpoint`_string_ | AuthorizationEndpoint - endpoint where the user will be redirected to authenticate | | |
| `clientId`_string_ | ClientID - client ID to authenticate with the OAuth2 provider | | |
| `scopes`_string array_ | Scopes - scopes to request from the OAuth2 provider (e.g. "openid", "profile", ...) - optional | | |
| `resources`_string array_ | Resources - resources to request from the OAuth2 provider (e.g. "user", "email", ...) - optional | | |
| `clientSecretRef`_[SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#secretkeyselector-v1-core)_ | ClientSecretRef - reference to the secret that contains the client secret | | |
| `selfManaged`_boolean_ | SelfManaged - whether the database roles are managed externally<br/>when enabled the operator does not attempt to create secrets, generate passwords or whatsoever for all database roles<br/>i.e. all secrets need to be provided or the instance won't work | | |
| `secrets`_[DatabaseRolesSecrets](#databaserolessecrets)_ | Secrets - typed 'map' of secrets for each database role that Supabase needs | | |
| `component`_string_ | Component - the component to set the log level for<br/>the component IDs can be found [here](https://github.com/envoyproxy/envoy/blob/main/source/common/common/logger.h#L36) | | |
| `level`_[EnvoyLogLevel](#envoyloglevel)_ | Level - the log level to set for the component | | Enum: [trace debug info warning error critical off] <br/> |
| `nodeName`_string_ | NodeName - identifies the Envoy cluster within the current namespace<br/>if not set, the name of the APIGateway resource will be used<br/>The primary use case is to make the assignment of multiple supabase instances in a single namespace explicit. | | |
| `controlPlane`_[ControlPlaneSpec](#controlplanespec)_ | ControlPlane - configure the control plane where Envoy will retrieve its configuration from | | |
| `disableIPv6`_boolean_ | DisableIPv6 - disable IPv6 for the Envoy instance<br/>this will force Envoy to use IPv4 for upstream hosts (mostly for the OAuth2 token endpoint) | | |
| `name`_string_ | Name - file name of the migration script | | |
| `hash`_integer array_ | Hash - SHA256 hash of the script when it was last successfully applied | | |
| `lastProbeTime`_[Time](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#time-v1-meta)_ | LastProbeTime - last time the operator tried to execute the migration script | | |
| `lastTransitionTime`_[Time](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#time-v1-meta)_ | LastTransitionTime - last time the condition transitioned from one status to another | | |
| `reason`_string_ | Reason - one-word, CamcelCase reason for the condition's last transition | | |
| `message`_string_ | Message - human-readable message indicating details about the last transition | | |
| `schemas`_string array_ | Schemas - schema where PostgREST is looking for objects (tables, views, functions, ...) | [public graphql_public] | |
| `extraSearchPath`_string array_ | ExtraSearchPath - Extra schemas to add to the search_path of every request.<br/>These schemas tables, views and functions don’t get API endpoints, they can only be referred from the database objects inside your db-schemas. | [public extensions] | |
| `region`_string_ | Region - S3 region of the backend | | |
| `endpoint`_string_ | Endpoint - hostname and port **with** http/https | | |
| `forcePathStyle`_boolean_ | ForcePathStyle - whether to use path style (e.g. for MinIO) or domain style<br/>for bucket addressing | | |
| `bucket`_string_ | Bucket - bucke to use, if file backend is used, default value is sufficient | stub | |
| `credentialsSecretRef`_[S3CredentialsRef](#s3credentialsref)_ | CredentialsSecretRef - reference to the Secret where access key id and access secret key are stored | | |
| `credentialsSecretRef`_[S3CredentialsRef](#s3credentialsref)_ | CredentialsSecretRef - reference to the Secret where access key id and access secret key are stored | | |
| `metadata`_[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `port`_integer_ | Port - Database port, typically 5432 | 5432 | |
| `dbName`_string_ | | | |
| `dbCredentialsRef`_[DbCredentialsReference](#dbcredentialsreference)_ | DBCredentialsRef - reference to a Secret key where the DB credentials can be retrieved from<br/>Credentials need to be stored in basic auth form | | |
| `fileBackend`_[FileBackendSpec](#filebackendspec)_ | FileBackend - configure the file backend<br/>either S3 or file backend **MUST** be configured | | |
| `fileSizeLimit`_integer_ | FileSizeLimit - maximum file upload size in bytes | 52428800 | |
| `jwtAuth`_[JwtSpec](#jwtspec)_ | JwtAuth - Configure the JWT authentication parameters.<br/>This includes where to retrieve anon and service key from as well as JWT secret and JWKS references<br/>needed to validate JWTs send to the API | | |
| `db`_[StorageApiDbSpec](#storageapidbspec)_ | DBSpec - Configure access to the Postgres database<br/>In most cases this will reference the supabase-storage-admin credentials secret provided by the Core resource | | |
| `s3`_[S3ProtocolSpec](#s3protocolspec)_ | S3Protocol - Configure S3 access to the Storage API allowing clients to use any S3 client | | |
| `uploadTemp`_[UploadTempSpec](#uploadtempspec)_ | UploadTemp - configure the emptyDir for storing intermediate files during uploads | | |
| `metadata`_[ListMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#listmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `api`_[StorageApiSpec](#storageapispec)_ | Api - configure the Storage API | | |
| `imageProxy`_[ImageProxySpec](#imageproxyspec)_ | ImageProxy - optionally enable and configure the image proxy<br/>the image proxy scale images to lower resolutions on demand to reduce traffic for instance for mobile devices | | |
| `gatewayServiceSelector`_object (keys:string, values:string)_ | GatewayServiceSelector - selector to find the service for the API gateway<br/>Required to configure the API URL in the studio deployment<br/>If you don't run multiple APIGateway instances in the same namespaces, the default will be fine | \{ app.kubernetes.io/component:api-gateway app.kubernetes.io/name:envoy \} | |
| `externalUrl`_string_ | APIExternalURL is referring to the URL where Supabase API will be available<br/>Typically this is the ingress of the API gateway | | |
| `medium`_[StorageMedium](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#storagemedium-v1-core)_ | Medium of the empty dir to cache uploads | | |
