Usage
One page per feature. JaaS has two faces over one evaluation core: the HTTP
renderer and the Flux operator (--enable-flux-integration). The first
pages below cover the renderer; the rest cover the operator. The API reference
carries the exhaustive field-by-field detail.
- Admission webhook
The opt-in validating webhook for JsonnetSnippet, what it rejects, the failure-policy trade-off, and the two TLS provisioning modes.
- Alerting
The opt-in PrometheusRule alert catalog with tunable thresholds and runbook links, plus Kubernetes Events routed through Flux's notification-controller.
- Creating source artifacts
Step-by-step recipes to prepare GitRepository, OCIRepository, and Bucket sources for a JsonnetSnippet — including the single-layer rule for OCI.
- Evaluation and security
Timeout, stack, and concurrency caps on evaluation, and the security model to lock down before exposing the service.
- External variables and TLAs
Passing values into a render through external variables and top-level arguments.
- JOI images
The catalog of prebuilt Jsonnet OCI Images (JOI) — every published library, its image reference, upstream source, and description — ready to import into snippets.
- Jsonnet libraries
Reusable .libsonnet files for snippets via the JsonnetLibrary CRD and OCI-mounted shared libraries, and how imports resolve.
- Logging
JaaS logs through log/slog with configurable level and format; in operator mode controller-runtime's own logs share the same handler. Reading JSON logs with kubectl and jq, and the Helm chart keys that drive it.
- Metrics
The controller-runtime Prometheus endpoint, the custom jaas_ metric family, scraping with a ServiceMonitor or a plain scrape config, querying with PromQL, and the Helm chart keys that drive it.
- Network policy
The opt-in NetworkPolicy the chart ships — pod-scoped allowlists vs. a namespace-wide default-deny, choosing a policy engine, the ingress and egress traffic JaaS needs, and how to tighten each port.
- Observability
How to watch JaaS in production — structured logs, OTLP traces, Prometheus metrics, and the shipped alert catalog with Kubernetes Events and Flux notification routing.
- Operator mode
Boot JaaS as a Kubernetes operator that evaluates JsonnetSnippet CRs and publishes the results as Flux ExternalArtifacts.
- Rendering endpoint
The GET /jsonnet/{snippet} request, snippet resolution, the management probes, and the stable error contract.
- Service mesh
The opt-in service-mesh authorization the chart ships — Istio or Linkerd identity-based authorization and mTLS layered over networkPolicy, per-port allowed mesh identities, the non-mesh carve-outs for the apiserver and kubelet, and native passthrough.
- Snippet sources
Where a JsonnetSnippet's Jsonnet comes from — inline files, a Flux source, a multi-snippet tree, and chained snippet output.
- Snippets and libraries
Declaring snippets and libraries on disk for the HTTP renderer, and how imports resolve.
- Storage and high availability
The local and S3 artifact backends, leader election, multi-replica HA, revision retention, and the orphan-tmp sweep.
- Tenancy and RBAC
Per-snippet ServiceAccount impersonation, the minimal operator ClusterRole, the tenant Role callers must grant, and the watch-scope flags.
- Tracing
The JaaS operator exports OpenTelemetry traces over OTLP gRPC. Pointing it at a collector, sampling, viewing spans, and the Helm chart keys that drive it.