chore(updater): bump pkg/dist/*.yml (2025-10-10)

pkg/dist/service_types.yml

@@ -1708,7 +1708,7 @@ grafana:
       example: lax
     custom_domain:
       title: Custom domain
-      description: Serve the web frontend using a custom CNAME pointing to the Aiven DNS name
+      description: Serve the web frontend using a custom CNAME pointing to the Aiven DNS name. When you set a custom domain for a service deployed in a VPC, the service certificate is only created for the public-* hostname and the custom domain.
       type: string
       max_length: 255
       example: grafana.example.org
@@ -2069,7 +2069,7 @@ influxdb:
       max_items: 1
     custom_domain:
       title: Custom domain
-      description: Serve the web frontend using a custom CNAME pointing to the Aiven DNS name
+      description: Serve the web frontend using a custom CNAME pointing to the Aiven DNS name. When you set a custom domain for a service deployed in a VPC, the service certificate is only created for the public-* hostname and the custom domain.
       type: string
       max_length: 255
       example: grafana.example.org
@@ -2234,7 +2234,7 @@ kafka:
       example: true
     custom_domain:
       title: Custom domain
-      description: Serve the web frontend using a custom CNAME pointing to the Aiven DNS name
+      description: Serve the web frontend using a custom CNAME pointing to the Aiven DNS name. When you set a custom domain for a service deployed in a VPC, the service certificate is only created for the public-* hostname and the custom domain.
       type: string
       max_length: 255
       example: grafana.example.org
@@ -4545,7 +4545,7 @@ opensearch:
           pattern: ^[^\r\n]*$
     custom_domain:
       title: Custom domain
-      description: Serve the web frontend using a custom CNAME pointing to the Aiven DNS name
+      description: Serve the web frontend using a custom CNAME pointing to the Aiven DNS name. When you set a custom domain for a service deployed in a VPC, the service certificate is only created for the public-* hostname and the custom domain.
       type: string
       max_length: 255
       example: grafana.example.org
@@ -5030,6 +5030,86 @@ opensearch:
         max_length: 43
         example: 10.20.0.0/16
       max_items: 8000
+    jwt:
+      title: OpenSearch JWT Configuration
+      type: object
+      required:
+        - enabled
+        - signing_key
+      properties:
+        enabled:
+          title: Enable or disable OpenSearch JWT authentication
+          description: Enables or disables JWT-based authentication for OpenSearch. When enabled, users can authenticate using JWT tokens.
+          type: boolean
+          default: false
+        jwt_clock_skew_tolerance_seconds:
+          title: JWT clock skew tolerance in seconds
+          description: The maximum allowed time difference in seconds between the JWT issuer's clock and the OpenSearch server's clock. This helps prevent token validation failures due to minor time synchronization issues.
+          type: integer
+          default: "20"
+          minimum: "0"
+          maximum: "300"
+          example: "20"
+        jwt_header:
+          title: HTTP header name for JWT token
+          description: The HTTP header name where the JWT token is transmitted. Typically 'Authorization' for Bearer tokens.
+          type: string
+          default: Authorization
+          min_length: 1
+          max_length: 256
+          pattern: ^[^\r\n]*$
+          example: Authorization
+        jwt_url_parameter:
+          title: URL parameter name for JWT token
+          description: If the JWT token is transmitted as a URL parameter instead of an HTTP header, specify the parameter name here.
+          type: string
+          min_length: 1
+          max_length: 256
+          pattern: ^[^\r\n]*$
+          example: token
+        required_audience:
+          title: Required JWT audience
+          description: If specified, the JWT must contain an 'aud' claim that matches this value. This provides additional security by ensuring the JWT was issued for the expected audience.
+          type: string
+          min_length: 1
+          max_length: 1024
+          pattern: ^[^\r\n]*$
+          example: https://myapp.example.com
+        required_issuer:
+          title: Required JWT issuer
+          description: If specified, the JWT must contain an 'iss' claim that matches this value. This provides additional security by ensuring the JWT was issued by the expected issuer.
+          type: string
+          min_length: 1
+          max_length: 1024
+          pattern: ^[^\r\n]*$
+          example: https://auth.example.com
+        roles_key:
+          title: JWT claim key for roles
+          description: The key in the JWT payload that contains the user's roles. If specified, roles will be extracted from the JWT for authorization.
+          type: string
+          min_length: 1
+          max_length: 256
+          pattern: ^[^\r\n]*$
+          example: roles
+        signing_key:
+          title: JWT signing key
+          description: The secret key used to sign and verify JWT tokens. This should be a secure, randomly generated key HMAC key or public RSA/ECDSA key.
+          type: string
+          min_length: 1
+          max_length: 1024
+          example: |-
+            MrJiimVjKgjRKCSk0s6rcEuCz17v5ZyFRqKARfZbuZE= (HMAC) or -----BEGIN PUBLIC KEY-----
+            MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
+            -----END PUBLIC KEY----- (PEM)
+          _secure: true
+        subject_key:
+          title: JWT claim key for subject
+          description: The key in the JWT payload that contains the user's subject identifier. If not specified, the 'sub' claim is used by default.
+          type: string
+          min_length: 1
+          max_length: 256
+          pattern: ^[^\r\n]*$
+          example: sub
     keep_index_refresh_interval:
       title: Don't reset index.refresh_interval to the default value
       description: Aiven automation resets index.refresh_interval to default value for every index to be sure that indices are always visible to search. If it doesn't fit your case, you can disable this by setting up this flag to true.
@@ -6465,6 +6545,7 @@ pg:
           description: Sets the PostgreSQL maximum number of concurrent connections to the database server. This is a limited-release parameter. Contact your account team to confirm your eligibility. You cannot decrease this parameter value when set. For services with a read replica, first increase the read replica's value. After the change is applied to the replica, you can increase the primary service's value. Changing this parameter causes a service restart.
           type: integer
           minimum: "25"
+          maximum: "262143"
         max_files_per_process:
           title: max_files_per_process
           description: PostgreSQL maximum number of files that can be open per process. The default is `1000` (upstream default). Changing this parameter causes a service restart.