diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/README.md b/operators/sailoperator/0.1.0-nightly-2024-08-06/README.md new file mode 100644 index 00000000000..b3f44a999cd --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/README.md @@ -0,0 +1,465 @@ +# About the Sail Operator + +The Sail Operator is able to install and manage the lifecycle of the Istio +control plane in an OpenShift cluster. + + +## Prerequisites + +You have deployed a cluster on OpenShift Container Platform 4.13 or later. + +You are logged in to the OpenShift Container Platform web console as a user with +the `cluster-admin` role. + +You have access to the OpenShift CLI (oc). + + +## Installing the Sail Operator + +1. Navigate to the OperatorHub. + +1. Click **Operator** -> **Operator Hub**. + +1. Search for "sail". + +1. Locate the Sail Operator, and click to select it. + +1. When the prompt that discusses the community operator appears, click **Continue**. + +1. Verify the Sail Operator is version 0.1, and click **Install**. + +1. Use the default installation settings presented, and click **Install** to continue. + +1. Click **Operators** -> **Installed Operators** to verify that the Sail Operator +is installed. `Succeeded` should appear in the **Status** column. + + +## Deploying Istio + +To deploy Istio, you must create two resources: `Istio` and `IstioCNI`. The +`Istio` resource deploys and configures the Istio Control Plane, whereas the +`IstioCNI` resource deploys and configures the Istio CNI plugin. You should +create these resources in separate projects. + + +### Creating the istio-system and istio-cni Projects + +1. In the OpenShift Container Platform web console, click **Home** -> **Projects**. + +1. Click **Create Project**. + +1. At the prompt, you must enter a name for the project in the **Name** field. +For example, `istio-system`. The Operator deploys Istio to the project you +specify. The other fields provide supplementary information and are optional. + +1. Click **Create**. + +Repeat the process to create a project named `istio-cni`. + + +### Creating the Istio resource + +1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**. +1. Select the `istio-system` project from the **Namespace** drop-down menu. +1. Click the Sail Operator. +1. Click **Istio**. +1. Click **Create Istio**. +1. Click **Create**. This action deploys the Istio control plane. +1. When `State: Healthy` appears in the `Status` column, Istio is successfully deployed. + + +### Creating the IstioCNI resource + +1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**. +1. Click the Sail Operator. +1. Click **IstioCNI**. +1. Click **Create IstioCNI**. +1. Ensure that the name is `default`. +1. Select the `istio-cni` project from the **Namespace** drop-down menu. +1. Click **Create**. This action deploys the Istio CNI plugin. +1. When `State: Healthy` appears in the `Status` column, the Istio CNI plugin is successfully deployed. + + +### Selecting the Istio and IstioCNI versions + +The `version` field of the `Istio` and `IstioCNI` resource defines which version +of each component should be deployed. This can be set using the `Istio Version` +drop down menu when creating a new `Istio` with the OpenShift Container Platform +web console. For a list of available versions, see the [versions.yaml](/versions.yaml) file +or use the command: + + ```sh + $ kubectl explain istio.spec.version + ``` + +### Customizing Istio configuration + +The `spec.values` field of the `Istio` and `IstioCNI` resource can be used to +customize Istio and Istio CNI plugin configuration using Istio's `Helm` +configuration values. When you create this resource using the OpenShift +Container Platform web console, it is pre-populated with configuration settings +to enable Istio to run on OpenShift. + +To view or modify the `Istio` resource from the OpenShift Container Platform web console: + +1. Click **Operators** -> **Installed Operators**. +1. Click **Istio** in the **Provided APIs** column. +1. Click `Istio` instance, "istio-sample" by default, in the **Name** column. +1. Click **YAML** to view the `Istio` configuration and make modifications. + +An example configuration: + +``` +apiVersion: operator.istio.io/v1alpha1 +kind: Istio +metadata: + name: example +spec: + version: v1.20.0 + values: + global: + mtls: + enabled: true + trustDomainAliases: + - example.net + meshConfig: + trustDomain: example.com + trustDomainAliases: + - example.net +``` + +For a list of available configuration for the `spec.values` field, run the +following command: + + ```sh + $ kubectl explain istio.spec.values + ``` + +For the `IstioCNI` resource, replace `istio` with `istiocni` in the command above. + +Alternatively, refer to [Istio's artifacthub chart documentation](https://artifacthub.io/packages/search?org=istio&sort=relevance&page=1) for: + +- [Base parameters](https://artifacthub.io/packages/helm/istio-official/base?modal=values) +- [Istiod parameters](https://artifacthub.io/packages/helm/istio-official/istiod?modal=values) +- [Gateway parameters](https://artifacthub.io/packages/helm/istio-official/gateway?modal=values) +- [CNI parameters](https://artifacthub.io/packages/helm/istio-official/cni?modal=values) +- [ZTunnel parameters](https://artifacthub.io/packages/helm/istio-official/ztunnel?modal=values) + + +## Installing the istioctl tool + +The `istioctl` tool is a configuration command line utility that allows service +operators to debug and diagnose Istio service mesh deployments. + + +### Prerequisites + +Use an `istioctl` version that is the same version as the Istio control plane +for the Service Mesh deployment. See [Istio Releases](https://github.com/istio/istio/releases) for a list of valid +releases, including Beta releases. + + +### Procedure + +1. Confirm if you have `istioctl` installed, and if so which version, by running +the following command at the terminal: + + ```sh + $ istioctl version + ``` + +1. Confirm the version of Istio you are using by running the following command +at the terminal: + + ```sh + $ oc -n istio-system get istio + ``` + +1. Install `istioctl` by running the following command at the terminal: + + ```sh + $ curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION= sh - + ``` + Replace `` with the version of Istio you are using. + +1. Put the `istioctl` directory on path by running the following command at the terminal: + + ```sh + $ export PATH=$HOME/.istioctl/bin:$PATH + ``` + +1. Confirm that the `istioctl` client version and the Istio control plane +version now match (or are within one version) by running the following command +at the terminal: + + ```sh + $ istioctl version + ``` + + +*Note*: `istioctl install` is not supported. The Sail Operator installs Istio. + +## Installing the Bookinfo Application + +You can use the `bookinfo` example application to explore service mesh features. +Using the `bookinfo` application, you can easily confirm that requests from a +web browser pass through the mesh and reach the application. + +The `bookinfo` application displays information about a book, similar to a +single catalog entry of an online book store. The application displays a page +that describes the book, lists book details (ISBN, number of pages, and other +information), and book reviews. + +The `bookinfo` application is exposed through the mesh, and the mesh configuration +determines how the microservices comprising the application are used to serve +requests. The review information comes from one of three services: `reviews-v1`, +`reviews-v2` or `reviews-v3`. If you deploy the `bookinfo` application without +defining the `reviews` virtual service, then the mesh uses a round-robin rule to +route requests to a service. + +By deploying the `reviews` virtual service, you can specify a different behavior. +For example, you can specify that if a user logs into the `bookinfo` application, +then the mesh routes requests to the `reviews-v2` service, and the application +displays reviews with black stars. If a user does not log into the `bookinfo` +application, then the mesh routes requests to the `reviews-v3` service, and the +application displays reviews with red stars. + +For more information, see [Bookinfo Application](https://istio.io/latest/docs/examples/bookinfo/) in the upstream Istio documentation. + +After following the instructions for [Deploying the application](https://istio.io/latest/docs/examples/bookinfo/#start-the-application-services), **you +will need to create and configure a gateway** for the `bookinfo` application to +be accessible outside the cluster. + + +## Creating and Configuring Gateways + +The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not +part of the control plane. As a security best-practice, Ingress and Egress +Gateways should be deployed in a different namespace than the namespace that +contains the control plane. + +You can deploy gateways using either the Gateway API or Gateway Injection methods. + + +### Option 1: Istio Gateway Injection + +Gateway Injection uses the same mechanisms as Istio sidecar injection to create +a gateway from a `Deployment` resource that is paired with a `Service` resource +that can be made accessible from outside the cluster. For more information, see +[Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). + +To configure gateway injection with the `bookinfo` application, we have provided +a [sample gateway configuration](../chart/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace +where the application is installed: + +1. Create the `istio-ingressgateway` deployment and service: + + ```sh + $ oc apply -f -n ingress-gateway.yaml + ``` + +2. Configure the `bookinfo` application with the new gateway: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml + ``` + +3. On OpenShift, you can use a [Route](https://docs.openshift.com/container-platform/4.13/networking/routes/route-configuration.html) to expose the gateway externally: + + ```sh + $ oc expose service istio-ingressgateway + ``` + +4. Finally, obtain the gateway host name and the URL of the product page: + + ```sh + $ HOST=$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}') + $ echo http://$HOST/productpage + ``` + +Verify that the `productpage` is accessible from a web browser. + + +### Option 2: Kubernetes Gateway API + +Istio includes support for Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) and intends to make it +the default API for [traffic management in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). For more +information, see Istio's [Kubernetes Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/) page. + +As of Kubernetes 1.28 and OpenShift 4.14, the Kubernetes Gateway API CRDs are +not available by default and must be enabled to be used. This can be done with +the command: + +```sh +$ oc get crd gateways.gateway.networking.k8s.io &> /dev/null || { oc kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.0.0" | oc apply -f -; } +``` + +To configure `bookinfo` with a gateway using `Gateway API`: + +1. Create and configure a gateway using a `Gateway` and `HTTPRoute` resource: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml + ``` + +2. Retrieve the host, port and gateway URL: + + ```sh + $ export INGRESS_HOST=$(oc get gtw bookinfo-gateway -o jsonpath='{.status.addresses[0].value}') + $ export INGRESS_PORT=$(oc get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}') + $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT + ``` + +3. Obtain the `productpage` URL and check that you can visit it from a browser: + + ```sh + $ echo "http://${GATEWAY_URL}/productpage" + ``` + + +## Istio Addons Integrations + +Istio can be integrated with other software to provide additional functionality +(More information can be found in: https://istio.io/latest/docs/ops/integrations/). +The following addons are for demonstration or development purposes only and +should not be used in production environments: + + +### Prometheus + +`Prometheus` is an open-source systems monitoring and alerting toolkit. You can +use `Prometheus` with the Sail Operator to keep an eye on how healthy Istio and +the apps in the service mesh are, for more information, see [Prometheus](https://istio.io/latest/docs/ops/integrations/prometheus/). + +To install Prometheus, perform the following steps: + +1. Deploy `Prometheus`: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml + ``` +2. Access to `Prometheus`console: + + * Expose the `Prometheus` service externally: + + ```sh + $ oc expose service prometheus -n istio-system + ``` + * Get the route of the service and open the URL in the web browser + + ```sh + $ oc get route prometheus -o jsonpath='{.spec.host}' -n istio-system + ``` + + +### Grafana + +`Grafana` is an open-source platform for monitoring and observability. You can +use `Grafana` with the Sail Operator to configure dashboards for istio, see +[Grafana](https://istio.io/latest/docs/ops/integrations/grafana/) for more information. + +To install Grafana, perform the following steps: + +1. Deploy `Grafana`: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml + ``` + +2. Access to `Grafana`console: + + * Expose the `Grafana` service externally + + ```sh + $ oc expose service grafana -n istio-system + ``` + * Get the route of the service and open the URL in the web browser + + ```sh + $ oc get route grafana -o jsonpath='{.spec.host}' -n istio-system + ``` + + +### Jaeger + +`Jaeger` is an open-source end-to-end distributed tracing system. You can use +`Jaeger` with the Sail Operator to monitor and troubleshoot transactions in +complex distributed systems, see [Jaeger](https://istio.io/latest/docs/ops/integrations/jaeger/) for more information. + +To install Jaeger, perform the following steps: + +1. Deploy `Jaeger`: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/jaeger.yaml + ``` +2. Access to `Jaeger` console: + + * Expose the `Jaeger` service externally: + + ```sh + $ oc expose svc/tracing -n istio-system + ``` + + * Get the route of the service and open the URL in the web browser + + ```sh + $ oc get route tracing -o jsonpath='{.spec.host}' -n istio-system + ``` +*Note*: if you want to see some traces you can refresh several times the product +page of bookinfo app to start generating traces. + + +### Kiali + +`Kiali` is an open-source project that provides a graphical user interface to +visualize the service mesh topology, see [Kiali](https://istio.io/latest/docs/ops/integrations/kiali/) for more information. + +To install Kiali, perform the following steps: + +1. Deploy `Kiali`: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml + ``` + +2. Access to `Kiali` console: + + * Expose the `Kiali` service externally: + + ```sh + $ oc expose service kiali -n istio-system + ``` + + * Get the route of the service and open the URL in the web browser + + ```sh + $ oc get route kiali -o jsonpath='{.spec.host}' -n istio-system + ``` + + +## Undeploying Istio and the Sail Operator + +### Deleting Istio +1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**. +1. Click **Istio** in the **Provided APIs** column. +1. Click the Options menu, and select **Delete Istio**. +1. At the prompt to confirm the action, click **Delete**. + +### Deleting IstioCNI +1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**. +1. Click **IstioCNI** in the **Provided APIs** column. +1. Click the Options menu, and select **Delete IstioCNI**. +1. At the prompt to confirm the action, click **Delete**. + +### Deleting the Sail Operator +1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**. +1. Locate the Sail Operator. Click the Options menu, and select **Uninstall Operator**. +1. At the prompt to confirm the action, click **Uninstall**. + +### Deleting the Projects +1. In the OpenShift Container Platform web console, click **Home** -> **Projects**. +1. Locate the name of the project and click the Options menu. +1. Click **Delete Project**. +1. At the prompt to confirm the action, enter the name of the project. +1. Click **Delete**. diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/extensions.istio.io_wasmplugins.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/extensions.istio.io_wasmplugins.yaml new file mode 100644 index 00000000000..b315365b9f3 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/extensions.istio.io_wasmplugins.yaml @@ -0,0 +1,298 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: wasmplugins.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: WasmPlugin + listKind: WasmPluginList + plural: wasmplugins + singular: wasmplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' + properties: + failStrategy: + description: |- + Specifies the failure behavior for the plugin due to fatal errors. + + Valid Options: FAIL_CLOSE, FAIL_OPEN + enum: + - FAIL_CLOSE + - FAIL_OPEN + type: string + imagePullPolicy: + description: |- + The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + + Valid Options: IfNotPresent, Always + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. + maxLength: 253 + minLength: 1 + type: string + match: + description: Specifies the criteria to determine which traffic is + passed to WasmPlugin. + items: + properties: + mode: + description: |- + Criteria for selecting traffic by their direction. + + Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER + enum: + - UNDEFINED + - CLIENT + - SERVER + - CLIENT_AND_SERVER + type: string + ports: + description: Criteria for selecting traffic by their destination + port. + items: + properties: + number: + maximum: 65535 + minimum: 1 + type: integer + required: + - number + type: object + type: array + x-kubernetes-list-map-keys: + - number + x-kubernetes-list-type: map + type: object + type: array + phase: + description: |- + Determines where in the filter chain this `WasmPlugin` is to be injected. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED_PHASE + - AUTHN + - AUTHZ + - STATS + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. + type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + description: The plugin name to be used in the Envoy configuration + (used to be called `rootID`). + maxLength: 256 + minLength: 1 + type: string + priority: + description: Determines ordering of `WasmPlugins` in the same `phase`. + format: int32 + nullable: true + type: integer + selector: + description: Criteria used to select the specific set of pods/VMs + on which this plugin configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + sha256: + description: SHA256 checksum that will be used to verify Wasm module + or OCI container. + pattern: (^$|^[a-f0-9]{64}$) + type: string + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + type: + description: |- + Specifies the type of Wasm Extension to be used. + + Valid Options: HTTP, NETWORK + enum: + - UNSPECIFIED_PLUGIN_TYPE + - HTTP + - NETWORK + type: string + url: + description: URL of a Wasm module or OCI container. + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have schema one of [http, https, file, oci] + rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', + ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && + url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', + ''oci'', ''file''])' + verificationKey: + type: string + vmConfig: + description: Configuration for a Wasm VM. + properties: + env: + description: Specifies environment variables to be injected to + this VM. + items: + properties: + name: + description: Name of the environment variable. + maxLength: 256 + minLength: 1 + type: string + value: + description: Value for the environment variable. + maxLength: 2048 + type: string + valueFrom: + description: |- + Source for the environment variable's value. + + Valid Options: INLINE, HOST + enum: + - INLINE + - HOST + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: value may only be set when valueFrom is INLINE + rule: '(has(self.valueFrom) ? self.valueFrom : '''') != ''HOST'' + || !has(self.value)' + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - url + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 00000000000..2364173d98c --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: sailoperator + app.kubernetes.io/instance: metrics-reader + app.kubernetes.io/managed-by: helm + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: sailoperator + name: metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_destinationrules.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_destinationrules.yaml new file mode 100644 index 00000000000..7e39a5685f5 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_destinationrules.yaml @@ -0,0 +1,5276 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_envoyfilters.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_envoyfilters.yaml new file mode 100644 index 00000000000..a8f3e1bacd3 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_envoyfilters.yaml @@ -0,0 +1,332 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + description: |- + Specifies where in the Envoy configuration, the patch should be applied. + + Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + maximum: 4294967295 + minimum: 0 + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: |- + The specific config generation context to match on. + + Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + maximum: 4294967295 + minimum: 0 + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + description: The next level filter within this + filter to match upon. + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + description: The service port/gateway port to which + traffic is being sent/received. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + description: Match on the node metadata supplied by + a proxy when connecting to Istio Pilot. + type: object + proxyVersion: + description: A regular expression in golang regex format + (RE2) that can be used to select proxies using a specific + version of istio proxy. + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + description: The Istio gateway config's namespace/name + for which this route configuration was generated. + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + description: The service port number or gateway server + port number for which this route configuration was + generated. + maximum: 4294967295 + minimum: 0 + type: integer + vhost: + description: Match a specific virtual host in a route + configuration and apply the patch to the virtual host. + properties: + name: + description: The VirtualHosts objects generated + by Istio are named as host:port, where the host + typically corresponds to the VirtualService's + host field or the hostname of a service in the + registry. + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: |- + Match a route with specific action type. + + Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + description: The Route objects generated by + default are named as default. + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: |- + Determines the filter insertion order. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: |- + Determines how the patch should be applied. + + Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. + format: int32 + type: integer + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this patch configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_gateways.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_gateways.yaml new file mode 100644 index 00000000000..a5d29e784a0 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_gateways.yaml @@ -0,0 +1,515 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_proxyconfigs.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_proxyconfigs.yaml new file mode 100644 index 00000000000..795f66b2b66 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_proxyconfigs.yaml @@ -0,0 +1,86 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more + details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + format: int32 + minimum: 0 + nullable: true + type: integer + environmentVariables: + additionalProperties: + maxLength: 2048 + type: string + description: Additional environment variables for the proxy. + type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_serviceentries.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_serviceentries.yaml new file mode 100644 index 00000000000..a98cc30c204 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_serviceentries.yaml @@ -0,0 +1,578 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) + == ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) + == ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) + == ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_sidecars.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_sidecars.yaml new file mode 100644 index 00000000000..5e162db0a05 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_sidecars.yaml @@ -0,0 +1,1422 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_virtualservices.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_virtualservices.yaml new file mode 100644 index 00000000000..2504c725f5d --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_virtualservices.yaml @@ -0,0 +1,2936 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_workloadentries.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_workloadentries.yaml new file mode 100644 index 00000000000..c80643e40c6 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_workloadentries.yaml @@ -0,0 +1,302 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' + || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? + !has(self.ports) : true' + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + - spec + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' + || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? + !has(self.ports) : true' + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + - spec + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' + || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? + !has(self.ports) : true' + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + - spec + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_workloadgroups.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_workloadgroups.yaml new file mode 100644 index 00000000000..997bd74a316 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/networking.istio.io_workloadgroups.yaml @@ -0,0 +1,624 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == + ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == + ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == + ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/operator.istio.io_istiocnis.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/operator.istio.io_istiocnis.yaml new file mode 100644 index 00000000000..d64e184fb95 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/operator.istio.io_istiocnis.yaml @@ -0,0 +1,1486 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + creationTimestamp: null + name: istiocnis.operator.istio.io +spec: + group: operator.istio.io + names: + categories: + - istio-io + kind: IstioCNI + listKind: IstioCNIList + plural: istiocnis + singular: istiocni + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Whether the Istio CNI installation is ready to handle requests. + jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - description: The current state of this object. + jsonPath: .status.state + name: Status + type: string + - description: The version of the Istio CNI installation. + jsonPath: .spec.version + name: Version + type: string + - description: The age of the object + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IstioCNI represents a deployment of the Istio CNI component. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + default: + namespace: istio-cni + version: v1.22.3 + description: IstioCNISpec defines the desired state of IstioCNI + properties: + namespace: + default: istio-cni + description: Namespace to which the Istio CNI component should be + installed. + type: string + profile: + description: |- + The built-in installation configuration profile to use. + The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. + Must be one of: ambient, default, demo, empty, external, minimal, openshift-ambient, openshift, preview, remote, stable. + enum: + - ambient + - default + - demo + - empty + - external + - minimal + - openshift-ambient + - openshift + - preview + - remote + - stable + type: string + values: + description: Defines the values to be passed to the Helm charts when + installing Istio CNI. + properties: + cni: + description: Configuration for the Istio CNI plugin. + properties: + affinity: + description: K8s affinity to set on the istio-cni Pods. Can + be used to exclude istio-cni from being scheduled on specified + nodes. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + ambient: + description: Configuration for Istio Ambient. + properties: + configDir: + description: The directory path containing the configuration + files for Ambient. Defaults to /etc/ambient-config. + type: string + dnsCapture: + description: If enabled, and ambient is enabled, DNS redirection + will be enabled. + type: boolean + enabled: + description: Controls whether ambient redirection is enabled + type: boolean + type: object + chained: + description: |- + Configure the plugin as a chained CNI plugin. When true, the configuration is added to the CNI chain; when false, + the configuration is added as a standalone file in the CNI configuration directory. + type: boolean + cniBinDir: + description: The directory path within the cluster node's + filesystem where the CNI binaries are to be installed. Typically + /var/lib/cni/bin. + type: string + cniConfDir: + description: The directory path within the cluster node's + filesystem where the CNI configuration files are to be installed. + Typically /etc/cni/net.d. + type: string + cniConfFileName: + description: The name of the CNI plugin configuration file. + Defaults to istio-cni.conf. + type: string + cniNetnsDir: + description: |- + The directory path within the cluster node's filesystem where network namespaces are located. + Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'. + type: string + excludeNamespaces: + description: List of namespaces that should be ignored by + the CNI plugin. + items: + type: string + type: array + hub: + description: Hub to pull the container image from. Image will + be `Hub/Image:Tag-Variant`. + type: string + image: + description: |- + Image name to pull from. Image will be `Hub/Image:Tag-Variant`. + If Image contains a "/", it will replace the entire `image` in the pod. + type: string + logLevel: + description: |- + Configuration log level of istio-cni binary. By default, istio-cni sends all logs to the UDS server. + To see the logs, change global.logging.level to cni:debug. + type: string + podAnnotations: + additionalProperties: + type: string + description: |- + Additional annotations to apply to the istio-cni Pods. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: object + privileged: + description: |- + No longer used for CNI. See: https://github.com/istio/istio/issues/49004 + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: boolean + provider: + description: |- + Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an additional + NetworkAttachmentDefinition resource is deployed to the cluster to allow the istio-cni plugin to be + invoked in a cluster using the Multus CNI plugin. + type: string + psp_cluster_role: + description: PodSecurityPolicy cluster role. No longer used + anywhere. + type: string + pullPolicy: + description: |- + Specifies the image pull policy. one of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. + + + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + repair: + description: Configuration for the CNI Repair controller. + properties: + brokenPodLabelKey: + description: The label key to apply to a broken pod when + the controller is in labelPods mode. + type: string + brokenPodLabelValue: + description: The label value to apply to a broken pod + when the controller is in labelPods mode. + type: string + createEvents: + description: |- + No longer used. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: string + deletePods: + description: |- + The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. + The mode defines the action the controller will take when a pod is detected as broken. + If deletePods is true, the controller will delete the broken pod. The pod will then be rescheduled, hopefully onto a node that is fully ready. + Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + type: boolean + enabled: + description: Controls whether repair behavior is enabled. + type: boolean + hub: + description: Hub to pull the container image from. Image + will be `Hub/Image:Tag-Variant`. + type: string + image: + description: |- + Image name to pull from. Image will be `Hub/Image:Tag-Variant`. + If Image contains a "/", it will replace the entire `image` in the pod. + type: string + initContainerName: + description: The name of the init container to use for + the repairPods mode. + type: string + labelPods: + description: |- + The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. + The mode defines the action the controller will take when a pod is detected as broken. + If labelPods is true, the controller will label all broken pods with =. + This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + type: boolean + repairPods: + description: |- + The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. + The mode defines the action the controller will take when a pod is detected as broken. + If repairPods is true, the controller will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + This requires no RBAC privilege, but will require the CNI agent to run as a privileged pod. + type: boolean + tag: + anyOf: + - type: integer + - type: string + description: The container image tag to pull. Image will + be `Hub/Image:Tag-Variant`. + x-kubernetes-int-or-string: true + type: object + resource_quotas: + description: The resource quotas configration for the CNI + DaemonSet. + properties: + enabled: + description: Controls whether to create resource quotas + or not for the CNI DaemonSet. + type: boolean + pods: + description: The hard limit on the number of pods in the + namespace where the CNI DaemonSet is deployed. + format: int64 + type: integer + type: object + resources: + description: The k8s resource requests and limits for the + istio-cni Pods. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + rollingMaxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The number of pods that can be unavailable during a rolling update of the CNI DaemonSet (see + `updateStrategy.rollingUpdate.maxUnavailable` here: + https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + May be specified as a number of pods or as a percent of the total number + of pods at the start of the update. + x-kubernetes-int-or-string: true + seccompProfile: + description: |- + The Container seccompProfile + + + See: https://kubernetes.io/docs/tutorials/security/seccomp/ + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + tag: + anyOf: + - type: integer + - type: string + description: The container image tag to pull. Image will be + `Hub/Image:Tag-Variant`. + x-kubernetes-int-or-string: true + variant: + description: The container image variant to pull. Options + are "debug" or "distroless". Unset will use the default + for the given version. + type: string + type: object + global: + description: Part of the global configuration applicable to the + Istio CNI component. + properties: + defaultResources: + description: |- + Default k8s resources settings for all Istio control plane components. + + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + hub: + description: Specifies the docker hub for Istio images. + type: string + imagePullPolicy: + description: |- + Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. + + + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + imagePullSecrets: + items: + type: string + type: array + logAsJson: + type: boolean + logging: + description: Specifies the global logging level settings for + the Istio CNI component. + properties: + level: + description: |- + Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + The control plane has different scopes depending on component, but can configure default log level across all components + If empty, default scope and level will be used as configured in code + type: string + type: object + tag: + anyOf: + - type: integer + - type: string + description: Specifies the tag for the Istio CNI image. + x-kubernetes-int-or-string: true + variant: + type: string + type: object + type: object + version: + default: v1.22.3 + description: |- + Defines the version of Istio to install. + Must be one of: v1.22.3, v1.22.2, v1.22.1, v1.22.0, v1.21.5, v1.21.4, v1.21.3, v1.21.2, v1.21.0, latest. + enum: + - v1.22.3 + - v1.22.2 + - v1.22.1 + - v1.22.0 + - v1.21.5 + - v1.21.4 + - v1.21.3 + - v1.21.2 + - v1.21.0 + - latest + type: string + required: + - namespace + - version + type: object + status: + description: IstioCNIStatus defines the observed state of IstioCNI + properties: + conditions: + description: Represents the latest available observations of the object's + current state. + items: + description: IstioCNICondition represents a specific observation + of the IstioCNI object's state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + the last transition. + type: string + reason: + description: Unique, single-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: The status of this condition. Can be True, False + or Unknown. + type: string + type: + description: The type of this condition. + type: string + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the most recent generation observed for this + IstioCNI object. It corresponds to the object's generation, which is + updated on mutation by the API Server. The information in the status + pertains to this particular generation of the object. + format: int64 + type: integer + state: + description: Reports the current state of the object. + type: string + type: object + type: object + x-kubernetes-validations: + - message: metadata.name must be 'default' + rule: self.metadata.name == 'default' + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/operator.istio.io_istiorevisions.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/operator.istio.io_istiorevisions.yaml new file mode 100644 index 00000000000..892cebee810 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/operator.istio.io_istiorevisions.yaml @@ -0,0 +1,8105 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + creationTimestamp: null + name: istiorevisions.operator.istio.io +spec: + group: operator.istio.io + names: + categories: + - istio-io + kind: IstioRevision + listKind: IstioRevisionList + plural: istiorevisions + shortNames: + - istiorev + singular: istiorevision + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Whether the control plane installation is ready to handle requests. + jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - description: The current state of this object. + jsonPath: .status.state + name: Status + type: string + - description: Whether the revision is being used by workloads. + jsonPath: .status.conditions[?(@.type=="InUse")].status + name: In use + type: string + - description: The version of the control plane installation. + jsonPath: .spec.version + name: Version + type: string + - description: The age of the object + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + IstioRevision represents a single revision of an Istio Service Mesh deployment. + Users shouldn't create IstioRevision objects directly. Instead, they should + create an Istio object and allow the operator to create the underlying + IstioRevision object(s). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IstioRevisionSpec defines the desired state of IstioRevision + properties: + namespace: + description: Namespace to which the Istio components should be installed. + type: string + values: + description: Defines the values to be passed to the Helm charts when + installing Istio. + properties: + base: + description: Configuration for the base component. + properties: + validationURL: + description: URL to use for validating webhook. + type: string + type: object + compatibilityVersion: + description: |- + Specifies the compatibility version to use. When this is set, the control plane will + be configured with the same defaults as the specified version. + type: string + defaultRevision: + description: The name of the default revision in the cluster. + type: string + global: + description: Global configuration for Istio components. + properties: + arch: + description: "Specifies pod scheduling arch(amd64, ppc64le, + s390x, arm64) and weight as follows:\n\n\n\t0 - Never scheduled\n\t1 + - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\n\nDeprecated: + replaced by the affinity k8s settings which allows architecture + nodeAffinity configuration of this behavior.\n\n\nDeprecated: + Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + properties: + amd64: + description: Sets pod scheduling weight for amd64 arch + format: int32 + type: integer + arm64: + description: Sets pod scheduling weight for arm64 arch. + format: int32 + type: integer + ppc64le: + description: Sets pod scheduling weight for ppc64le arch. + format: int32 + type: integer + s390x: + description: Sets pod scheduling weight for s390x arch. + format: int32 + type: integer + type: object + autoscalingv2API: + description: |- + TODO: remove this? + No longer used. + type: boolean + caAddress: + description: The address of the CA for CSR. + type: string + caName: + description: |- + The name of the CA for workloads. + For example, when caName=GkeWorkloadCertificate, GKE workload certificates + will be used as the certificates for workloads. + The default value is "" and when caName="", the CA will be configured by other + mechanisms (e.g., environmental variable CA_PROVIDER). + type: string + certSigners: + description: List of certSigners to allow "approve" action + in the ClusterRole + items: + type: string + type: array + configCluster: + description: Controls whether a remote cluster is the config + cluster for an external istiod + type: boolean + configRootNamespace: + description: |- + TODO: remove this? + No longer used. + type: string + configValidation: + description: Controls whether the server-side validation is + enabled. + type: boolean + defaultConfigVisibilitySettings: + description: |- + TODO: remove this? + No longer used. + items: + type: string + type: array + defaultNodeSelector: + additionalProperties: + type: string + description: |- + Default k8s node selector for all the Istio control plane components + + + See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: object + defaultPodDisruptionBudget: + description: |- + Specifies the default pod disruption budget configuration. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + enabled: + description: Controls whether a PodDisruptionBudget with + a default minAvailable value of 1 is created for each + deployment. + type: boolean + type: object + defaultResources: + description: |- + Default k8s resources settings for all Istio control plane components. + + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + defaultTolerations: + description: |- + Default node tolerations to be applied to all deployments so that all pods can be + scheduled to nodes with matching taints. Each component can overwrite + these default values by adding its tolerations block in the relevant section below + and setting the desired values. + Configure this field in case that all pods of Istio control plane are expected to + be scheduled to particular nodes with specified taints. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + externalIstiod: + description: Controls whether one external istiod is enabled. + type: boolean + hub: + description: Specifies the docker hub for Istio images. + type: string + imagePullPolicy: + description: |- + Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. + + + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + imagePullSecrets: + description: |- + ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace + to use for pulling any images in pods that reference this ServiceAccount. + Must be set for any cluster configured with private docker registry. + items: + type: string + type: array + ipFamilies: + description: |- + Defines which IP family to use for single stack or the order of IP families for dual-stack. + Valid list items are "IPv4", "IPv6". + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + items: + type: string + type: array + ipFamilyPolicy: + description: |- + Controls whether Services are configured to use IPv4, IPv6, or both. Valid options + are PreferDualStack, RequireDualStack, and SingleStack. + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + type: string + istioNamespace: + description: Specifies the default namespace for the Istio + control plane components. + type: string + istiod: + description: Specifies the configution of istiod + properties: + enableAnalysis: + description: If enabled, istiod will perform config analysis + type: boolean + type: object + jwtPolicy: + description: |- + Configure the policy for validating JWT. + This is deprecated and has no effect. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: string + logAsJson: + description: Specifies whether istio components should output + logs in json format by adding --log_as_json argument to + each container. + type: boolean + logging: + description: Specifies the global logging level settings for + the Istio control plane components. + properties: + level: + description: |- + Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + The control plane has different scopes depending on component, but can configure default log level across all components + If empty, default scope and level will be used as configured in code + type: string + type: object + meshID: + description: |- + The Mesh Identifier. It should be unique within the scope where + meshes will interact with each other, but it is not required to be + globally/universally unique. For example, if any of the following are true, + then two meshes must have different Mesh IDs: + - Meshes will have their telemetry aggregated in one place + - Meshes will be federated together + - Policy will be written referencing one mesh from the other + + + If an administrator expects that any of these conditions may become true in + the future, they should ensure their meshes have different Mesh IDs + assigned. + + + Within a multicluster mesh, each cluster must be (manually or auto) + configured to have the same Mesh ID value. If an existing cluster 'joins' a + multicluster mesh, it will need to be migrated to the new mesh ID. Details + of migration TBD, and it may be a disruptive operation to change the Mesh + ID post-install. + + + If the mesh admin does not specify a value, Istio will use the value of the + mesh's Trust Domain. The best practice is to select a proper Trust Domain + value. + type: string + meshNetworks: + additionalProperties: + description: |- + Network provides information about the endpoints in a routable L3 + network. A single routable L3 network can have one or more service + registries. Note that the network has no relation to the locality of the + endpoint. The endpoint locality will be obtained from the service + registry. + properties: + endpoints: + description: |- + The list of endpoints in the network (obtained through the + constituent service registries or from CIDR ranges). All endpoints in + the network are directly accessible to one another. + items: + description: "NetworkEndpoints describes how the network + associated with an endpoint\nshould be inferred. + An endpoint will be assigned to a network based + on\nthe following rules:\n\n\n1. Implicitly: If + the registry explicitly provides information about\nthe + network to which the endpoint belongs to. In some + cases, its\npossible to indicate the network associated + with the endpoint by\nadding the `ISTIO_META_NETWORK` + environment variable to the sidecar.\n\n\n2. Explicitly:\n\n\n\ta. + By matching the registry name with one of the \"fromRegistry\"\n\tin + the mesh config. A \"from_registry\" can only be + assigned to a\n\tsingle network.\n\n\n\tb. By matching + the IP against one of the CIDR ranges in a mesh\n\tconfig + network. The CIDR ranges must not overlap and be + assigned to\n\ta single network.\n\n\n(2) will override + (1) if both are present." + properties: + fromCidr: + description: |- + A CIDR range for the set of endpoints in this network. The CIDR + ranges for endpoints from different networks must not overlap. + type: string + fromRegistry: + description: |- + Add all endpoints from the specified registry into this network. + The names of the registries should correspond to the kubeconfig file name + inside the secret that was used to configure the registry (Kubernetes + multicluster) or supplied by MCP server. + type: string + type: object + x-kubernetes-validations: + - message: At most one of [fromCidr fromRegistry] + should be set + rule: (has(self.fromCidr)?1:0) + (has(self.fromRegistry)?1:0) + <= 1 + type: array + gateways: + description: Set of gateways associated with the network. + items: + description: |- + The gateway associated with this network. Traffic from remote networks + will arrive at the specified gateway:port. All incoming traffic must + use mTLS. + properties: + address: + description: IP address or externally resolvable + DNS address associated with the gateway. + type: string + locality: + description: The locality associated with an explicitly + specified gateway (i.e. ip) + type: string + port: + format: int32 + type: integer + registryServiceName: + description: |- + A fully qualified domain name of the gateway service. Pilot will + lookup the service from the service registries in the network and + obtain the endpoint IPs of the gateway from the service + registry. Note that while the service name is a fully qualified + domain name, it need not be resolvable outside the orchestration + platform for the registry. e.g., this could be + istio-ingressgateway.istio-system.svc.cluster.local. + type: string + type: object + x-kubernetes-validations: + - message: At most one of [registryServiceName address] + should be set + rule: (has(self.registryServiceName)?1:0) + (has(self.address)?1:0) + <= 1 + type: array + type: object + description: "Configure the mesh networks to be used by the + Split Horizon EDS.\n\n\nThe following example defines two + networks with different endpoints association methods.\nFor + `network1` all endpoints that their IP belongs to the provided + CIDR range will be\nmapped to network1. The gateway for + this network example is specified by its public IP\naddress + and port.\nThe second network, `network2`, in this example + is defined differently with all endpoints\nretrieved through + the specified Multi-Cluster registry being mapped to network2. + The\ngateway is also defined differently with the name of + the gateway service on the remote\ncluster. The public IP + for the gateway will be determined from that remote service + (only\nLoadBalancer gateway service type is currently supported, + for a NodePort type gateway service,\nit still need to be + configured manually).\n\n\nmeshNetworks:\n\n\n\tnetwork1:\n\t + \ endpoints:\n\t - fromCidr: \"192.168.0.1/24\"\n\t gateways:\n\t + \ - address: 1.1.1.1\n\t port: 80\n\tnetwork2:\n\t endpoints:\n\t + \ - fromRegistry: reg1\n\t gateways:\n\t - registryServiceName: + istio-ingressgateway.istio-system.svc.cluster.local\n\t + \ port: 443" + type: object + mountMtlsCerts: + description: Controls whether the in-cluster MTLS key and + certs are loaded from the secret volume mounts. + type: boolean + multiCluster: + description: Specifies the Configuration for Istio mesh across + multiple clusters through Istio gateways. + properties: + clusterName: + description: |- + The name of the cluster this installation will run in. This is required for sidecar injection + to properly label proxies + type: string + enabled: + description: |- + Enables the connection between two kubernetes clusters via their respective ingressgateway services. + Use if the pods in each cluster cannot directly talk to one another. + type: boolean + globalDomainSuffix: + description: The suffix for global service names. + type: string + includeEnvoyFilter: + description: Enable envoy filter to translate `globalDomainSuffix` + to cluster local suffix for cross cluster communication. + type: boolean + type: object + network: + description: |- + Network defines the network this cluster belong to. This name + corresponds to the networks in the map of mesh networks. + type: string + omitSidecarInjectorConfigMap: + description: |- + Controls whether the creation of the sidecar injector ConfigMap should be skipped. + Defaults to false. When set to true, the sidecar injector ConfigMap will not be created. + type: boolean + oneNamespace: + description: |- + Controls whether to restrict the applications namespace the controller manages; + If set it to false, the controller watches all namespaces. + type: boolean + operatorManageWebhooks: + description: |- + Controls whether the WebhookConfiguration resource(s) should be created. The current behavior + of Istiod is to manage its own webhook configurations. + When this option is set to true, Istio Operator, instead of webhooks, manages the + webhook configurations. When this option is set as false, webhooks manage their + own webhook configurations. + type: boolean + pilotCertProvider: + description: |- + Configure the Pilot certificate provider. + Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none". + type: string + platform: + description: |- + Platform in which Istio is deployed. Possible values are: "openshift" and "gcp" + An empty value means it is a vanilla Kubernetes distribution, therefore no special + treatment will be considered. + type: string + podDNSSearchNamespaces: + description: |- + Custom DNS config for the pod to resolve names of services in other + clusters. Use this to add additional search domains, and other settings. + see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + This does not apply to gateway pods as they typically need a different + set of DNS settings than the normal application pods (e.g. in multicluster scenarios). + items: + type: string + type: array + priorityClassName: + description: |- + Specifies the k8s priorityClassName for the istio control plane components. + + + See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: string + proxy: + description: Specifies how proxies are configured within Istio. + properties: + autoInject: + description: Controls the 'policy' in the sidecar injector. + type: string + clusterDomain: + description: |- + Domain for the cluster, default: "cluster.local". + + + K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ + type: string + componentLogLevel: + description: |- + Per Component log level for proxy, applies to gateways and sidecars. + + + If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used. + type: string + enableCoreDump: + description: |- + Enables core dumps for newly injected sidecars. + + + If set, newly injected sidecars will have core dumps enabled. + type: boolean + excludeIPRanges: + description: Lists the excluded IP ranges of Istio egress + traffic that the sidecar captures. + type: string + excludeInboundPorts: + description: Specifies the Istio ingress ports not to + capture. + type: string + excludeOutboundPorts: + description: A comma separated list of outbound ports + to be excluded from redirection to Envoy. + type: string + holdApplicationUntilProxyStarts: + description: |- + Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + + + Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: boolean + image: + description: |- + Image name or path for the proxy, default: "proxyv2". + + + If registry or tag are not specified, global.hub and global.tag are used. + + + Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0 + type: string + includeIPRanges: + description: |- + Lists the IP ranges of Istio egress traffic that the sidecar captures. + + + Example: "172.30.0.0/16,172.20.0.0/16" + This would only capture egress traffic on those two IP Ranges, all other outbound traffic would # be allowed by the sidecar." + type: string + includeInboundPorts: + description: |- + A comma separated list of inbound ports for which traffic is to be redirected to Envoy. + The wildcard character '*' can be used to configure redirection for all ports. + type: string + includeOutboundPorts: + description: A comma separated list of outbound ports + for which traffic is to be redirected to Envoy, regardless + of the destination IP. + type: string + lifecycle: + description: |- + The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + postStart: + description: |- + PostStart is called immediately after a container is created. If the handler fails, + the container is terminated and restarted according to its restart policy. + Other management of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents the duration that + the container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds + to sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: |- + PreStop is called immediately before a container is terminated due to an + API request or management event such as liveness/startup probe failure, + preemption, resource contention, etc. The handler is not called if the + container crashes or exits. The Pod's termination grace period countdown begins before the + PreStop hook is executed. Regardless of the outcome of the handler, the + container will eventually terminate within the Pod's termination grace + period (unless delayed by finalizers). Other management of the container blocks until the hook completes + or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents the duration that + the container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds + to sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + logLevel: + description: 'Log level for proxy, applies to gateways + and sidecars. If left empty, "warning" is used. Expected + values are: trace\|debug\|info\|warning\|error\|critical\|off' + type: string + privileged: + description: |- + Enables privileged securityContext for the istio-proxy container. + + + See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: boolean + readinessFailureThreshold: + description: Sets the number of successive failed probes + before indicating readiness failure. + format: int32 + type: integer + readinessInitialDelaySeconds: + description: Sets the initial delay for readiness probes + in seconds. + format: int32 + type: integer + readinessPeriodSeconds: + description: Sets the interval between readiness probes + in seconds. + format: int32 + type: integer + resources: + description: |- + K8s resources settings. + + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + startupProbe: + description: Configures the startup probe for the istio-proxy + container. + properties: + enabled: + description: |- + Enables or disables a startup probe. + For optimal startup times, changing this should be tied to the readiness probe values. + + + If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + and doesn't spam the readiness endpoint too much + + + If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + type: boolean + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + format: int32 + type: integer + type: object + statusPort: + description: Default port used for the Pilot agent's health + checks. + format: int32 + type: integer + tracer: + description: |- + Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. + If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + enum: + - zipkin + - lightstep + - datadog + - stackdriver + - openCensusAgent + - none + type: string + type: object + proxy_init: + description: Specifies the Configuration for proxy_init container + which sets the pods' networking to intercept the inbound/outbound + traffic. + properties: + image: + description: Specifies the image for the proxy_init container. + type: string + resources: + description: |- + K8s resources settings. + + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + type: object + remotePilotAddress: + description: Specifies the Istio control plane’s pilot Pod + IP address or remote cluster DNS resolvable hostname. + type: string + revision: + description: Configures the revision this control plane is + a part of + type: string + sds: + description: Specifies the Configuration for the SecretDiscoveryService + instead of using K8S secrets to mount the certificates. + properties: + token: + description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + properties: + aud: + type: string + type: object + type: object + sts: + description: Specifies the configuration for Security Token + Service. + properties: + servicePort: + format: int32 + type: integer + type: object + tag: + anyOf: + - type: integer + - type: string + description: Specifies the tag for the Istio docker images. + x-kubernetes-int-or-string: true + tracer: + description: Specifies the Configuration for each of the supported + tracers. + properties: + datadog: + description: Configuration for the datadog tracing service. + properties: + address: + description: Address in host:port format for reporting + trace data to the Datadog agent. + type: string + type: object + lightstep: + description: Configuration for the lightstep tracing service. + properties: + accessToken: + description: Sets the lightstep access token. + type: string + address: + description: Sets the lightstep satellite pool address + in host:port format for reporting trace data. + type: string + type: object + stackdriver: + description: Configuration for the stackdriver tracing + service. + properties: + debug: + description: enables trace output to stdout. + type: boolean + maxNumberOfAnnotations: + description: The global default max number of annotation + events per span. + format: int32 + type: integer + maxNumberOfAttributes: + description: The global default max number of attributes + per span. + format: int32 + type: integer + maxNumberOfMessageEvents: + description: The global default max number of message + events per span. + format: int32 + type: integer + type: object + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + + Example: .:941 + type: string + type: object + type: object + useMCP: + description: Controls whether to use of Mesh Configuration + Protocol to distribute configuration. + type: boolean + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + type: object + istiodRemote: + description: Configuration for istiod-remote. + properties: + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object + meshConfig: + description: |- + Defines runtime configuration of components, including Istiod and istio-agent behavior. + See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options. + TODO can this import the real mesh config API? + properties: + accessLogEncoding: + description: |- + Encoding for the proxy access log (`TEXT` or `JSON`). + Default value is `TEXT`. + enum: + - TEXT + - JSON + type: string + accessLogFile: + description: |- + File address for the proxy access log (e.g. /dev/stdout). + Empty value disables access logging. + type: string + accessLogFormat: + description: |- + Format for the proxy access log + Empty value results in proxy's default access log format + type: string + ca: + description: |- + If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA + using the Istio CA gRPC API. + properties: + address: + description: |- + REQUIRED. Address of the CA server implementing the Istio CA gRPC API. + Can be IP address or a fully qualified DNS name with port + Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000 + type: string + istiodSide: + description: |- + Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Default: true + type: boolean + requestTimeout: + description: |- + timeout for forward CSR requests from Istiod to External CA + Default: 10s + type: string + tlsSettings: + description: |- + Use the tls_settings to specify the tls mode to use. + Regarding tls_settings: + - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. + DISABLE MODE can also be used for testing + - TLS MUTUAL MODE be on by default. If the CA certificates + (cert bundle to verify the CA server's certificate) is omitted, Istiod will + use the system root certs to verify the CA server's certificate. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will not verify the server's certificate. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + This flag should only be set if global CA signature verification is + enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`, + but no verification is desired for a specific host. If enabled with or + without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and + SAN will be skipped. + + + `insecureSkipVerify` is `false` by default. + `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will + be `true` by default in a later version where, going forward, it will be + enabled by default. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` + environmental variable is set to `true`. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of subject_alt_names + from the ServiceEntry. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` + and `ENABLE_AUTO_SNI` environmental variables are set to `true`. + items: + type: string + type: array + type: object + required: + - address + type: object + caCertificates: + description: |- + The extra root certificates for workload-to-workload communication. + The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) + are automatically added by Istiod. + The CA certificate that signs the workload certificates is automatically added by Istio Agent. + items: + properties: + certSigners: + description: |- + when Istiod is acting as RA(registration authority) + If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers. + items: + type: string + type: array + pem: + description: The PEM data of the certificate. + type: string + spiffeBundleUrl: + description: |- + The SPIFFE bundle endpoint URL that complies to: + https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle + The endpoint should support authentication based on Web PKI: + https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki + The certificate is retrieved from the endpoint. + type: string + trustDomains: + description: |- + Optional. Specify the list of trust domains to which this trustAnchor data belongs. + If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain + and its aliases. + Note that we can have multiple trustAnchor data for a same trust_domain. + In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. + If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. + If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. + If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. + If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: At most one of [pem spiffeBundleUrl] should be + set + rule: (has(self.pem)?1:0) + (has(self.spiffeBundleUrl)?1:0) + <= 1 + type: array + certificates: + description: |- + Configure the provision of certificates. + + + Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + items: + description: "Certificate configures the provision of a + certificate and its key.\nExample 1: key and cert stored + in a secret\n```\n{ secretName: galley-cert\n\n\n\t secretNamespace: + istio-system\n\t dnsNames:\n\t - galley.istio-system.svc\n\t + \ - galley.mydomain.com\n\t}\n\n\n```\nExample 2: key + and cert stored in a directory\n```\n{ dnsNames:\n - + pilot.istio-system\n - pilot.istio-system.svc\n - pilot.mydomain.com\n + \ }\n\n\n```" + properties: + dnsNames: + description: |- + The DNS names for the certificate. A certificate may contain + multiple DNS names. + items: + type: string + type: array + secretName: + description: |- + Name of the secret the certificate and its key will be stored into. + If it is empty, it will not be stored into a secret. + Instead, the certificate and its key will be stored into a hard-coded directory. + type: string + type: object + type: array + configSources: + description: |- + ConfigSource describes a source of configuration data for networking + rules, and other Istio configuration artifacts. Multiple data sources + can be configured for a single control plane. + items: + description: |- + ConfigSource describes information about a configuration store inside a + mesh. A single control plane instance can interact with one or more data + sources. + properties: + address: + description: |- + Address of the server implementing the Istio Mesh Configuration + protocol (MCP). Can be IP address or a fully qualified DNS name. + Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or + fs:/// to specify a file-based backend with absolute path to the directory. + type: string + subscribedResources: + description: Describes the source of configuration, + if nothing is specified default is MCP + items: + description: Resource describes the source of configuration + enum: + - SERVICE_REGISTRY + type: string + type: array + tlsSettings: + description: |- + Use the tls_settings to specify the tls mode to use. If the MCP server + uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will not verify the server's certificate. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + This flag should only be set if global CA signature verification is + enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`, + but no verification is desired for a specific host. If enabled with or + without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and + SAN will be skipped. + + + `insecureSkipVerify` is `false` by default. + `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will + be `true` by default in a later version where, going forward, it will be + enabled by default. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` + environmental variable is set to `true`. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of subject_alt_names + from the ServiceEntry. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` + and `ENABLE_AUTO_SNI` environmental variables are set to `true`. + items: + type: string + type: array + type: object + type: object + type: array + connectTimeout: + description: |- + Connection timeout used by Envoy. (MUST BE >=1ms) + Default timeout is 10s. + type: string + defaultConfig: + description: |- + Default proxy config used by gateway and sidecars. + In case of Kubernetes, the proxy config is applied once during the injection process, + and remain constant for the duration of the pod. The rest of the mesh config can be changed + at runtime and config gets distributed dynamically. + On Kubernetes, this can be overridden on individual pods with the `proxy.istio.io/config` annotation. + properties: + availabilityZone: + description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' + type: string + binaryPath: + description: Path to the proxy binary + type: string + caCertificatesPem: + description: |- + The PEM data of the extra root certificates for workload-to-workload communication. + This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. + The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) + are added automatically by Istiod. + items: + type: string + type: array + concurrency: + description: |- + The number of worker threads to run. + If unset, this will be automatically determined based on CPU requests/limits. + If set to 0, all cores on the machine will be used. + Default is 2 worker threads. + format: int32 + type: integer + configPath: + description: |- + Path to the generated configuration file directory. + Proxy agent generates the actual configuration and stores it in this directory. + type: string + controlPlaneAuthPolicy: + description: |- + AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. + Default is set to `MUTUAL_TLS`. + enum: + - NONE + - MUTUAL_TLS + - INHERIT + type: string + customConfigFile: + description: |- + File path of custom proxy configuration, currently used by proxies + in front of Mixer and Pilot. + type: string + discoveryAddress: + description: |- + Address of the discovery service exposing xDS with mTLS connection. + The inject configuration may override this value. + type: string + discoveryRefreshDelay: + description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' + type: string + drainDuration: + description: |- + restart. MUST be >=1s (e.g., _1s/1m/1h_) + Default drain duration is `45s`. + type: string + envoyAccessLogService: + description: |- + Address of the service to which access logs from Envoys should be + sent. (e.g. `accesslog-service:15000`). See [Access Log + Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto) + for details about Envoy's gRPC Access Log Service API. + properties: + address: + description: |- + Address of a remove service used for various purposes (access log + receiver, metrics receiver, etc.). Can be IP address or a fully + qualified DNS name. + type: string + tcpKeepalive: + description: If set then set `SO_KEEPALIVE` on the + socket to enable TCP Keepalives. + properties: + interval: + description: |- + The time duration between keep-alive probes. + Default is to use the OS level configuration + (unless overridden, Linux defaults to 75s.) + type: string + probes: + description: |- + Maximum number of keepalive probes to send without response before + deciding the connection is dead. Default is to use the OS level configuration + (unless overridden, Linux defaults to 9.) + format: int32 + type: integer + time: + description: |- + The time duration a connection needs to be idle before keep-alive + probes start being sent. Default is to use the OS level configuration + (unless overridden, Linux defaults to 7200s (ie 2 hours.) + type: string + type: object + tlsSettings: + description: |- + Use the `tls_settings` to specify the tls mode to use. If the remote service + uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will not verify the server's certificate. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + This flag should only be set if global CA signature verification is + enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`, + but no verification is desired for a specific host. If enabled with or + without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and + SAN will be skipped. + + + `insecureSkipVerify` is `false` by default. + `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will + be `true` by default in a later version where, going forward, it will be + enabled by default. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` + environmental variable is set to `true`. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of subject_alt_names + from the ServiceEntry. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` + and `ENABLE_AUTO_SNI` environmental variables are set to `true`. + items: + type: string + type: array + type: object + type: object + envoyMetricsService: + description: |- + Address of the Envoy Metrics Service implementation (e.g. `metrics-service:15000`). + See [Metric Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto) + for details about Envoy's Metrics Service API. + properties: + address: + description: |- + Address of a remove service used for various purposes (access log + receiver, metrics receiver, etc.). Can be IP address or a fully + qualified DNS name. + type: string + tcpKeepalive: + description: If set then set `SO_KEEPALIVE` on the + socket to enable TCP Keepalives. + properties: + interval: + description: |- + The time duration between keep-alive probes. + Default is to use the OS level configuration + (unless overridden, Linux defaults to 75s.) + type: string + probes: + description: |- + Maximum number of keepalive probes to send without response before + deciding the connection is dead. Default is to use the OS level configuration + (unless overridden, Linux defaults to 9.) + format: int32 + type: integer + time: + description: |- + The time duration a connection needs to be idle before keep-alive + probes start being sent. Default is to use the OS level configuration + (unless overridden, Linux defaults to 7200s (ie 2 hours.) + type: string + type: object + tlsSettings: + description: |- + Use the `tls_settings` to specify the tls mode to use. If the remote service + uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will not verify the server's certificate. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + This flag should only be set if global CA signature verification is + enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`, + but no verification is desired for a specific host. If enabled with or + without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and + SAN will be skipped. + + + `insecureSkipVerify` is `false` by default. + `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will + be `true` by default in a later version where, going forward, it will be + enabled by default. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` + environmental variable is set to `true`. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of subject_alt_names + from the ServiceEntry. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` + and `ENABLE_AUTO_SNI` environmental variables are set to `true`. + items: + type: string + type: array + type: object + type: object + envoyMetricsServiceAddress: + description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' + type: string + extraStatTags: + description: |- + An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be + added by configuring the telemetry extension. Each additional tag needs to be present in this list. + Extra tags emitted by the telemetry extensions must be listed here so that they can be processed + and exposed as Prometheus metrics. + Deprecated: `istio.stats` is a native filter now, this field is no longer needed. + items: + type: string + type: array + gatewayTopology: + description: |- + Topology encapsulates the configuration which describes where the proxy is + located i.e. behind a (or N) trusted proxy (proxies) or directly exposed + to the internet. This configuration only effects gateways and is applied + to all the gateways in the cluster unless overridden via annotations of the + gateway workloads. + properties: + forwardClientCertDetails: + description: |- + Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) + header in the incoming request. + enum: + - UNDEFINED + - SANITIZE + - FORWARD_ONLY + - APPEND_FORWARD + - SANITIZE_SET + - ALWAYS_FORWARD_ONLY + type: string + numTrustedProxies: + description: |- + Number of trusted proxies deployed in front of the Istio gateway proxy. + When this option is set to value N greater than zero, the trusted client + address is assumed to be the Nth address from the right end of the + X-Forwarded-For (XFF) header from the incoming request. If the + X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the + gateway proxy falls back to using the immediate downstream connection's + source address as the trusted client address. + Note that the gateway proxy will append the downstream connection's source + address to the X-Forwarded-For (XFF) address and set the + X-Envoy-External-Address header to the trusted client address before + forwarding it to the upstream services in the cluster. + The default value of num_trusted_proxies is 0. + See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) + header handling for more details. + format: int32 + type: integer + proxyProtocol: + description: |- + Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for + downstream connections on a gateway. + type: object + type: object + holdApplicationUntilProxyStarts: + description: |- + Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. + This feature adds hooks to delay application startup until the pod proxy + is ready to accept traffic, mitigating some startup race conditions. + Default value is 'false'. + type: boolean + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: |- + The image type of the image. + Istio publishes default, debug, and distroless images. + Other values are allowed if those image types (example: centos) are published to the specified hub. + supported values: default, debug, distroless. + type: string + type: object + interceptionMode: + description: The mode used to redirect inbound traffic + to Envoy. + enum: + - REDIRECT + - TPROXY + - NONE + type: string + meshId: + description: |- + The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) + All control planes running in the same service mesh should specify the same mesh ID. + Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together. + type: string + privateKeyProvider: + description: Specifies the details of the Private Key + Provider configuration for gateway and sidecar proxies. + properties: + cryptomb: + description: Use CryptoMb private key provider + properties: + fallback: + description: |- + If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) + Envoy will fallback to the BoringSSL default implementation when the fallback is true. + The default value is false. + type: boolean + pollDelay: + description: |- + How long to wait until the per-thread processing queue should be processed. If the processing queue + gets full (eight sign or decrypt requests are received) it is processed immediately. + However, if the queue is not filled before the delay has expired, the requests already in the queue + are processed, even if the queue is not full. + In effect, this value controls the balance between latency and throughput. + The duration needs to be set to a value greater than or equal to 1 millisecond. + type: string + type: object + qat: + description: Use QAT private key provider + properties: + fallback: + description: |- + If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) + Envoy will fallback to the BoringSSL default implementation when the fallback is true. + The default value is false. + type: boolean + pollDelay: + description: |- + How long to wait before polling the hardware accelerator after a request has been submitted there. + Having a small value leads to quicker answers from the hardware but causes more polling loop spins, + leading to potentially larger CPU usage. + The duration needs to be set to a value greater than or equal to 1 millisecond. + type: string + type: object + type: object + x-kubernetes-validations: + - message: At most one of [cryptomb qat] should be set + rule: (has(self.cryptomb)?1:0) + (has(self.qat)?1:0) + <= 1 + proxyAdminPort: + description: |- + Port on which Envoy should listen for administrative commands. + Default port is `15000`. + format: int32 + type: integer + proxyBootstrapTemplatePath: + description: Path to the proxy bootstrap template file + type: string + proxyHeaders: + description: "Define the set of headers to add/modify + for HTTP request/responses.\n\n\nTo enable an optional + header, simply set the field. If no specific configuration + is required, an empty object (`{}`) will enable it.\nNote: + currently all headers are enabled by default.\n\n\nBelow + shows an example of customizing the `server` header + and disabling the `X-Envoy-Attempt-Count` header:\n\n\n```yaml\nproxyHeaders:\n\n\n\tserver:\n\t + \ value: \"my-custom-server\"\n\trequestId: {} // Explicitly + enable Request IDs. As this is the default, this has + no effect.\n\tattemptCount:\n\t disabled: true\n\n\n```\n\n\nSome + headers are enabled by default, and require explicitly + disabling. See below for an example of disabling all + default-enabled headers:\n\n\n```yaml\nproxyHeaders:\n\n\n\tforwardedClientCert: + SANITIZE\n\tserver:\n\t disabled: true\n\trequestId:\n\t + \ disabled: true\n\tattemptCount:\n\t disabled: true\n\tenvoyDebugHeaders:\n\t + \ disabled: true\n\tmetadataExchangeHeaders:\n\t mode: + IN_MESH\n\n\n```" + properties: + attemptCount: + description: |- + Controls the `X-Envoy-Attempt-Count` header. + If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. + If disabled, this header will not be set. If it is already present, it will be preserved. + This header is enabled by default if not configured. + properties: + disabled: + type: boolean + type: object + envoyDebugHeaders: + description: |- + Controls various `X-Envoy-*` headers, such as `X-Envoy-Overloaded` and `X-Envoy-Upstream-Service-Time. If enabled, + these headers will be included. + If disabled, these headers will not be set. If they are already present, they will be preserved. + See the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers) for more details. + These headers are enabled by default if not configured. + properties: + disabled: + type: boolean + type: object + forwardedClientCert: + description: |- + Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting. + To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is). + By default, `APPEND_FORWARD` will be used. + enum: + - UNDEFINED + - SANITIZE + - FORWARD_ONLY + - APPEND_FORWARD + - SANITIZE_SET + - ALWAYS_FORWARD_ONLY + type: string + metadataExchangeHeaders: + description: |- + Controls Istio metadata exchange headers `X-Envoy-Peer-Metadata` and `X-Envoy-Peer-Metadata-Id`. + By default, the behavior is unspecified. + If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh. + properties: + mode: + enum: + - UNDEFINED + - IN_MESH + type: string + type: object + requestId: + description: |- + Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set. + This applies to all types of traffic (inbound, outbound, and gateways). + If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. + Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. + This header is enabled by default if not configured. + properties: + disabled: + type: boolean + type: object + server: + description: |- + Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways). + If disabled, the `Server` header is not modified. If it is already present, it will be preserved. + properties: + disabled: + type: boolean + value: + description: If set, and the server header is + enabled, this value will be set as the server + header. By default, `istio-envoy` will be used. + type: string + type: object + type: object + proxyMetadata: + additionalProperties: + type: string + description: |- + Additional environment variables for the proxy. + Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server. + type: object + proxyStatsMatcher: + description: "Proxy stats matcher defines configuration + for reporting custom Envoy stats.\nTo reduce memory + and CPU overhead from Envoy stats system, Istio proxies + by\ndefault create and expose only a subset of Envoy + stats. This option is to\ncontrol creation of additional + Envoy stats with prefix, suffix, and regex\nexpressions + match on the name of the stats. This replaces the stats\ninclusion + annotations\n(`sidecar.istio.io/statsInclusionPrefixes`,\n`sidecar.istio.io/statsInclusionRegexps`, + and\n`sidecar.istio.io/statsInclusionSuffixes`). For + example, to enable stats\nfor circuit breakers, request + retries, upstream connections, and request timeouts,\nyou + can specify stats matcher as follows:\n```yaml\nproxyStatsMatcher:\n\n\n\tinclusionRegexps:\n\t + \ - .*outlier_detection.*\n\t - .*upstream_rq_retry.*\n\t + \ - .*upstream_cx_.*\n\tinclusionSuffixes:\n\t - upstream_rq_timeout\n\n\n```\nNote + including more Envoy stats might increase number of + time series\ncollected by prometheus significantly. + Care needs to be taken on Prometheus\nresource provision + and configuration to reduce cardinality." + properties: + inclusionPrefixes: + description: Proxy stats name prefix matcher for inclusion. + items: + type: string + type: array + inclusionRegexps: + description: Proxy stats name regexps matcher for + inclusion. + items: + type: string + type: array + inclusionSuffixes: + description: Proxy stats name suffix matcher for inclusion. + items: + type: string + type: array + type: object + readinessProbe: + description: |- + VM Health Checking readiness probe. This health check config exactly mirrors the + kubernetes readiness probe configuration both in schema and logic. + Only one health check method of 3 can be set at a time. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a + GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + + If this is not specified, the default behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to + perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + runtimeValues: + additionalProperties: + type: string + description: |- + Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping. + This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution. + type: object + sds: + description: |- + Secret Discovery Service(SDS) configuration to be used by the proxy. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto. + properties: + enabled: + description: True if SDS is enabled. + type: boolean + k8sSaJwtPath: + description: Path of k8s service account JWT path. + type: string + type: object + serviceCluster: + description: |- + Service cluster defines the name for the `service_cluster` that is + shared by all Envoy instances. This setting corresponds to + `--service-cluster` flag in Envoy. In a typical Envoy deployment, the + `service-cluster` flag is used to identify the caller, for + source-based routing scenarios. + + + Since Istio does not assign a local `service/service` version to each + Envoy instance, the name is same for all of them. However, the + source/caller's identity (e.g., IP address) is encoded in the + `--service-node` flag when launching Envoy. When the RDS service + receives API calls from Envoy, it uses the value of the `service-node` + flag to compute routes that are relative to the service instances + located at that IP address. + type: string + statNameLength: + description: |- + Maximum length of name field in Envoy's metrics. The length of the name field + is determined by the length of a name field in a service and the set of labels that + comprise a particular version of the service. The default value is set to 189 characters. + Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. + Increase the value of this field if you find that the metrics from Envoys are truncated. + format: int32 + type: integer + statsdUdpAddress: + description: IP Address and Port of a statsd UDP listener + (e.g. `10.75.241.127:9125`). + type: string + statusPort: + description: |- + Port on which the agent should listen for administrative commands such as readiness probe. + Default is set to port `15020`. + format: int32 + type: integer + terminationDrainDuration: + description: |- + The amount of time allowed for connections to complete on proxy shutdown. + On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start draining, + preventing any new connections and allowing existing connections to complete. It then + sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + If not set, a default of `5s` will be applied. + type: string + tracing: + description: Tracing configuration to be used by the proxy. + properties: + customTags: + additionalProperties: + description: |- + Configure custom tags that will be added to any active span. + Tags can be generated via literals, environment variables or an incoming request header. + properties: + environment: + description: |- + The custom tag's value should be populated from an environmental + variable + properties: + defaultValue: + description: |- + When the environment variable is not found, + the tag's value will be populated with this default value if specified, + otherwise the tag will not be populated. + type: string + name: + description: Name of the environment variable + used to populate the tag's value + type: string + type: object + header: + description: |- + The custom tag's value is populated by an http header from + an incoming request. + properties: + defaultValue: + description: |- + Default value to be used for the tag when the named HTTP header does not exist. + The tag will be skipped if no default value is provided. + type: string + name: + description: HTTP header name used to obtain + the value from to populate the tag value. + type: string + type: object + literal: + description: The custom tag's value is the specified + literal. + properties: + value: + description: Static literal value used to + populate the tag value. + type: string + type: object + type: object + x-kubernetes-validations: + - message: At most one of [literal environment header] + should be set + rule: (has(self.literal)?1:0) + (has(self.environment)?1:0) + + (has(self.header)?1:0) <= 1 + description: "and gateways).\nThe key represents the + name of the tag.\nEx:\n```yaml\ncustom_tags:\n\n\n\tnew_tag_name:\n\t + \ header:\n\t name: custom-http-header-name\n\t + \ default_value: defaulted-value-from-custom-header\n\n\n```" + type: object + datadog: + description: Use a Datadog tracer. + properties: + address: + description: Address of the Datadog Agent. + type: string + type: object + lightstep: + description: |- + Use a Lightstep tracer. + NOTE: For Istio 1.15+, this configuration option will result + in using OpenTelemetry-based Lightstep integration. + properties: + accessToken: + description: The Lightstep access token. + type: string + address: + description: Address of the Lightstep Satellite + pool. + type: string + type: object + maxPathTagLength: + description: |- + Configures the maximum length of the request path to extract and include in the + HttpUrl tag. Used to truncate length request paths to meet the needs of tracing + backend. If not set, then a length of 256 will be used. + format: int32 + type: integer + openCensusAgent: + description: Use an OpenCensus tracer exporting to + an OpenCensus agent. + properties: + address: + description: |- + gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or + unix:path). See [gRPC naming + docs](https://github.com/grpc/grpc/blob/master/doc/naming.md) for + details. + type: string + context: + description: |- + Specifies the set of context propagation headers used for distributed + tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified, + the proxy will attempt to read each header for each request and will + write all headers. + items: + description: |- + TraceContext selects the context propagation headers used for + distributed tracing. + enum: + - UNSPECIFIED + - W3C_TRACE_CONTEXT + - GRPC_BIN + - CLOUD_TRACE_CONTEXT + - B3 + type: string + type: array + type: object + sampling: + description: |- + The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, + if not requested by the client or not forced. Default is 1.0. + type: number + stackdriver: + description: Use a Stackdriver tracer. + properties: + debug: + description: debug enables trace output to stdout. + type: boolean + maxNumberOfAnnotations: + description: |- + The global default max number of annotation events per span. + default is 200. + format: int64 + type: integer + maxNumberOfAttributes: + description: |- + The global default max number of attributes per span. + default is 200. + format: int64 + type: integer + maxNumberOfMessageEvents: + description: |- + The global default max number of message events per span. + default is 200. + format: int64 + type: integer + type: object + tlsSettings: + description: |- + Use the tls_settings to specify the tls mode to use. If the remote tracing service + uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will not verify the server's certificate. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + This flag should only be set if global CA signature verification is + enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`, + but no verification is desired for a specific host. If enabled with or + without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and + SAN will be skipped. + + + `insecureSkipVerify` is `false` by default. + `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will + be `true` by default in a later version where, going forward, it will be + enabled by default. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` + environmental variable is set to `true`. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of subject_alt_names + from the ServiceEntry. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` + and `ENABLE_AUTO_SNI` environmental variables are set to `true`. + items: + type: string + type: array + type: object + zipkin: + description: Use a Zipkin tracer. + properties: + address: + description: Address of the Zipkin service (e.g. + _zipkin:9411_). + type: string + type: object + type: object + x-kubernetes-validations: + - message: At most one of [zipkin lightstep datadog stackdriver + openCensusAgent] should be set + rule: (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + + (has(self.openCensusAgent)?1:0) <= 1 + tracingServiceName: + description: |- + Used by Envoy proxies to assign the values for the service names in trace + spans. + enum: + - APP_LABEL_AND_NAMESPACE + - CANONICAL_NAME_ONLY + - CANONICAL_NAME_AND_NAMESPACE + type: string + zipkinAddress: + description: |- + Address of the Zipkin service (e.g. _zipkin:9411_). + DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto. + type: string + type: object + x-kubernetes-validations: + - message: At most one of [serviceCluster tracingServiceName] + should be set + rule: (has(self.serviceCluster)?1:0) + (has(self.tracingServiceName)?1:0) + <= 1 + defaultDestinationRuleExportTo: + description: |- + The default value for the `DestinationRule.export_to` field. Has the same + syntax as `default_service_export_to`. + + + If not set the system will use "*" as the default value which implies that + destination rules are exported to all namespaces + items: + type: string + type: array + defaultHttpRetryPolicy: + description: "Configure the default HTTP retry policy.\nThe + default number of retry attempts is set at 2 for these errors:\n\n\n\t\"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes\".\n\n\nSetting + the number of attempts to 0 disables retry policy globally.\nThis + setting can be overridden on a per-host basis using the + Virtual Service\nAPI.\nAll settings in the retry policy + except `perTryTimeout` can currently be\nconfigured globally + via this field." + properties: + attempts: + description: |- + Number of retries to be allowed for a given request. The interval + between retries will be determined automatically (25ms+). When request + `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute) + or `per_try_timeout` is configured, the actual number of retries attempted also depends on + the specified request `timeout` and `per_try_timeout` values. MUST BE >= 0. If `0`, retries will be disabled. + The maximum possible number of requests made will be 1 + `attempts`. + format: int32 + type: integer + perTryTimeout: + description: |- + Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms. + Default is same value as request + `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute), + which means no timeout. + type: string + retryOn: + description: |- + Specifies the conditions under which retry takes place. + One or more policies can be specified using a ‘,’ delimited list. + If `retry_on` specifies a valid HTTP status, it will be added to retriable_status_codes retry policy. + See the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on) + and [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on) for more details. + type: string + retryRemoteLocalities: + description: |- + Flag to specify whether the retries should retry to other localities. + See the [retry plugin configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration) for more details. + type: boolean + type: object + defaultProviders: + description: Specifies extension providers to use by default + in Istio configuration resources. + properties: + accessLogging: + description: Name of the default provider(s) for access + logging. + items: + type: string + type: array + metrics: + description: Name of the default provider(s) for metrics. + items: + type: string + type: array + tracing: + description: Name of the default provider(s) for tracing. + items: + type: string + type: array + type: object + defaultServiceExportTo: + description: |- + The default value for the ServiceEntry.export_to field and services + imported through container registry integrations, e.g. this applies to + Kubernetes Service resources. The value is a list of namespace names and + reserved namespace aliases. The allowed namespace aliases are: + ``` + * - All Namespaces + . - Current Namespace + ~ - No Namespace + ``` + If not set the system will use "*" as the default value which implies that + services are exported to all namespaces. + + + `All namespaces` is a reasonable default for implementations that don't + need to restrict access or visibility of services across namespace + boundaries. If that requirement is present it is generally good practice to + make the default `Current namespace` so that services are only visible + within their own namespaces by default. Operators can then expand the + visibility of services to other namespaces as needed. Use of `No Namespace` + is expected to be rare but can have utility for deployments where + dependency management needs to be precise even within the scope of a single + namespace. + + + For further discussion see the reference documentation for `ServiceEntry`, + `Sidecar`, and `Gateway`. + items: + type: string + type: array + defaultVirtualServiceExportTo: + description: |- + The default value for the VirtualService.export_to field. Has the same + syntax as `default_service_export_to`. + + + If not set the system will use "*" as the default value which implies that + virtual services are exported to all namespaces + items: + type: string + type: array + disableEnvoyListenerLog: + description: |- + This flag disables Envoy Listener logs. + See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log) + Istio Enables Envoy's listener access logs on "NoRoute" response flag. + Default value is `false`. + type: boolean + discoverySelectors: + description: |- + A list of Kubernetes selectors that specify the set of namespaces that Istio considers when + computing configuration updates for sidecars. This can be used to reduce Istio's computational load + by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. + If omitted, Istio will use the default behavior of processing all namespaces in the cluster. + Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. + The following example selects any namespace that matches either below: + 1. The namespace has both of these labels: `env: prod` and `region: us-east1` + 2. The namespace has label `app` equal to `cassandra` or `spark`. + ```yaml + discoverySelectors: + - matchLabels: + env: prod + region: us-east1 + - matchExpressions: + - key: app + operator: In + values: + - cassandra + - spark + + + ``` + Refer to the [Kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) + for additional detail on selector semantics. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + dnsRefreshRate: + description: |- + Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS` + Default refresh rate is `60s`. + type: string + enableAutoMtls: + description: |- + This flag is used to enable mutual `TLS` automatically for service to service communication + within the mesh, default true. + If set to true, and a given service does not have a corresponding `DestinationRule` configured, + or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side + TLS configuration appropriately. More specifically, + If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate + for mutual `TLS` to connect to upstream. + If upstream service is in plain text mode, use plain text. + If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use + mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic. + If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead. + type: boolean + enableEnvoyAccessLogService: + description: |- + This flag enables Envoy's gRPC Access Log Service. + See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto) + for details about Envoy's gRPC Access Log Service API. + Default value is `false`. + type: boolean + enablePrometheusMerge: + description: |- + If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy + and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod + and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. + This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and + `prometheus.io/path` annotations. + If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. + In this case, it is recommended to disable aggregation on that deployment with the + `prometheus.istio.io/merge-metrics: "false"` annotation. + If not specified, this will be enabled by default. + type: boolean + enableTracing: + description: |- + Flag to control generation of trace spans and request IDs. + Requires a trace span collector defined in the proxy configuration. + type: boolean + extensionProviders: + description: |- + Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy + can be used with an extension provider to delegate the authorization decision to a custom authorization system. + items: + properties: + datadog: + description: Configures a Datadog tracing provider. + properties: + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the Datadog agent. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com". + type: string + required: + - port + - service + type: object + envoyExtAuthzGrpc: + description: Configures an external authorizer that + implements the Envoy ext_authz filter authorization + check service using the gRPC API. + properties: + failOpen: + description: |- + If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, + or if the authorization service has returned a HTTP 5xx error. + Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately. + type: boolean + includeRequestBodyInCheck: + description: If set, the client request body will + be included in the authorization request sent + to the authorization service. + properties: + allowPartialMessage: + description: |- + When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. + A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message + indicating if the body data is partial. + type: boolean + maxRequestBytes: + description: |- + Sets the maximum size of a message body that the ext-authz filter will hold in memory. + If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + Otherwise the request will be sent to the provider with a partial message. + Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the + fail_open is set to true. + format: int32 + type: integer + packAsBytes: + description: |- + If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes + in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). + Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). + This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + type: boolean + type: object + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". + type: string + statusOnError: + description: |- + Sets the HTTP status that is returned to the client when there is a network error to the authorization service. + The default status is "403" (HTTP Forbidden). + type: string + timeout: + description: |- + The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). + When this timeout condition is met, the proxy marks the communication to the authorization service as failure. + In this situation, the response sent back to the client will depend on the configured `fail_open` field. + type: string + required: + - port + - service + type: object + envoyExtAuthzHttp: + description: Configures an external authorizer that + implements the Envoy ext_authz filter authorization + check service using the HTTP API. + properties: + failOpen: + description: |- + If true, the user request will be allowed even if the communication with the authorization service has failed, + or if the authorization service has returned a HTTP 5xx error. + Default is false and the request will be rejected with "Forbidden" response. + type: boolean + headersToDownstreamOnAllow: + description: |- + List of headers from the authorization service that should be forwarded to downstream when the authorization + check result is allowed (HTTP code 200). + If not specified, the original response will not be modified and forwarded to downstream as-is. + Note, any existing headers will be overridden. + + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + headersToDownstreamOnDeny: + description: |- + List of headers from the authorization service that should be forwarded to downstream when the authorization + check result is not allowed (HTTP code other than 200). + If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to + the downstream. + When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are + automatically added. + Note, the body from the authorization service is always included in the response to downstream. + + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + headersToUpstreamOnAllow: + description: |- + List of headers from the authorization service that should be added or overridden in the original request and + forwarded to the upstream when the authorization check result is allowed (HTTP code 200). + If not specified, the original request will not be modified and forwarded to backend as-is. + Note, any existing headers will be overridden. + + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + includeAdditionalHeadersInCheck: + additionalProperties: + type: string + description: |- + Set of additional fixed headers that should be included in the authorization request sent to the authorization service. + Key is the header name and value is the header value. + Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + type: object + includeHeadersInCheck: + description: |- + DEPRECATED. Use include_request_headers_in_check instead. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + items: + type: string + type: array + includeRequestBodyInCheck: + description: If set, the client request body will + be included in the authorization request sent + to the authorization service. + properties: + allowPartialMessage: + description: |- + When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. + A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message + indicating if the body data is partial. + type: boolean + maxRequestBytes: + description: |- + Sets the maximum size of a message body that the ext-authz filter will hold in memory. + If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + Otherwise the request will be sent to the provider with a partial message. + Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the + fail_open is set to true. + format: int32 + type: integer + packAsBytes: + description: |- + If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes + in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). + Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). + This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + type: boolean + type: object + includeRequestHeadersInCheck: + description: |- + List of client request headers that should be included in the authorization request sent to the authorization service. + Note that in addition to the headers specified here following headers are included by default: + 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. + 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization + request can include the buffered client request body (controlled by include_request_body_in_check setting), + consequently the value of Content-Length of the authorization request reflects the size of its payload size. + + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + pathPrefix: + description: |- + Sets a prefix to the value of authorization request header *Path*. + For example, setting this to "/check" for an original user request at path "/admin" will cause the + authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin". + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". + type: string + statusOnError: + description: |- + Sets the HTTP status that is returned to the client when there is a network error to the authorization service. + The default status is "403" (HTTP Forbidden). + type: string + timeout: + description: |- + The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). + When this timeout condition is met, the proxy marks the communication to the authorization service as failure. + In this situation, the response sent back to the client will depend on the configured `fail_open` field. + type: string + required: + - port + - service + type: object + envoyFileAccessLog: + description: Configures an Envoy File Access Log provider. + properties: + logFormat: + description: Optional. Allows overriding of the + default access log format. + properties: + labels: + additionalProperties: + type: string + description: "JSON structured format for the + envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan + be used as values for fields within the Struct. + Values are rendered\nas strings, numbers, + or boolean values, as appropriate\n(see: [format + dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). + Nested JSON is\nsupported for some command + operators (e.g. `FILTER_STATE` or `DYNAMIC_METADATA`).\nUse + `labels: {}` for default envoy JSON log format.\n\n\nExample:\n```\nlabels:\n\n\n\tstatus: + \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n\n```" + type: object + text: + description: |- + Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be + used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + + + NOTE: Istio will insert a newline ('\n') on all formats (if missing). + + + Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` + type: string + type: object + x-kubernetes-validations: + - message: At most one of [text labels] should be + set + rule: (has(self.text)?1:0) + (has(self.labels)?1:0) + <= 1 + path: + description: |- + Path to a local file to write the access log entries. + This may be used to write to streams, via `/dev/stderr` and `/dev/stdout` + If unspecified, defaults to `/dev/stdout`. + type: string + type: object + envoyHttpAls: + description: Configures an Envoy Access Logging Service + provider for HTTP traffic. + properties: + additionalRequestHeadersToLog: + description: Optional. Additional request headers + to log. + items: + type: string + type: array + additionalResponseHeadersToLog: + description: Optional. Additional response headers + to log. + items: + type: string + type: array + additionalResponseTrailersToLog: + description: Optional. Additional response trailers + to log. + items: + type: string + type: array + filterStateObjectsToLog: + description: Optional. Additional filter state objects + to log. + items: + type: string + type: array + logName: + description: |- + Optional. The friendly name of the access log. + Defaults: + - "http_envoy_accesslog" + - "listener_envoy_accesslog" + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". + type: string + required: + - port + - service + type: object + envoyOtelAls: + description: Configures an Envoy Open Telemetry Access + Logging Service provider. + properties: + logFormat: + description: |- + Optional. Format for the proxy access log + Empty value results in proxy's default access log format, following Envoy access logging formatting. + properties: + labels: + additionalProperties: + type: string + description: "Optional. Additional attributes + that describe the specific event occurrence.\nStructured + format for the envoy access logs. Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan + be used as values for fields within the Struct. + Values are rendered\nas strings, numbers, + or boolean values, as appropriate\n(see: [format + dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). + Nested JSON is\nsupported for some command + operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias + to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\n\nExample:\n```\nlabels:\n\n\n\tstatus: + \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n\n```" + type: object + text: + description: |- + Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be + used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` + type: string + type: object + logName: + description: |- + Optional. The friendly name of the access log. + Defaults: + - "otel_envoy_accesslog" + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". + type: string + required: + - port + - service + type: object + envoyTcpAls: + description: Configures an Envoy Access Logging Service + provider for TCP traffic. + properties: + filterStateObjectsToLog: + description: Optional. Additional filter state objects + to log. + items: + type: string + type: array + logName: + description: |- + Optional. The friendly name of the access log. + Defaults: + - "tcp_envoy_accesslog" + - "listener_envoy_accesslog" + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". + type: string + required: + - port + - service + type: object + lightstep: + description: |- + Configures a Lightstep tracing provider. + Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027 + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + properties: + accessToken: + description: The Lightstep access token. + type: string + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the Lightstep collector. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com". + type: string + required: + - port + - service + type: object + name: + description: REQUIRED. A unique name identifying the + extension provider. + type: string + opencensus: + description: |- + Configures an OpenCensusAgent tracing provider. + Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/ + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + properties: + context: + description: |- + Specifies the set of context propagation headers used for distributed + tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified, + the proxy will attempt to read each header for each request and will + write all headers. + items: + description: |- + TraceContext selects the context propagation headers used for + distributed tracing. + enum: + - UNSPECIFIED + - W3C_TRACE_CONTEXT + - GRPC_BIN + - CLOUD_TRACE_CONTEXT + - B3 + type: string + type: array + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the OpenCensusAgent. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com". + type: string + required: + - port + - service + type: object + opentelemetry: + description: Configures an OpenTelemetry tracing provider. + properties: + http: + description: "Optional. Specifies the configuration + for exporting OTLP traces via HTTP.\nWhen empty, + traces will be exported via gRPC.\n\n\nThe following + example shows how to configure the OpenTelemetry + ExtensionProvider to export via HTTP:\n\n\n1. + Add/change the OpenTelemetry extension provider + in `MeshConfig`\n```yaml\n - name: otel-tracing\n + \ opentelemetry:\n port: 443\n service: + my.olly-backend.com\n http:\n path: \"/api/otlp/traces\"\n + \ timeout: 10s\n headers:\n - name: \"my-custom-header\"\n + \ value: \"some value\"\n\n\n```\n\n\n2. Deploy + a `ServiceEntry` for the observability back-end\n```yaml\napiVersion: + networking.istio.io/v1alpha3\nkind: ServiceEntry\nmetadata:\n\n\n\tname: + my-olly-backend\n\n\nspec:\n\n\n\thosts:\n\t- + my.olly-backend.com\n\tports:\n\t- number: 443\n\t + \ name: https-port\n\t protocol: HTTPS\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n\n---\napiVersion: + networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n\n\n\tname: + my-olly-backend\n\n\nspec:\n\n\n\thost: my.olly-backend.com\n\ttrafficPolicy:\n\t + \ portLevelSettings:\n\t - port:\n\t number: + 443\n\t tls:\n\t mode: SIMPLE\n\n\n```" + properties: + headers: + description: |- + Optional. Allows specifying custom HTTP headers that will be added + to each HTTP request sent. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + path: + description: REQUIRED. Specifies the path on + the service. + type: string + timeout: + description: |- + Optional. Specifies the timeout for the HTTP request. + If not specified, the default is 3s. + type: string + required: + - path + type: object + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + resourceDetectors: + description: |- + Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) + to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged + according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). + + + The following example shows how to configure the Environment Resource Detector, that will + read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`: + + + ```yaml + - name: otel-tracing + opentelemetry: + port: 443 + service: my.olly-backend.com + resource_detectors: + environment: {} + + + ``` + properties: + dynatrace: + description: |- + Dynatrace Resource Detector. + The resource detector reads from the Dynatrace enrichment files + and adds host/process related attributes to the OpenTelemetry resource. + + + See: [Enrich ingested data with Dynatrace-specific dimensions](https://docs.dynatrace.com/docs/shortlink/enrichment-files) + type: object + environment: + description: |- + OpenTelemetry Environment Resource Detector. + The resource detector reads attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES` + and adds them to the OpenTelemetry resource. + + + See: [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable) + type: object + type: object + service: + description: |- + REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com". + type: string + required: + - port + - service + type: object + prometheus: + description: Configures a Prometheus metrics provider. + type: object + skywalking: + description: Configures a Apache SkyWalking provider. + properties: + accessToken: + description: Optional. The SkyWalking OAP access + token. + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the SkyWalking receiver. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com". + type: string + required: + - port + - service + type: object + stackdriver: + description: Configures a Stackdriver provider. + properties: + debug: + description: |- + debug enables trace output to stdout. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + type: boolean + logging: + description: Optional. Controls Stackdriver logging + behavior. + properties: + labels: + additionalProperties: + type: string + description: "Collection of tag names and tag + expressions to include in the log\nentry. + Conflicts are resolved by the tag name by + overriding previously\nsupplied values.\n\n\nExample:\n\n\n\tlabels:\n\t + \ path: request.url_path\n\t foo: request.headers['x-foo']" + type: object + type: object + maxNumberOfAnnotations: + description: |- + The global default max number of annotation events per span. + default is 200. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + format: int64 + type: integer + maxNumberOfAttributes: + description: |- + The global default max number of attributes per span. + default is 200. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + format: int64 + type: integer + maxNumberOfMessageEvents: + description: |- + The global default max number of message events per span. + default is 200. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + format: int64 + type: integer + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + type: object + zipkin: + description: Configures a tracing provider that uses + the Zipkin API. + properties: + enable64bitTraceId: + description: |- + Optional. A 128 bit trace id will be used in Istio. + If true, will result in a 64 bit trace id being used. + type: boolean + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that the Zipkin API. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com". + type: string + required: + - port + - service + type: object + required: + - name + type: object + x-kubernetes-validations: + - message: At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc + zipkin lightstep datadog stackdriver opencensus skywalking + opentelemetry prometheus envoyFileAccessLog envoyHttpAls + envoyTcpAls envoyOtelAls] should be set + rule: (has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0) + + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0) + + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0) + + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0) + + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0) + <= 1 + maxItems: 1000 + type: array + h2UpgradePolicy: + description: |- + Specify if http1.1 connections should be upgraded to http2 by default. + if sidecar is installed on all pods in the mesh, then this should be set to `UPGRADE`. + If one or more services or namespaces do not have sidecar(s), then this should be set to `DO_NOT_UPGRADE`. + It can be enabled by destination using the `destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy` override. + enum: + - DO_NOT_UPGRADE + - UPGRADE + type: string + inboundClusterStatName: + description: |- + Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for + network filters like TCP and Redis. + By default, Istio emits statistics with the pattern `inbound|||`. + For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern. + + + A Pattern can be composed of various pre-defined variables. The following variables are supported. + + + - `%SERVICE%` - Will be substituted with name of the service. + - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. + - `%SERVICE_PORT%` - Will be substituted with port of the service. + - `%TARGET_PORT%` - Will be substituted with the target port of the service. + - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. + + + Following are some examples of supported patterns for reviews: + + + - `%SERVICE_FQDN%_%SERVICE_PORT%` will use reviews.prod.svc.cluster.local_7443 as the stats name. + - `%SERVICE%` will use reviews.prod as the stats name. + type: string + inboundTrafficPolicy: + description: |- + Set the default behavior of the sidecar for handling inbound + traffic to the application. If your application listens on + localhost, you will need to set this to `LOCALHOST`. + properties: + mode: + enum: + - PASSTHROUGH + - LOCALHOST + type: string + type: object + ingressClass: + description: |- + Class of ingress resources to be processed by Istio ingress + controller. This corresponds to the value of + `kubernetes.io/ingress.class` annotation. + type: string + ingressControllerMode: + description: |- + Defines whether to use Istio ingress controller for annotated or all ingress resources. + Default mode is `STRICT`. + enum: + - UNSPECIFIED + - "OFF" + - DEFAULT + - STRICT + type: string + ingressSelector: + description: |- + Defines which gateway deployment to use as the Ingress controller. This field corresponds to + the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. + By default, `ingressgateway` is used, which will select the default IngressGateway as it has the + `istio: ingressgateway` labels. + It is recommended that this is the same value as ingress_service. + type: string + ingressService: + description: |- + Name of the Kubernetes service used for the istio ingress controller. + If no ingress controller is specified, the default value `istio-ingressgateway` is used. + type: string + localityLbSetting: + description: |- + Locality based load balancing distribution or failover settings. + If unspecified, locality based load balancing will be enabled by default. + However, this requires outlierDetection to actually take effect for a particular + service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/ + properties: + distribute: + description: |- + Optional: only one of distribute, failover or failoverPriority can be set. + Explicitly specify loadbalancing weight across different zones and geographical locations. + Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) + If empty, the locality weight is set according to the endpoints number within it. + items: + description: |- + Describes how traffic originating in the 'from' zone or sub-zone is + distributed over a set of 'to' zones. Syntax for specifying a zone is + {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any + segment of the specification. Examples: + + + `*` - matches all localities + + + `us-west/*` - all zones and sub-zones within the us-west region + + + `us-west/zone-1/*` - all sub-zones within us-west/zone-1 + properties: + from: + description: Originating locality, '/' separated, + e.g. 'region/zone/sub_zone'. + type: string + to: + additionalProperties: + format: int32 + type: integer + description: |- + Map of upstream localities to traffic distribution weights. The sum of + all weights should be 100. Any locality not present will + receive no traffic. + type: object + type: object + type: array + enabled: + description: |- + enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is. + type: boolean + failover: + description: |- + Optional: only one of distribute, failover or failoverPriority can be set. + Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. + Should be used together with OutlierDetection to detect unhealthy endpoints. + Note: if no OutlierDetection specified, this will not take effect. + items: + description: |- + Specify the traffic failover policy across regions. Since zone and sub-zone + failover is supported by default this only needs to be specified for + regions when the operator needs to constrain traffic failover so that + the default behavior of failing over to any endpoint globally does not + apply. This is useful when failing over traffic across regions would not + improve service health or may need to be restricted for other reasons + like regulatory controls. + properties: + from: + description: Originating region. + type: string + to: + description: |- + Destination region the traffic will fail over to when endpoints in + the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: |- + failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + This is to support traffic failover across different groups of endpoints. + Two kinds of labels can be specified: + + + - Specify only label keys `[key1, key2, key3]`, istio would compare the label values of client with endpoints. + Suppose there are total N label keys `[key1, key2, key3, ...keyN]` specified: + + + 1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority. + 2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority. + 3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority. + 4. All the other endpoints have priority P(N) i.e. lowest priority. + + + - Specify labels with key and value `[key1=value1, key2=value2, key3=value3]`, istio would compare the labels with endpoints. + Suppose there are total N labels `[key1=value1, key2=value2, key3=value3, ...keyN=valueN]` specified: + + + 1. Endpoints matching all N labels have priority P(0) i.e. the highest priority. + 2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority. + 3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority. + 4. All the other endpoints have priority P(N) i.e. lowest priority. + + + Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match. + + + It can be any label specified on both client and server workloads. + The following labels which have special semantic meaning are also supported: + + + - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks. + - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`. + - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`. + - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`. + - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`. + + + The below topology config indicates the following priority levels: + + + ```yaml + failoverPriority: + - "topology.istio.io/network" + - "topology.kubernetes.io/region" + - "topology.kubernetes.io/zone" + - "topology.istio.io/subzone" + ``` + + + 1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority. + 2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority. + 3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority. + 4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority. + 5. all the other endpoints have the same lowest priority. + + + Suppose a service associated endpoints reside in multi clusters, the below example represents: + 1. endpoints in `clusterA` and has `version=v1` label have P(0) priority. + 2. endpoints not in `clusterA` but has `version=v1` label have P(1) priority. + 2. all the other endpoints have P(2) priority. + + + ```yaml + failoverPriority: + - "version=v1" + - "topology.istio.io/cluster=clusterA" + ``` + + + Optional: only one of distribute, failover or failoverPriority can be set. + And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect. + items: + type: string + type: array + type: object + meshMTLS: + description: "The below configuration parameters can be used + to specify TLSConfig for mesh traffic.\nFor example, a user + could enable min TLS version for ISTIO_MUTUAL traffic and + specify a curve for non ISTIO_MUTUAL traffic like below:\n```yaml\nmeshConfig:\n\n\n\tmeshMTLS:\n\t + \ minProtocolVersion: TLSV1_3\n\ttlsDefaults:\n\t Note: + applicable only for non ISTIO_MUTUAL scenarios\n\t ecdhCurves:\n\t + \ - P-256\n\t - P-512\n\n\n```\nConfiguration of mTLS + for traffic between workloads with ISTIO_MUTUAL TLS traffic.\n\n\nNote: + Mesh mTLS does not respect ECDH curves." + properties: + cipherSuites: + description: |- + Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. + If not specified, the following cipher suites will be used: + ``` + ECDHE-ECDSA-AES256-GCM-SHA384 + ECDHE-RSA-AES256-GCM-SHA384 + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + AES256-GCM-SHA384 + AES128-GCM-SHA256 + ``` + items: + type: string + type: array + ecdhCurves: + description: |- + Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. + If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to + [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto). + items: + type: string + type: array + minProtocolVersion: + description: |- + Optional: the minimum TLS protocol version. The default minimum + TLS version will be TLS 1.2. As servers may not be Envoy and be + set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the + minimum TLS version for clients may also be TLS 1.2. + In the current Istio implementation, the maximum TLS protocol version + is TLS 1.3. + enum: + - TLS_AUTO + - TLSV1_2 + - TLSV1_3 + type: string + type: object + outboundClusterStatName: + description: |- + Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for + network filters like TCP and Redis. + By default, Istio emits statistics with the pattern `outbound|||`. + For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern. + + + A Pattern can be composed of various pre-defined variables. The following variables are supported. + + + - `%SERVICE%` - Will be substituted with name of the service. + - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. + - `%SERVICE_PORT%` - Will be substituted with port of the service. + - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. + - `%SUBSET_NAME%` - Will be substituted with subset. + + + Following are some examples of supported patterns for reviews: + + + - `%SERVICE_FQDN%_%SERVICE_PORT%` will use `reviews.prod.svc.cluster.local_7443` as the stats name. + - `%SERVICE%` will use reviews.prod as the stats name. + type: string + outboundTrafficPolicy: + description: |- + Set the default behavior of the sidecar for handling outbound + traffic from the application. If your application uses one or + more external services that are not known apriori, setting the + policy to `ALLOW_ANY` will cause the sidecars to route any unknown + traffic originating from the application to its requested + destination. Users are strongly encouraged to use ServiceEntries + to explicitly declare any external dependencies, instead of using + `ALLOW_ANY`, so that traffic to these services can be + monitored. Can be overridden at a Sidecar level by setting the + `OutboundTrafficPolicy` in the [Sidecar + API](https://istio.io/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy). + Default mode is `ALLOW_ANY` which means outbound traffic to unknown destinations will be allowed. + properties: + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + pathNormalization: + description: |- + ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are + normalized by the sidecars and gateways. + The normalized paths will be used in all aspects through the requests' lifetime on the + sidecars and gateways, which includes routing decisions in outbound direction (client proxy), + authorization policy match and enforcement in inbound direction (server proxy), and the URL + path proxied to the upstream service. + If not set, the NormalizationType.DEFAULT configuration will be used. + properties: + normalization: + enum: + - DEFAULT + - NONE + - BASE + - MERGE_SLASHES + - DECODE_AND_MERGE_SLASHES + type: string + type: object + protocolDetectionTimeout: + description: |- + Automatic protocol detection uses a set of heuristics to + determine whether the connection is using TLS or not (on the + server side), as well as the application protocol being used + (e.g., http vs tcp). These heuristics rely on the client sending + the first bits of data. For server first protocols like MySQL, + MongoDB, etc. Envoy will timeout on the protocol detection after + the specified period, defaulting to non mTLS plain TCP + traffic. Set this field to tweak the period that Envoy will wait + for the client to send the first bits of data. (MUST BE >=1ms or + 0s to disable). Default detection timeout is 0s (no timeout). + + + Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit + occasionally, and when they occur the result is typically broken traffic that may not + recover on its own. Exceptionally high values might solve this, but injecting 60s delays + onto new connections is generally not tenable anyways. + type: string + proxyHttpPort: + description: Port on which Envoy should listen for HTTP PROXY + requests if set. + format: int32 + type: integer + proxyInboundListenPort: + description: |- + Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to. + Default port is 15006. + format: int32 + type: integer + proxyListenPort: + description: |- + Port on which Envoy should listen for all outbound traffic to other services. + Default port is 15001. + format: int32 + type: integer + rootNamespace: + description: |- + The namespace to treat as the administrative root namespace for + Istio configuration. When processing a leaf namespace Istio will search for + declarations in that namespace first and if none are found it will + search in the root namespace. Any matching declaration found in the root + namespace is processed as if it were declared in the leaf namespace. + + + The precise semantics of this processing are documented on each resource + type. + type: string + serviceSettings: + description: Settings to be applied to select services. + items: + description: |- + Settings to be applied to select services. + + + For example, the following configures all services in namespace "foo" as well as the + "bar" service in namespace "baz" to be considered cluster-local: + + + ```yaml + serviceSettings: + - settings: + cluster_local: true + hosts: + - "*.foo.svc.cluster.local" + - "bar.baz.svc.cluster.local" + + + ``` + properties: + hosts: + description: |- + The services to which the Settings should be applied. Services are selected using the hostname + matching rules used by DestinationRule. + + + For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local + items: + type: string + type: array + settings: + description: The settings to apply to the selected services. + properties: + clusterLocal: + description: |- + If true, specifies that the client and service endpoints must reside in the same cluster. + By default, in multi-cluster deployments, the Istio control plane assumes all service + endpoints to be reachable from any client in any of the clusters which are part of the + mesh. This configuration option limits the set of service endpoints visible to a client + to be cluster scoped. + + + There are some common scenarios when this can be useful: + + + - A service (or group of services) is inherently local to the cluster and has local storage + for that cluster. For example, the kube-system namespace (e.g. the Kube API Server). + - A mesh administrator wants to slowly migrate services to Istio. They might start by first + having services cluster-local and then slowly transition them to mesh-wide. They could do + this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group + (e.g. *.myns.svc.cluster.local). + + + By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all + services in the kube-system namespace to be cluster-local, unless explicitly overridden here. + type: boolean + type: object + type: object + type: array + tcpKeepalive: + description: If set then set `SO_KEEPALIVE` on the socket + to enable TCP Keepalives. + properties: + interval: + description: |- + The time duration between keep-alive probes. + Default is to use the OS level configuration + (unless overridden, Linux defaults to 75s.) + type: string + probes: + description: |- + Maximum number of keepalive probes to send without response before + deciding the connection is dead. Default is to use the OS level configuration + (unless overridden, Linux defaults to 9.) + format: int32 + type: integer + time: + description: |- + The time duration a connection needs to be idle before keep-alive + probes start being sent. Default is to use the OS level configuration + (unless overridden, Linux defaults to 7200s (ie 2 hours.) + type: string + type: object + tlsDefaults: + description: |- + Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. + Currently, this supports configuration of ecdh_curves and cipher_suites only. + For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. + properties: + cipherSuites: + description: |- + Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. + If not specified, the following cipher suites will be used: + ``` + ECDHE-ECDSA-AES256-GCM-SHA384 + ECDHE-RSA-AES256-GCM-SHA384 + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + AES256-GCM-SHA384 + AES128-GCM-SHA256 + ``` + items: + type: string + type: array + ecdhCurves: + description: |- + Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. + If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to + [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto). + items: + type: string + type: array + minProtocolVersion: + description: |- + Optional: the minimum TLS protocol version. The default minimum + TLS version will be TLS 1.2. As servers may not be Envoy and be + set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the + minimum TLS version for clients may also be TLS 1.2. + In the current Istio implementation, the maximum TLS protocol version + is TLS 1.3. + enum: + - TLS_AUTO + - TLSV1_2 + - TLSV1_3 + type: string + type: object + trustDomain: + description: |- + The trust domain corresponds to the trust root of a system. + Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain) + type: string + trustDomainAliases: + description: |- + The trust domain aliases represent the aliases of `trust_domain`. + For example, if we have + ```yaml + trustDomain: td1 + trustDomainAliases: ["td2", "td3"] + ``` + Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, + or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh. + items: + type: string + type: array + verifyCertificateAtClient: + description: |- + `VerifyCertificateAtClient` sets the mesh global default for peer certificate validation + at the client-side proxy when `SIMPLE` TLS or `MUTUAL` TLS (non `ISTIO_MUTUAL`) origination + modes are used. This setting can be overridden at the host level via DestinationRule API. + By default, `VerifyCertificateAtClient` is `true`. + + + `CaCertificates`: If set, proxy verifies CA signature based on given CaCertificates. If unset, + and VerifyCertificateAtClient is true, proxy uses default System CA bundle. If unset and + `VerifyCertificateAtClient` is false, proxy will not verify the CA. + + + `SubjectAltNames`: If set, proxy verifies subject alt names are present in the SAN. If unset, + and `VerifyCertificateAtClient` is true, proxy uses host in destination rule to verify the SANs. + If unset, and `VerifyCertificateAtClient` is false, proxy does not verify SANs. + + + For SAN, client-side proxy will exact match host in `DestinationRule` as well as one level + wildcard if the specified host in DestinationRule doesn't contain a wildcard. + For example, if the host in `DestinationRule` is `x.y.com`, client-side proxy will + match either `x.y.com` or `*.y.com` for the SAN in the presented server certificate. + For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example, + if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches + “.x.y.com` suffix. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + type: boolean + type: object + pilot: + description: Configuration for the Pilot component. + properties: + affinity: + description: K8s affinity to set on the Pilot Pods. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + autoscaleBehavior: + description: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + properties: + scaleDown: + description: |- + scaleDown is scaling policy for scaling Down. + If not set, the default value is to allow to scale down to minReplicas pods, with a + 300 second stabilization window (i.e., the highest recommendation for + the last 300sec is used). + properties: + policies: + description: |- + policies is a list of potential scaling polices which can be used during scaling. + At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: |- + periodSeconds specifies the window of time for which the policy should hold true. + PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: type is used to specify the scaling + policy. + type: string + value: + description: |- + value contains the amount of change which is permitted by the policy. + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: |- + selectPolicy is used to specify which policy should be used. + If not set, the default value Max is used. + type: string + stabilizationWindowSeconds: + description: |- + stabilizationWindowSeconds is the number of seconds for which past recommendations should be + considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). + If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + format: int32 + type: integer + type: object + scaleUp: + description: |- + scaleUp is scaling policy for scaling Up. + If not set, the default value is the higher of: + * increase no more than 4 pods per 60 seconds + * double the number of pods per 60 seconds + No stabilization is used. + properties: + policies: + description: |- + policies is a list of potential scaling polices which can be used during scaling. + At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: |- + periodSeconds specifies the window of time for which the policy should hold true. + PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: type is used to specify the scaling + policy. + type: string + value: + description: |- + value contains the amount of change which is permitted by the policy. + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: |- + selectPolicy is used to specify which policy should be used. + If not set, the default value Max is used. + type: string + stabilizationWindowSeconds: + description: |- + stabilizationWindowSeconds is the number of seconds for which past recommendations should be + considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). + If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + format: int32 + type: integer + type: object + type: object + autoscaleEnabled: + description: Controls whether a HorizontalPodAutoscaler is + installed for Pilot. + type: boolean + autoscaleMax: + description: Maximum number of replicas in the HorizontalPodAutoscaler + for Pilot. + format: int32 + type: integer + autoscaleMin: + description: Minimum number of replicas in the HorizontalPodAutoscaler + for Pilot. + format: int32 + type: integer + cni: + description: Configures whether to use an existing CNI installation + for workloads + properties: + chained: + description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + type: boolean + enabled: + description: Controls whether CNI should be used. + type: boolean + provider: + description: |- + Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an annotation + `k8s.v1.cni.cncf.io/networks` is set on injected pods to point to a NetworkAttachmentDefinition + type: string + type: object + configMap: + description: |- + Configuration settings passed to Pilot as a ConfigMap. + + + This controls whether the mesh config map, generated from values.yaml is generated. + If false, pilot wil use default values or user-supplied values, in that order of preference. + type: boolean + configNamespace: + description: Namespace that the configuration management feature + is installed into, if different from Pilot namespace. + type: string + configSource: + description: |- + ConfigSource describes a source of configuration data for networking + rules, and other Istio configuration artifacts. Multiple data sources + can be configured for a single control plane. + properties: + subscribedResources: + description: Describes the source of configuration, if + nothing is specified default is MCP. + items: + type: string + type: array + type: object + cpu: + description: |- + Target CPU utilization used in HorizontalPodAutoscaler. + + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + targetAverageUtilization: + description: |- + K8s utilization setting for HorizontalPodAutoscaler target. + + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + format: int32 + type: integer + type: object + deploymentLabels: + additionalProperties: + type: string + description: |- + Labels that are added to Pilot deployment. + + + See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + enableProtocolSniffingForInbound: + description: |- + Specifies whether protocol sniffing is enabled for inbound traffic. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: boolean + enableProtocolSniffingForOutbound: + description: |- + Specifies whether protocol sniffing is enabled for outbound traffic. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: boolean + enabled: + description: Controls whether Pilot is enabled. + type: boolean + env: + additionalProperties: + type: string + description: "Environment variables passed to the Pilot container.\n\n\nExamples:\nenv:\n\n\n\tENV_VAR_1: + value1\n\tENV_VAR_2: value2" + type: object + extraContainerArgs: + description: Additional container arguments for the Pilot + container. + items: + type: string + type: array + hub: + description: Hub to pull the container image from. Image will + be `Hub/Image:Tag-Variant`. + type: string + image: + description: |- + Image name used for Pilot. + + + This can be set either to image name if hub is also set, or can be set to the full hub:name string. + + + Examples: custom-pilot, docker.io/someuser:custom-pilot + type: string + ipFamilies: + description: |- + Defines which IP family to use for single stack or the order of IP families for dual-stack. + Valid list items are "IPv4", "IPv6". + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + items: + type: string + type: array + ipFamilyPolicy: + description: |- + Controls whether Services are configured to use IPv4, IPv6, or both. Valid options + are PreferDualStack, RequireDualStack, and SingleStack. + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + type: string + jwksResolverExtraRootCA: + description: |- + Specifies an extra root certificate in PEM format. This certificate will be trusted + by pilot when resolving JWKS URIs. + type: string + keepaliveMaxServerConnectionAge: + description: |- + Maximum duration that a sidecar can be connected to a pilot. + + + This setting balances out load across pilot instances, but adds some resource overhead. + + + Examples: 300s, 30m, 1h + type: string + memory: + description: |- + Target memory utilization used in HorizontalPodAutoscaler. + + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + targetAverageUtilization: + description: |- + K8s utilization setting for HorizontalPodAutoscaler target. + + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + format: int32 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + K8s node selector. + + + See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: object + podAnnotations: + additionalProperties: + type: string + description: |- + K8s annotations for pods. + + + See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: object + podLabels: + additionalProperties: + type: string + description: |- + Labels that are added to Pilot pods. + + + See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + replicaCount: + description: |- + Number of replicas in the Pilot Deployment. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + format: int32 + type: integer + resources: + description: |- + K8s resources settings. + + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + rollingMaxSurge: + anyOf: + - type: integer + - type: string + description: |- + K8s rolling update strategy + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + x-kubernetes-int-or-string: true + rollingMaxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The number of pods that can be unavailable during a rolling update (see + `strategy.rollingUpdate.maxUnavailable` here: + https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). + May be specified as a number of pods or as a percent of the total number + of pods at the start of the update. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + x-kubernetes-int-or-string: true + seccompProfile: + description: |- + The seccompProfile for the Pilot container. + + + See: https://kubernetes.io/docs/tutorials/security/seccomp/ + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + serviceAnnotations: + additionalProperties: + type: string + description: |- + K8s annotations for the Service. + + + See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + type: object + tag: + anyOf: + - type: integer + - type: string + description: The container image tag to pull. Image will be + `Hub/Image:Tag-Variant`. + x-kubernetes-int-or-string: true + tolerations: + description: |- + The node tolerations to be applied to the Pilot deployment so that it can be + scheduled to particular nodes with matching taints. + More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: The k8s topologySpreadConstraints for the Pilot + pods. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + traceSampling: + description: |- + Trace sampling fraction. + + + Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead. + + + Allowed values: 0.0 to 1.0 + type: number + useMCP: + description: |- + Controls whether Pilot is configured through the Mesh Control Protocol (MCP). + + + If set to true, Pilot requires an MCP server (like Galley) to be installed. + type: boolean + variant: + description: The container image variant to pull. Options + are "debug" or "distroless". Unset will use the default + for the given version. + type: string + volumeMounts: + description: Additional volumeMounts to add to the Pilot container. + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + + If ReadOnly is false, this field has no meaning and must be unspecified. + + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: Additional volumes to add to the Pilot Pod. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk + mount on the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk + in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in + the blob storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure + managed data disk (only in managed availability + set). defaults to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the + host that shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default + is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about + the pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field + properties: + fieldRef: + description: 'Required: Selects a field of + the pod: only annotations, labels, name, + namespace and uid are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and then + exposed to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to + use for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the + specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon + Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the + configMap data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about + the downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only annotations, + labels, name, namespace and uid + are supported.' + properties: + apiVersion: + description: Version of the + schema the FieldPath is written + in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field + to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file + to be created. Must not be absolute + or contain the ''..'' path. Must + be utf-8 encoded. The first item + of the relative path must not + start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: + required for volumes, optional + for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + description: secret information about the + secret data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: quobyte represents a Quobyte mount on the + host that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the + ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the + ScaleIO Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL + communication with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the + Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy + Based Management (SPBM) profile ID associated + with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + type: object + profile: + description: Specifies which installation configuration profile + to apply. + type: string + revision: + description: Identifies the revision this installation is associated + with. + type: string + revisionTags: + description: |- + Specifies the aliases for the Istio control plane revision. A MutatingWebhookConfiguration + is created for each alias. + items: + type: string + type: array + sidecarInjectorWebhook: + description: Configuration for the sidecar injector webhook. + properties: + alwaysInjectSelector: + description: See NeverInjectSelector. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + defaultTemplates: + description: 'defaultTemplates: ["sidecar", "hello"]' + items: + type: string + type: array + enableNamespacesByDefault: + description: Enables sidecar auto-injection in namespaces + by default. + type: boolean + injectedAnnotations: + additionalProperties: + type: string + description: |- + injectedAnnotations are additional annotations that will be added to the pod spec after injection + This is primarily to support PSP annotations. + type: object + injectionURL: + description: Configure the injection url for sidecar injector + webhook + type: string + neverInjectSelector: + description: |- + Instructs Istio to not inject the sidecar on those pods, based on labels that are present in those pods. + + + Annotations in the pods have higher precedence than the label selectors. + Order of evaluation: Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy. + See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + reinvocationPolicy: + description: 'Setting this to `IfNeeded` will result in the + sidecar injector being run again if additional mutations + occur. Default: Never' + type: string + rewriteAppHTTPProbe: + description: If true, webhook or istioctl injector will rewrite + PodSpec for liveness health check to redirect request to + sidecar. This makes liveness check work even when mTLS is + enabled. + type: boolean + templates: + additionalProperties: + type: string + description: "Templates defines a set of custom injection + templates that can be used. For example, defining:\n\n\ntemplates:\n\n\n\thello: + |\n\t metadata:\n\t labels:\n\t hello: world\n\n\nThen + starting a pod with the `inject.istio.io/templates: hello` + annotation, will result in the pod\nbeing injected with + the hello=world labels.\nThis is intended for advanced configuration + only; most users should use the built in template" + type: object + useLegacySelectors: + description: |- + If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook + requests in Istiod, rather than at the webhook selection level. + This is option is intended for migration purposes only and will be removed in Istio 1.10. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: boolean + type: object + telemetry: + description: Controls whether telemetry is exported for Pilot. + properties: + enabled: + description: Controls whether telemetry is exported for Pilot. + type: boolean + v2: + description: Configuration for Telemetry v2. + properties: + enabled: + description: Controls whether pilot will configure telemetry + v2. + type: boolean + prometheus: + description: Telemetry v2 settings for prometheus. + properties: + enabled: + description: Controls whether stats envoyfilter would + be enabled or not. + type: boolean + type: object + stackdriver: + description: Telemetry v2 settings for stackdriver. + properties: + enabled: + type: boolean + type: object + type: object + type: object + type: object + version: + description: |- + Defines the version of Istio to install. + Must be one of: v1.22.3, v1.22.2, v1.22.1, v1.22.0, v1.21.5, v1.21.4, v1.21.3, v1.21.2, v1.21.0, latest. + enum: + - v1.22.3 + - v1.22.2 + - v1.22.1 + - v1.22.0 + - v1.21.5 + - v1.21.4 + - v1.21.3 + - v1.21.2 + - v1.21.0 + - latest + type: string + required: + - namespace + - version + type: object + x-kubernetes-validations: + - message: spec.values.global.istioNamespace must match spec.namespace + rule: self.values.global.istioNamespace == self.__namespace__ + status: + description: IstioRevisionStatus defines the observed state of IstioRevision + properties: + conditions: + description: Represents the latest available observations of the object's + current state. + items: + description: IstioRevisionCondition represents a specific observation + of the IstioRevision object's state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + the last transition. + type: string + reason: + description: Unique, single-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: The status of this condition. Can be True, False + or Unknown. + type: string + type: + description: The type of this condition. + type: string + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the most recent generation observed for this + IstioRevision object. It corresponds to the object's generation, which is + updated on mutation by the API Server. The information in the status + pertains to this particular generation of the object. + format: int64 + type: integer + state: + description: Reports the current state of the object. + type: string + type: object + type: object + x-kubernetes-validations: + - message: spec.values.revision must match metadata.name + rule: 'self.metadata.name == ''default'' ? (!has(self.spec.values.revision) + || size(self.spec.values.revision) == 0) : self.spec.values.revision == + self.metadata.name' + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/operator.istio.io_istios.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/operator.istio.io_istios.yaml new file mode 100644 index 00000000000..40b788896b2 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/operator.istio.io_istios.yaml @@ -0,0 +1,8193 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + creationTimestamp: null + name: istios.operator.istio.io +spec: + group: operator.istio.io + names: + categories: + - istio-io + kind: Istio + listKind: IstioList + plural: istios + singular: istio + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Total number of IstioRevision objects currently associated with + this object. + jsonPath: .status.revisions.total + name: Revisions + type: string + - description: Number of revisions that are ready. + jsonPath: .status.revisions.ready + name: Ready + type: string + - description: Number of revisions that are currently being used by workloads. + jsonPath: .status.revisions.inUse + name: In use + type: string + - description: The current state of the active revision. + jsonPath: .status.state + name: Active Revision + type: string + - description: The version of the control plane installation. + jsonPath: .spec.version + name: Version + type: string + - description: The age of the object + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Istio represents an Istio Service Mesh deployment consisting of one or more + control plane instances (represented by one or more IstioRevision objects). + To deploy an Istio Service Mesh, a user creates an Istio object with the + desired Istio version and configuration. The operator then creates + an IstioRevision object, which in turn creates the underlying Deployment + objects for istiod and other control plane components, similar to how a + Deployment object in Kubernetes creates ReplicaSets that create the Pods. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + default: + namespace: istio-system + updateStrategy: + type: InPlace + version: v1.22.3 + description: IstioSpec defines the desired state of Istio + properties: + namespace: + default: istio-system + description: Namespace to which the Istio components should be installed. + type: string + profile: + description: |- + The built-in installation configuration profile to use. + The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. + Must be one of: ambient, default, demo, empty, external, minimal, openshift-ambient, openshift, preview, remote, stable. + enum: + - ambient + - default + - demo + - empty + - external + - minimal + - openshift-ambient + - openshift + - preview + - remote + - stable + type: string + updateStrategy: + default: + type: InPlace + description: Defines the update strategy to use when the version in + the Istio CR is updated. + properties: + inactiveRevisionDeletionGracePeriodSeconds: + description: |- + Defines how many seconds the operator should wait before removing a non-active revision after all + the workloads have stopped using it. You may want to set this value on the order of minutes. + The minimum and the default value is 30. + format: int64 + minimum: 30 + type: integer + type: + default: InPlace + description: "Type of strategy to use. Can be \"InPlace\" or \"RevisionBased\". + When the \"InPlace\" strategy\nis used, the existing Istio control + plane is updated in-place. The workloads therefore\ndon't need + to be moved from one control plane instance to another. When + the \"RevisionBased\"\nstrategy is used, a new Istio control + plane instance is created for every change to the\nIstio.spec.version + field. The old control plane remains in place until all workloads + have\nbeen moved to the new control plane instance.\n\n\nThe + \"InPlace\" strategy is the default.\tTODO: change default to + \"RevisionBased\"" + enum: + - InPlace + - RevisionBased + type: string + updateWorkloads: + description: |- + Defines whether the workloads should be moved from one control plane instance to another + automatically. If updateWorkloads is true, the operator moves the workloads from the old + control plane instance to the new one after the new control plane is ready. + If updateWorkloads is false, the user must move the workloads manually by updating the + istio.io/rev labels on the namespace and/or the pods. + Defaults to false. + type: boolean + type: object + values: + description: Defines the values to be passed to the Helm charts when + installing Istio. + properties: + base: + description: Configuration for the base component. + properties: + validationURL: + description: URL to use for validating webhook. + type: string + type: object + compatibilityVersion: + description: |- + Specifies the compatibility version to use. When this is set, the control plane will + be configured with the same defaults as the specified version. + type: string + defaultRevision: + description: The name of the default revision in the cluster. + type: string + global: + description: Global configuration for Istio components. + properties: + arch: + description: "Specifies pod scheduling arch(amd64, ppc64le, + s390x, arm64) and weight as follows:\n\n\n\t0 - Never scheduled\n\t1 + - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\n\nDeprecated: + replaced by the affinity k8s settings which allows architecture + nodeAffinity configuration of this behavior.\n\n\nDeprecated: + Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + properties: + amd64: + description: Sets pod scheduling weight for amd64 arch + format: int32 + type: integer + arm64: + description: Sets pod scheduling weight for arm64 arch. + format: int32 + type: integer + ppc64le: + description: Sets pod scheduling weight for ppc64le arch. + format: int32 + type: integer + s390x: + description: Sets pod scheduling weight for s390x arch. + format: int32 + type: integer + type: object + autoscalingv2API: + description: |- + TODO: remove this? + No longer used. + type: boolean + caAddress: + description: The address of the CA for CSR. + type: string + caName: + description: |- + The name of the CA for workloads. + For example, when caName=GkeWorkloadCertificate, GKE workload certificates + will be used as the certificates for workloads. + The default value is "" and when caName="", the CA will be configured by other + mechanisms (e.g., environmental variable CA_PROVIDER). + type: string + certSigners: + description: List of certSigners to allow "approve" action + in the ClusterRole + items: + type: string + type: array + configCluster: + description: Controls whether a remote cluster is the config + cluster for an external istiod + type: boolean + configRootNamespace: + description: |- + TODO: remove this? + No longer used. + type: string + configValidation: + description: Controls whether the server-side validation is + enabled. + type: boolean + defaultConfigVisibilitySettings: + description: |- + TODO: remove this? + No longer used. + items: + type: string + type: array + defaultNodeSelector: + additionalProperties: + type: string + description: |- + Default k8s node selector for all the Istio control plane components + + + See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: object + defaultPodDisruptionBudget: + description: |- + Specifies the default pod disruption budget configuration. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + enabled: + description: Controls whether a PodDisruptionBudget with + a default minAvailable value of 1 is created for each + deployment. + type: boolean + type: object + defaultResources: + description: |- + Default k8s resources settings for all Istio control plane components. + + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + defaultTolerations: + description: |- + Default node tolerations to be applied to all deployments so that all pods can be + scheduled to nodes with matching taints. Each component can overwrite + these default values by adding its tolerations block in the relevant section below + and setting the desired values. + Configure this field in case that all pods of Istio control plane are expected to + be scheduled to particular nodes with specified taints. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + externalIstiod: + description: Controls whether one external istiod is enabled. + type: boolean + hub: + description: Specifies the docker hub for Istio images. + type: string + imagePullPolicy: + description: |- + Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. + + + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + type: string + imagePullSecrets: + description: |- + ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace + to use for pulling any images in pods that reference this ServiceAccount. + Must be set for any cluster configured with private docker registry. + items: + type: string + type: array + ipFamilies: + description: |- + Defines which IP family to use for single stack or the order of IP families for dual-stack. + Valid list items are "IPv4", "IPv6". + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + items: + type: string + type: array + ipFamilyPolicy: + description: |- + Controls whether Services are configured to use IPv4, IPv6, or both. Valid options + are PreferDualStack, RequireDualStack, and SingleStack. + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + type: string + istioNamespace: + description: Specifies the default namespace for the Istio + control plane components. + type: string + istiod: + description: Specifies the configution of istiod + properties: + enableAnalysis: + description: If enabled, istiod will perform config analysis + type: boolean + type: object + jwtPolicy: + description: |- + Configure the policy for validating JWT. + This is deprecated and has no effect. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: string + logAsJson: + description: Specifies whether istio components should output + logs in json format by adding --log_as_json argument to + each container. + type: boolean + logging: + description: Specifies the global logging level settings for + the Istio control plane components. + properties: + level: + description: |- + Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + The control plane has different scopes depending on component, but can configure default log level across all components + If empty, default scope and level will be used as configured in code + type: string + type: object + meshID: + description: |- + The Mesh Identifier. It should be unique within the scope where + meshes will interact with each other, but it is not required to be + globally/universally unique. For example, if any of the following are true, + then two meshes must have different Mesh IDs: + - Meshes will have their telemetry aggregated in one place + - Meshes will be federated together + - Policy will be written referencing one mesh from the other + + + If an administrator expects that any of these conditions may become true in + the future, they should ensure their meshes have different Mesh IDs + assigned. + + + Within a multicluster mesh, each cluster must be (manually or auto) + configured to have the same Mesh ID value. If an existing cluster 'joins' a + multicluster mesh, it will need to be migrated to the new mesh ID. Details + of migration TBD, and it may be a disruptive operation to change the Mesh + ID post-install. + + + If the mesh admin does not specify a value, Istio will use the value of the + mesh's Trust Domain. The best practice is to select a proper Trust Domain + value. + type: string + meshNetworks: + additionalProperties: + description: |- + Network provides information about the endpoints in a routable L3 + network. A single routable L3 network can have one or more service + registries. Note that the network has no relation to the locality of the + endpoint. The endpoint locality will be obtained from the service + registry. + properties: + endpoints: + description: |- + The list of endpoints in the network (obtained through the + constituent service registries or from CIDR ranges). All endpoints in + the network are directly accessible to one another. + items: + description: "NetworkEndpoints describes how the network + associated with an endpoint\nshould be inferred. + An endpoint will be assigned to a network based + on\nthe following rules:\n\n\n1. Implicitly: If + the registry explicitly provides information about\nthe + network to which the endpoint belongs to. In some + cases, its\npossible to indicate the network associated + with the endpoint by\nadding the `ISTIO_META_NETWORK` + environment variable to the sidecar.\n\n\n2. Explicitly:\n\n\n\ta. + By matching the registry name with one of the \"fromRegistry\"\n\tin + the mesh config. A \"from_registry\" can only be + assigned to a\n\tsingle network.\n\n\n\tb. By matching + the IP against one of the CIDR ranges in a mesh\n\tconfig + network. The CIDR ranges must not overlap and be + assigned to\n\ta single network.\n\n\n(2) will override + (1) if both are present." + properties: + fromCidr: + description: |- + A CIDR range for the set of endpoints in this network. The CIDR + ranges for endpoints from different networks must not overlap. + type: string + fromRegistry: + description: |- + Add all endpoints from the specified registry into this network. + The names of the registries should correspond to the kubeconfig file name + inside the secret that was used to configure the registry (Kubernetes + multicluster) or supplied by MCP server. + type: string + type: object + x-kubernetes-validations: + - message: At most one of [fromCidr fromRegistry] + should be set + rule: (has(self.fromCidr)?1:0) + (has(self.fromRegistry)?1:0) + <= 1 + type: array + gateways: + description: Set of gateways associated with the network. + items: + description: |- + The gateway associated with this network. Traffic from remote networks + will arrive at the specified gateway:port. All incoming traffic must + use mTLS. + properties: + address: + description: IP address or externally resolvable + DNS address associated with the gateway. + type: string + locality: + description: The locality associated with an explicitly + specified gateway (i.e. ip) + type: string + port: + format: int32 + type: integer + registryServiceName: + description: |- + A fully qualified domain name of the gateway service. Pilot will + lookup the service from the service registries in the network and + obtain the endpoint IPs of the gateway from the service + registry. Note that while the service name is a fully qualified + domain name, it need not be resolvable outside the orchestration + platform for the registry. e.g., this could be + istio-ingressgateway.istio-system.svc.cluster.local. + type: string + type: object + x-kubernetes-validations: + - message: At most one of [registryServiceName address] + should be set + rule: (has(self.registryServiceName)?1:0) + (has(self.address)?1:0) + <= 1 + type: array + type: object + description: "Configure the mesh networks to be used by the + Split Horizon EDS.\n\n\nThe following example defines two + networks with different endpoints association methods.\nFor + `network1` all endpoints that their IP belongs to the provided + CIDR range will be\nmapped to network1. The gateway for + this network example is specified by its public IP\naddress + and port.\nThe second network, `network2`, in this example + is defined differently with all endpoints\nretrieved through + the specified Multi-Cluster registry being mapped to network2. + The\ngateway is also defined differently with the name of + the gateway service on the remote\ncluster. The public IP + for the gateway will be determined from that remote service + (only\nLoadBalancer gateway service type is currently supported, + for a NodePort type gateway service,\nit still need to be + configured manually).\n\n\nmeshNetworks:\n\n\n\tnetwork1:\n\t + \ endpoints:\n\t - fromCidr: \"192.168.0.1/24\"\n\t gateways:\n\t + \ - address: 1.1.1.1\n\t port: 80\n\tnetwork2:\n\t endpoints:\n\t + \ - fromRegistry: reg1\n\t gateways:\n\t - registryServiceName: + istio-ingressgateway.istio-system.svc.cluster.local\n\t + \ port: 443" + type: object + mountMtlsCerts: + description: Controls whether the in-cluster MTLS key and + certs are loaded from the secret volume mounts. + type: boolean + multiCluster: + description: Specifies the Configuration for Istio mesh across + multiple clusters through Istio gateways. + properties: + clusterName: + description: |- + The name of the cluster this installation will run in. This is required for sidecar injection + to properly label proxies + type: string + enabled: + description: |- + Enables the connection between two kubernetes clusters via their respective ingressgateway services. + Use if the pods in each cluster cannot directly talk to one another. + type: boolean + globalDomainSuffix: + description: The suffix for global service names. + type: string + includeEnvoyFilter: + description: Enable envoy filter to translate `globalDomainSuffix` + to cluster local suffix for cross cluster communication. + type: boolean + type: object + network: + description: |- + Network defines the network this cluster belong to. This name + corresponds to the networks in the map of mesh networks. + type: string + omitSidecarInjectorConfigMap: + description: |- + Controls whether the creation of the sidecar injector ConfigMap should be skipped. + Defaults to false. When set to true, the sidecar injector ConfigMap will not be created. + type: boolean + oneNamespace: + description: |- + Controls whether to restrict the applications namespace the controller manages; + If set it to false, the controller watches all namespaces. + type: boolean + operatorManageWebhooks: + description: |- + Controls whether the WebhookConfiguration resource(s) should be created. The current behavior + of Istiod is to manage its own webhook configurations. + When this option is set to true, Istio Operator, instead of webhooks, manages the + webhook configurations. When this option is set as false, webhooks manage their + own webhook configurations. + type: boolean + pilotCertProvider: + description: |- + Configure the Pilot certificate provider. + Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none". + type: string + platform: + description: |- + Platform in which Istio is deployed. Possible values are: "openshift" and "gcp" + An empty value means it is a vanilla Kubernetes distribution, therefore no special + treatment will be considered. + type: string + podDNSSearchNamespaces: + description: |- + Custom DNS config for the pod to resolve names of services in other + clusters. Use this to add additional search domains, and other settings. + see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + This does not apply to gateway pods as they typically need a different + set of DNS settings than the normal application pods (e.g. in multicluster scenarios). + items: + type: string + type: array + priorityClassName: + description: |- + Specifies the k8s priorityClassName for the istio control plane components. + + + See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: string + proxy: + description: Specifies how proxies are configured within Istio. + properties: + autoInject: + description: Controls the 'policy' in the sidecar injector. + type: string + clusterDomain: + description: |- + Domain for the cluster, default: "cluster.local". + + + K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ + type: string + componentLogLevel: + description: |- + Per Component log level for proxy, applies to gateways and sidecars. + + + If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used. + type: string + enableCoreDump: + description: |- + Enables core dumps for newly injected sidecars. + + + If set, newly injected sidecars will have core dumps enabled. + type: boolean + excludeIPRanges: + description: Lists the excluded IP ranges of Istio egress + traffic that the sidecar captures. + type: string + excludeInboundPorts: + description: Specifies the Istio ingress ports not to + capture. + type: string + excludeOutboundPorts: + description: A comma separated list of outbound ports + to be excluded from redirection to Envoy. + type: string + holdApplicationUntilProxyStarts: + description: |- + Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + + + Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: boolean + image: + description: |- + Image name or path for the proxy, default: "proxyv2". + + + If registry or tag are not specified, global.hub and global.tag are used. + + + Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0 + type: string + includeIPRanges: + description: |- + Lists the IP ranges of Istio egress traffic that the sidecar captures. + + + Example: "172.30.0.0/16,172.20.0.0/16" + This would only capture egress traffic on those two IP Ranges, all other outbound traffic would # be allowed by the sidecar." + type: string + includeInboundPorts: + description: |- + A comma separated list of inbound ports for which traffic is to be redirected to Envoy. + The wildcard character '*' can be used to configure redirection for all ports. + type: string + includeOutboundPorts: + description: A comma separated list of outbound ports + for which traffic is to be redirected to Envoy, regardless + of the destination IP. + type: string + lifecycle: + description: |- + The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + postStart: + description: |- + PostStart is called immediately after a container is created. If the handler fails, + the container is terminated and restarted according to its restart policy. + Other management of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents the duration that + the container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds + to sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: |- + PreStop is called immediately before a container is terminated due to an + API request or management event such as liveness/startup probe failure, + preemption, resource contention, etc. The handler is not called if the + container crashes or exits. The Pod's termination grace period countdown begins before the + PreStop hook is executed. Regardless of the outcome of the handler, the + container will eventually terminate within the Pod's termination grace + period (unless delayed by finalizers). Other management of the container blocks until the hook completes + or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents the duration that + the container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds + to sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for the backward compatibility. There are no validation of this field and + lifecycle hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + logLevel: + description: 'Log level for proxy, applies to gateways + and sidecars. If left empty, "warning" is used. Expected + values are: trace\|debug\|info\|warning\|error\|critical\|off' + type: string + privileged: + description: |- + Enables privileged securityContext for the istio-proxy container. + + + See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: boolean + readinessFailureThreshold: + description: Sets the number of successive failed probes + before indicating readiness failure. + format: int32 + type: integer + readinessInitialDelaySeconds: + description: Sets the initial delay for readiness probes + in seconds. + format: int32 + type: integer + readinessPeriodSeconds: + description: Sets the interval between readiness probes + in seconds. + format: int32 + type: integer + resources: + description: |- + K8s resources settings. + + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + startupProbe: + description: Configures the startup probe for the istio-proxy + container. + properties: + enabled: + description: |- + Enables or disables a startup probe. + For optimal startup times, changing this should be tied to the readiness probe values. + + + If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + and doesn't spam the readiness endpoint too much + + + If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + type: boolean + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + format: int32 + type: integer + type: object + statusPort: + description: Default port used for the Pilot agent's health + checks. + format: int32 + type: integer + tracer: + description: |- + Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. + If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + enum: + - zipkin + - lightstep + - datadog + - stackdriver + - openCensusAgent + - none + type: string + type: object + proxy_init: + description: Specifies the Configuration for proxy_init container + which sets the pods' networking to intercept the inbound/outbound + traffic. + properties: + image: + description: Specifies the image for the proxy_init container. + type: string + resources: + description: |- + K8s resources settings. + + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + type: object + remotePilotAddress: + description: Specifies the Istio control plane’s pilot Pod + IP address or remote cluster DNS resolvable hostname. + type: string + revision: + description: Configures the revision this control plane is + a part of + type: string + sds: + description: Specifies the Configuration for the SecretDiscoveryService + instead of using K8S secrets to mount the certificates. + properties: + token: + description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + properties: + aud: + type: string + type: object + type: object + sts: + description: Specifies the configuration for Security Token + Service. + properties: + servicePort: + format: int32 + type: integer + type: object + tag: + anyOf: + - type: integer + - type: string + description: Specifies the tag for the Istio docker images. + x-kubernetes-int-or-string: true + tracer: + description: Specifies the Configuration for each of the supported + tracers. + properties: + datadog: + description: Configuration for the datadog tracing service. + properties: + address: + description: Address in host:port format for reporting + trace data to the Datadog agent. + type: string + type: object + lightstep: + description: Configuration for the lightstep tracing service. + properties: + accessToken: + description: Sets the lightstep access token. + type: string + address: + description: Sets the lightstep satellite pool address + in host:port format for reporting trace data. + type: string + type: object + stackdriver: + description: Configuration for the stackdriver tracing + service. + properties: + debug: + description: enables trace output to stdout. + type: boolean + maxNumberOfAnnotations: + description: The global default max number of annotation + events per span. + format: int32 + type: integer + maxNumberOfAttributes: + description: The global default max number of attributes + per span. + format: int32 + type: integer + maxNumberOfMessageEvents: + description: The global default max number of message + events per span. + format: int32 + type: integer + type: object + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + + Example: .:941 + type: string + type: object + type: object + useMCP: + description: Controls whether to use of Mesh Configuration + Protocol to distribute configuration. + type: boolean + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + type: object + istiodRemote: + description: Configuration for istiod-remote. + properties: + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object + meshConfig: + description: |- + Defines runtime configuration of components, including Istiod and istio-agent behavior. + See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options. + TODO can this import the real mesh config API? + properties: + accessLogEncoding: + description: |- + Encoding for the proxy access log (`TEXT` or `JSON`). + Default value is `TEXT`. + enum: + - TEXT + - JSON + type: string + accessLogFile: + description: |- + File address for the proxy access log (e.g. /dev/stdout). + Empty value disables access logging. + type: string + accessLogFormat: + description: |- + Format for the proxy access log + Empty value results in proxy's default access log format + type: string + ca: + description: |- + If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA + using the Istio CA gRPC API. + properties: + address: + description: |- + REQUIRED. Address of the CA server implementing the Istio CA gRPC API. + Can be IP address or a fully qualified DNS name with port + Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000 + type: string + istiodSide: + description: |- + Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Default: true + type: boolean + requestTimeout: + description: |- + timeout for forward CSR requests from Istiod to External CA + Default: 10s + type: string + tlsSettings: + description: |- + Use the tls_settings to specify the tls mode to use. + Regarding tls_settings: + - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. + DISABLE MODE can also be used for testing + - TLS MUTUAL MODE be on by default. If the CA certificates + (cert bundle to verify the CA server's certificate) is omitted, Istiod will + use the system root certs to verify the CA server's certificate. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will not verify the server's certificate. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + This flag should only be set if global CA signature verification is + enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`, + but no verification is desired for a specific host. If enabled with or + without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and + SAN will be skipped. + + + `insecureSkipVerify` is `false` by default. + `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will + be `true` by default in a later version where, going forward, it will be + enabled by default. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` + environmental variable is set to `true`. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of subject_alt_names + from the ServiceEntry. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` + and `ENABLE_AUTO_SNI` environmental variables are set to `true`. + items: + type: string + type: array + type: object + required: + - address + type: object + caCertificates: + description: |- + The extra root certificates for workload-to-workload communication. + The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) + are automatically added by Istiod. + The CA certificate that signs the workload certificates is automatically added by Istio Agent. + items: + properties: + certSigners: + description: |- + when Istiod is acting as RA(registration authority) + If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers. + items: + type: string + type: array + pem: + description: The PEM data of the certificate. + type: string + spiffeBundleUrl: + description: |- + The SPIFFE bundle endpoint URL that complies to: + https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle + The endpoint should support authentication based on Web PKI: + https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki + The certificate is retrieved from the endpoint. + type: string + trustDomains: + description: |- + Optional. Specify the list of trust domains to which this trustAnchor data belongs. + If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain + and its aliases. + Note that we can have multiple trustAnchor data for a same trust_domain. + In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. + If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. + If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. + If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. + If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: At most one of [pem spiffeBundleUrl] should be + set + rule: (has(self.pem)?1:0) + (has(self.spiffeBundleUrl)?1:0) + <= 1 + type: array + certificates: + description: |- + Configure the provision of certificates. + + + Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + items: + description: "Certificate configures the provision of a + certificate and its key.\nExample 1: key and cert stored + in a secret\n```\n{ secretName: galley-cert\n\n\n\t secretNamespace: + istio-system\n\t dnsNames:\n\t - galley.istio-system.svc\n\t + \ - galley.mydomain.com\n\t}\n\n\n```\nExample 2: key + and cert stored in a directory\n```\n{ dnsNames:\n - + pilot.istio-system\n - pilot.istio-system.svc\n - pilot.mydomain.com\n + \ }\n\n\n```" + properties: + dnsNames: + description: |- + The DNS names for the certificate. A certificate may contain + multiple DNS names. + items: + type: string + type: array + secretName: + description: |- + Name of the secret the certificate and its key will be stored into. + If it is empty, it will not be stored into a secret. + Instead, the certificate and its key will be stored into a hard-coded directory. + type: string + type: object + type: array + configSources: + description: |- + ConfigSource describes a source of configuration data for networking + rules, and other Istio configuration artifacts. Multiple data sources + can be configured for a single control plane. + items: + description: |- + ConfigSource describes information about a configuration store inside a + mesh. A single control plane instance can interact with one or more data + sources. + properties: + address: + description: |- + Address of the server implementing the Istio Mesh Configuration + protocol (MCP). Can be IP address or a fully qualified DNS name. + Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or + fs:/// to specify a file-based backend with absolute path to the directory. + type: string + subscribedResources: + description: Describes the source of configuration, + if nothing is specified default is MCP + items: + description: Resource describes the source of configuration + enum: + - SERVICE_REGISTRY + type: string + type: array + tlsSettings: + description: |- + Use the tls_settings to specify the tls mode to use. If the MCP server + uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will not verify the server's certificate. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + This flag should only be set if global CA signature verification is + enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`, + but no verification is desired for a specific host. If enabled with or + without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and + SAN will be skipped. + + + `insecureSkipVerify` is `false` by default. + `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will + be `true` by default in a later version where, going forward, it will be + enabled by default. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` + environmental variable is set to `true`. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of subject_alt_names + from the ServiceEntry. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` + and `ENABLE_AUTO_SNI` environmental variables are set to `true`. + items: + type: string + type: array + type: object + type: object + type: array + connectTimeout: + description: |- + Connection timeout used by Envoy. (MUST BE >=1ms) + Default timeout is 10s. + type: string + defaultConfig: + description: |- + Default proxy config used by gateway and sidecars. + In case of Kubernetes, the proxy config is applied once during the injection process, + and remain constant for the duration of the pod. The rest of the mesh config can be changed + at runtime and config gets distributed dynamically. + On Kubernetes, this can be overridden on individual pods with the `proxy.istio.io/config` annotation. + properties: + availabilityZone: + description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' + type: string + binaryPath: + description: Path to the proxy binary + type: string + caCertificatesPem: + description: |- + The PEM data of the extra root certificates for workload-to-workload communication. + This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. + The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) + are added automatically by Istiod. + items: + type: string + type: array + concurrency: + description: |- + The number of worker threads to run. + If unset, this will be automatically determined based on CPU requests/limits. + If set to 0, all cores on the machine will be used. + Default is 2 worker threads. + format: int32 + type: integer + configPath: + description: |- + Path to the generated configuration file directory. + Proxy agent generates the actual configuration and stores it in this directory. + type: string + controlPlaneAuthPolicy: + description: |- + AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. + Default is set to `MUTUAL_TLS`. + enum: + - NONE + - MUTUAL_TLS + - INHERIT + type: string + customConfigFile: + description: |- + File path of custom proxy configuration, currently used by proxies + in front of Mixer and Pilot. + type: string + discoveryAddress: + description: |- + Address of the discovery service exposing xDS with mTLS connection. + The inject configuration may override this value. + type: string + discoveryRefreshDelay: + description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' + type: string + drainDuration: + description: |- + restart. MUST be >=1s (e.g., _1s/1m/1h_) + Default drain duration is `45s`. + type: string + envoyAccessLogService: + description: |- + Address of the service to which access logs from Envoys should be + sent. (e.g. `accesslog-service:15000`). See [Access Log + Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto) + for details about Envoy's gRPC Access Log Service API. + properties: + address: + description: |- + Address of a remove service used for various purposes (access log + receiver, metrics receiver, etc.). Can be IP address or a fully + qualified DNS name. + type: string + tcpKeepalive: + description: If set then set `SO_KEEPALIVE` on the + socket to enable TCP Keepalives. + properties: + interval: + description: |- + The time duration between keep-alive probes. + Default is to use the OS level configuration + (unless overridden, Linux defaults to 75s.) + type: string + probes: + description: |- + Maximum number of keepalive probes to send without response before + deciding the connection is dead. Default is to use the OS level configuration + (unless overridden, Linux defaults to 9.) + format: int32 + type: integer + time: + description: |- + The time duration a connection needs to be idle before keep-alive + probes start being sent. Default is to use the OS level configuration + (unless overridden, Linux defaults to 7200s (ie 2 hours.) + type: string + type: object + tlsSettings: + description: |- + Use the `tls_settings` to specify the tls mode to use. If the remote service + uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will not verify the server's certificate. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + This flag should only be set if global CA signature verification is + enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`, + but no verification is desired for a specific host. If enabled with or + without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and + SAN will be skipped. + + + `insecureSkipVerify` is `false` by default. + `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will + be `true` by default in a later version where, going forward, it will be + enabled by default. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` + environmental variable is set to `true`. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of subject_alt_names + from the ServiceEntry. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` + and `ENABLE_AUTO_SNI` environmental variables are set to `true`. + items: + type: string + type: array + type: object + type: object + envoyMetricsService: + description: |- + Address of the Envoy Metrics Service implementation (e.g. `metrics-service:15000`). + See [Metric Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto) + for details about Envoy's Metrics Service API. + properties: + address: + description: |- + Address of a remove service used for various purposes (access log + receiver, metrics receiver, etc.). Can be IP address or a fully + qualified DNS name. + type: string + tcpKeepalive: + description: If set then set `SO_KEEPALIVE` on the + socket to enable TCP Keepalives. + properties: + interval: + description: |- + The time duration between keep-alive probes. + Default is to use the OS level configuration + (unless overridden, Linux defaults to 75s.) + type: string + probes: + description: |- + Maximum number of keepalive probes to send without response before + deciding the connection is dead. Default is to use the OS level configuration + (unless overridden, Linux defaults to 9.) + format: int32 + type: integer + time: + description: |- + The time duration a connection needs to be idle before keep-alive + probes start being sent. Default is to use the OS level configuration + (unless overridden, Linux defaults to 7200s (ie 2 hours.) + type: string + type: object + tlsSettings: + description: |- + Use the `tls_settings` to specify the tls mode to use. If the remote service + uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will not verify the server's certificate. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + This flag should only be set if global CA signature verification is + enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`, + but no verification is desired for a specific host. If enabled with or + without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and + SAN will be skipped. + + + `insecureSkipVerify` is `false` by default. + `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will + be `true` by default in a later version where, going forward, it will be + enabled by default. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` + environmental variable is set to `true`. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of subject_alt_names + from the ServiceEntry. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` + and `ENABLE_AUTO_SNI` environmental variables are set to `true`. + items: + type: string + type: array + type: object + type: object + envoyMetricsServiceAddress: + description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' + type: string + extraStatTags: + description: |- + An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be + added by configuring the telemetry extension. Each additional tag needs to be present in this list. + Extra tags emitted by the telemetry extensions must be listed here so that they can be processed + and exposed as Prometheus metrics. + Deprecated: `istio.stats` is a native filter now, this field is no longer needed. + items: + type: string + type: array + gatewayTopology: + description: |- + Topology encapsulates the configuration which describes where the proxy is + located i.e. behind a (or N) trusted proxy (proxies) or directly exposed + to the internet. This configuration only effects gateways and is applied + to all the gateways in the cluster unless overridden via annotations of the + gateway workloads. + properties: + forwardClientCertDetails: + description: |- + Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) + header in the incoming request. + enum: + - UNDEFINED + - SANITIZE + - FORWARD_ONLY + - APPEND_FORWARD + - SANITIZE_SET + - ALWAYS_FORWARD_ONLY + type: string + numTrustedProxies: + description: |- + Number of trusted proxies deployed in front of the Istio gateway proxy. + When this option is set to value N greater than zero, the trusted client + address is assumed to be the Nth address from the right end of the + X-Forwarded-For (XFF) header from the incoming request. If the + X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the + gateway proxy falls back to using the immediate downstream connection's + source address as the trusted client address. + Note that the gateway proxy will append the downstream connection's source + address to the X-Forwarded-For (XFF) address and set the + X-Envoy-External-Address header to the trusted client address before + forwarding it to the upstream services in the cluster. + The default value of num_trusted_proxies is 0. + See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) + header handling for more details. + format: int32 + type: integer + proxyProtocol: + description: |- + Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for + downstream connections on a gateway. + type: object + type: object + holdApplicationUntilProxyStarts: + description: |- + Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. + This feature adds hooks to delay application startup until the pod proxy + is ready to accept traffic, mitigating some startup race conditions. + Default value is 'false'. + type: boolean + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: |- + The image type of the image. + Istio publishes default, debug, and distroless images. + Other values are allowed if those image types (example: centos) are published to the specified hub. + supported values: default, debug, distroless. + type: string + type: object + interceptionMode: + description: The mode used to redirect inbound traffic + to Envoy. + enum: + - REDIRECT + - TPROXY + - NONE + type: string + meshId: + description: |- + The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) + All control planes running in the same service mesh should specify the same mesh ID. + Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together. + type: string + privateKeyProvider: + description: Specifies the details of the Private Key + Provider configuration for gateway and sidecar proxies. + properties: + cryptomb: + description: Use CryptoMb private key provider + properties: + fallback: + description: |- + If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) + Envoy will fallback to the BoringSSL default implementation when the fallback is true. + The default value is false. + type: boolean + pollDelay: + description: |- + How long to wait until the per-thread processing queue should be processed. If the processing queue + gets full (eight sign or decrypt requests are received) it is processed immediately. + However, if the queue is not filled before the delay has expired, the requests already in the queue + are processed, even if the queue is not full. + In effect, this value controls the balance between latency and throughput. + The duration needs to be set to a value greater than or equal to 1 millisecond. + type: string + type: object + qat: + description: Use QAT private key provider + properties: + fallback: + description: |- + If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) + Envoy will fallback to the BoringSSL default implementation when the fallback is true. + The default value is false. + type: boolean + pollDelay: + description: |- + How long to wait before polling the hardware accelerator after a request has been submitted there. + Having a small value leads to quicker answers from the hardware but causes more polling loop spins, + leading to potentially larger CPU usage. + The duration needs to be set to a value greater than or equal to 1 millisecond. + type: string + type: object + type: object + x-kubernetes-validations: + - message: At most one of [cryptomb qat] should be set + rule: (has(self.cryptomb)?1:0) + (has(self.qat)?1:0) + <= 1 + proxyAdminPort: + description: |- + Port on which Envoy should listen for administrative commands. + Default port is `15000`. + format: int32 + type: integer + proxyBootstrapTemplatePath: + description: Path to the proxy bootstrap template file + type: string + proxyHeaders: + description: "Define the set of headers to add/modify + for HTTP request/responses.\n\n\nTo enable an optional + header, simply set the field. If no specific configuration + is required, an empty object (`{}`) will enable it.\nNote: + currently all headers are enabled by default.\n\n\nBelow + shows an example of customizing the `server` header + and disabling the `X-Envoy-Attempt-Count` header:\n\n\n```yaml\nproxyHeaders:\n\n\n\tserver:\n\t + \ value: \"my-custom-server\"\n\trequestId: {} // Explicitly + enable Request IDs. As this is the default, this has + no effect.\n\tattemptCount:\n\t disabled: true\n\n\n```\n\n\nSome + headers are enabled by default, and require explicitly + disabling. See below for an example of disabling all + default-enabled headers:\n\n\n```yaml\nproxyHeaders:\n\n\n\tforwardedClientCert: + SANITIZE\n\tserver:\n\t disabled: true\n\trequestId:\n\t + \ disabled: true\n\tattemptCount:\n\t disabled: true\n\tenvoyDebugHeaders:\n\t + \ disabled: true\n\tmetadataExchangeHeaders:\n\t mode: + IN_MESH\n\n\n```" + properties: + attemptCount: + description: |- + Controls the `X-Envoy-Attempt-Count` header. + If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. + If disabled, this header will not be set. If it is already present, it will be preserved. + This header is enabled by default if not configured. + properties: + disabled: + type: boolean + type: object + envoyDebugHeaders: + description: |- + Controls various `X-Envoy-*` headers, such as `X-Envoy-Overloaded` and `X-Envoy-Upstream-Service-Time. If enabled, + these headers will be included. + If disabled, these headers will not be set. If they are already present, they will be preserved. + See the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers) for more details. + These headers are enabled by default if not configured. + properties: + disabled: + type: boolean + type: object + forwardedClientCert: + description: |- + Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting. + To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is). + By default, `APPEND_FORWARD` will be used. + enum: + - UNDEFINED + - SANITIZE + - FORWARD_ONLY + - APPEND_FORWARD + - SANITIZE_SET + - ALWAYS_FORWARD_ONLY + type: string + metadataExchangeHeaders: + description: |- + Controls Istio metadata exchange headers `X-Envoy-Peer-Metadata` and `X-Envoy-Peer-Metadata-Id`. + By default, the behavior is unspecified. + If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh. + properties: + mode: + enum: + - UNDEFINED + - IN_MESH + type: string + type: object + requestId: + description: |- + Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set. + This applies to all types of traffic (inbound, outbound, and gateways). + If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. + Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. + This header is enabled by default if not configured. + properties: + disabled: + type: boolean + type: object + server: + description: |- + Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways). + If disabled, the `Server` header is not modified. If it is already present, it will be preserved. + properties: + disabled: + type: boolean + value: + description: If set, and the server header is + enabled, this value will be set as the server + header. By default, `istio-envoy` will be used. + type: string + type: object + type: object + proxyMetadata: + additionalProperties: + type: string + description: |- + Additional environment variables for the proxy. + Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server. + type: object + proxyStatsMatcher: + description: "Proxy stats matcher defines configuration + for reporting custom Envoy stats.\nTo reduce memory + and CPU overhead from Envoy stats system, Istio proxies + by\ndefault create and expose only a subset of Envoy + stats. This option is to\ncontrol creation of additional + Envoy stats with prefix, suffix, and regex\nexpressions + match on the name of the stats. This replaces the stats\ninclusion + annotations\n(`sidecar.istio.io/statsInclusionPrefixes`,\n`sidecar.istio.io/statsInclusionRegexps`, + and\n`sidecar.istio.io/statsInclusionSuffixes`). For + example, to enable stats\nfor circuit breakers, request + retries, upstream connections, and request timeouts,\nyou + can specify stats matcher as follows:\n```yaml\nproxyStatsMatcher:\n\n\n\tinclusionRegexps:\n\t + \ - .*outlier_detection.*\n\t - .*upstream_rq_retry.*\n\t + \ - .*upstream_cx_.*\n\tinclusionSuffixes:\n\t - upstream_rq_timeout\n\n\n```\nNote + including more Envoy stats might increase number of + time series\ncollected by prometheus significantly. + Care needs to be taken on Prometheus\nresource provision + and configuration to reduce cardinality." + properties: + inclusionPrefixes: + description: Proxy stats name prefix matcher for inclusion. + items: + type: string + type: array + inclusionRegexps: + description: Proxy stats name regexps matcher for + inclusion. + items: + type: string + type: array + inclusionSuffixes: + description: Proxy stats name suffix matcher for inclusion. + items: + type: string + type: array + type: object + readinessProbe: + description: |- + VM Health Checking readiness probe. This health check config exactly mirrors the + kubernetes readiness probe configuration both in schema and logic. + Only one health check method of 3 can be set at a time. + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a + GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + + If this is not specified, the default behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to + perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving + a TCP port. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + runtimeValues: + additionalProperties: + type: string + description: |- + Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping. + This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution. + type: object + sds: + description: |- + Secret Discovery Service(SDS) configuration to be used by the proxy. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto. + properties: + enabled: + description: True if SDS is enabled. + type: boolean + k8sSaJwtPath: + description: Path of k8s service account JWT path. + type: string + type: object + serviceCluster: + description: |- + Service cluster defines the name for the `service_cluster` that is + shared by all Envoy instances. This setting corresponds to + `--service-cluster` flag in Envoy. In a typical Envoy deployment, the + `service-cluster` flag is used to identify the caller, for + source-based routing scenarios. + + + Since Istio does not assign a local `service/service` version to each + Envoy instance, the name is same for all of them. However, the + source/caller's identity (e.g., IP address) is encoded in the + `--service-node` flag when launching Envoy. When the RDS service + receives API calls from Envoy, it uses the value of the `service-node` + flag to compute routes that are relative to the service instances + located at that IP address. + type: string + statNameLength: + description: |- + Maximum length of name field in Envoy's metrics. The length of the name field + is determined by the length of a name field in a service and the set of labels that + comprise a particular version of the service. The default value is set to 189 characters. + Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. + Increase the value of this field if you find that the metrics from Envoys are truncated. + format: int32 + type: integer + statsdUdpAddress: + description: IP Address and Port of a statsd UDP listener + (e.g. `10.75.241.127:9125`). + type: string + statusPort: + description: |- + Port on which the agent should listen for administrative commands such as readiness probe. + Default is set to port `15020`. + format: int32 + type: integer + terminationDrainDuration: + description: |- + The amount of time allowed for connections to complete on proxy shutdown. + On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start draining, + preventing any new connections and allowing existing connections to complete. It then + sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + If not set, a default of `5s` will be applied. + type: string + tracing: + description: Tracing configuration to be used by the proxy. + properties: + customTags: + additionalProperties: + description: |- + Configure custom tags that will be added to any active span. + Tags can be generated via literals, environment variables or an incoming request header. + properties: + environment: + description: |- + The custom tag's value should be populated from an environmental + variable + properties: + defaultValue: + description: |- + When the environment variable is not found, + the tag's value will be populated with this default value if specified, + otherwise the tag will not be populated. + type: string + name: + description: Name of the environment variable + used to populate the tag's value + type: string + type: object + header: + description: |- + The custom tag's value is populated by an http header from + an incoming request. + properties: + defaultValue: + description: |- + Default value to be used for the tag when the named HTTP header does not exist. + The tag will be skipped if no default value is provided. + type: string + name: + description: HTTP header name used to obtain + the value from to populate the tag value. + type: string + type: object + literal: + description: The custom tag's value is the specified + literal. + properties: + value: + description: Static literal value used to + populate the tag value. + type: string + type: object + type: object + x-kubernetes-validations: + - message: At most one of [literal environment header] + should be set + rule: (has(self.literal)?1:0) + (has(self.environment)?1:0) + + (has(self.header)?1:0) <= 1 + description: "and gateways).\nThe key represents the + name of the tag.\nEx:\n```yaml\ncustom_tags:\n\n\n\tnew_tag_name:\n\t + \ header:\n\t name: custom-http-header-name\n\t + \ default_value: defaulted-value-from-custom-header\n\n\n```" + type: object + datadog: + description: Use a Datadog tracer. + properties: + address: + description: Address of the Datadog Agent. + type: string + type: object + lightstep: + description: |- + Use a Lightstep tracer. + NOTE: For Istio 1.15+, this configuration option will result + in using OpenTelemetry-based Lightstep integration. + properties: + accessToken: + description: The Lightstep access token. + type: string + address: + description: Address of the Lightstep Satellite + pool. + type: string + type: object + maxPathTagLength: + description: |- + Configures the maximum length of the request path to extract and include in the + HttpUrl tag. Used to truncate length request paths to meet the needs of tracing + backend. If not set, then a length of 256 will be used. + format: int32 + type: integer + openCensusAgent: + description: Use an OpenCensus tracer exporting to + an OpenCensus agent. + properties: + address: + description: |- + gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or + unix:path). See [gRPC naming + docs](https://github.com/grpc/grpc/blob/master/doc/naming.md) for + details. + type: string + context: + description: |- + Specifies the set of context propagation headers used for distributed + tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified, + the proxy will attempt to read each header for each request and will + write all headers. + items: + description: |- + TraceContext selects the context propagation headers used for + distributed tracing. + enum: + - UNSPECIFIED + - W3C_TRACE_CONTEXT + - GRPC_BIN + - CLOUD_TRACE_CONTEXT + - B3 + type: string + type: array + type: object + sampling: + description: |- + The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, + if not requested by the client or not forced. Default is 1.0. + type: number + stackdriver: + description: Use a Stackdriver tracer. + properties: + debug: + description: debug enables trace output to stdout. + type: boolean + maxNumberOfAnnotations: + description: |- + The global default max number of annotation events per span. + default is 200. + format: int64 + type: integer + maxNumberOfAttributes: + description: |- + The global default max number of attributes per span. + default is 200. + format: int64 + type: integer + maxNumberOfMessageEvents: + description: |- + The global default max number of message events per span. + default is 200. + format: int64 + type: integer + type: object + tlsSettings: + description: |- + Use the tls_settings to specify the tls mode to use. If the remote tracing service + uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will not verify the server's certificate. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + This flag should only be set if global CA signature verification is + enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`, + but no verification is desired for a specific host. If enabled with or + without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and + SAN will be skipped. + + + `insecureSkipVerify` is `false` by default. + `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will + be `true` by default in a later version where, going forward, it will be + enabled by default. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` + environmental variable is set to `true`. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of subject_alt_names + from the ServiceEntry. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` + and `ENABLE_AUTO_SNI` environmental variables are set to `true`. + items: + type: string + type: array + type: object + zipkin: + description: Use a Zipkin tracer. + properties: + address: + description: Address of the Zipkin service (e.g. + _zipkin:9411_). + type: string + type: object + type: object + x-kubernetes-validations: + - message: At most one of [zipkin lightstep datadog stackdriver + openCensusAgent] should be set + rule: (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + + (has(self.openCensusAgent)?1:0) <= 1 + tracingServiceName: + description: |- + Used by Envoy proxies to assign the values for the service names in trace + spans. + enum: + - APP_LABEL_AND_NAMESPACE + - CANONICAL_NAME_ONLY + - CANONICAL_NAME_AND_NAMESPACE + type: string + zipkinAddress: + description: |- + Address of the Zipkin service (e.g. _zipkin:9411_). + DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto. + type: string + type: object + x-kubernetes-validations: + - message: At most one of [serviceCluster tracingServiceName] + should be set + rule: (has(self.serviceCluster)?1:0) + (has(self.tracingServiceName)?1:0) + <= 1 + defaultDestinationRuleExportTo: + description: |- + The default value for the `DestinationRule.export_to` field. Has the same + syntax as `default_service_export_to`. + + + If not set the system will use "*" as the default value which implies that + destination rules are exported to all namespaces + items: + type: string + type: array + defaultHttpRetryPolicy: + description: "Configure the default HTTP retry policy.\nThe + default number of retry attempts is set at 2 for these errors:\n\n\n\t\"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes\".\n\n\nSetting + the number of attempts to 0 disables retry policy globally.\nThis + setting can be overridden on a per-host basis using the + Virtual Service\nAPI.\nAll settings in the retry policy + except `perTryTimeout` can currently be\nconfigured globally + via this field." + properties: + attempts: + description: |- + Number of retries to be allowed for a given request. The interval + between retries will be determined automatically (25ms+). When request + `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute) + or `per_try_timeout` is configured, the actual number of retries attempted also depends on + the specified request `timeout` and `per_try_timeout` values. MUST BE >= 0. If `0`, retries will be disabled. + The maximum possible number of requests made will be 1 + `attempts`. + format: int32 + type: integer + perTryTimeout: + description: |- + Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms. + Default is same value as request + `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute), + which means no timeout. + type: string + retryOn: + description: |- + Specifies the conditions under which retry takes place. + One or more policies can be specified using a ‘,’ delimited list. + If `retry_on` specifies a valid HTTP status, it will be added to retriable_status_codes retry policy. + See the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on) + and [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on) for more details. + type: string + retryRemoteLocalities: + description: |- + Flag to specify whether the retries should retry to other localities. + See the [retry plugin configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration) for more details. + type: boolean + type: object + defaultProviders: + description: Specifies extension providers to use by default + in Istio configuration resources. + properties: + accessLogging: + description: Name of the default provider(s) for access + logging. + items: + type: string + type: array + metrics: + description: Name of the default provider(s) for metrics. + items: + type: string + type: array + tracing: + description: Name of the default provider(s) for tracing. + items: + type: string + type: array + type: object + defaultServiceExportTo: + description: |- + The default value for the ServiceEntry.export_to field and services + imported through container registry integrations, e.g. this applies to + Kubernetes Service resources. The value is a list of namespace names and + reserved namespace aliases. The allowed namespace aliases are: + ``` + * - All Namespaces + . - Current Namespace + ~ - No Namespace + ``` + If not set the system will use "*" as the default value which implies that + services are exported to all namespaces. + + + `All namespaces` is a reasonable default for implementations that don't + need to restrict access or visibility of services across namespace + boundaries. If that requirement is present it is generally good practice to + make the default `Current namespace` so that services are only visible + within their own namespaces by default. Operators can then expand the + visibility of services to other namespaces as needed. Use of `No Namespace` + is expected to be rare but can have utility for deployments where + dependency management needs to be precise even within the scope of a single + namespace. + + + For further discussion see the reference documentation for `ServiceEntry`, + `Sidecar`, and `Gateway`. + items: + type: string + type: array + defaultVirtualServiceExportTo: + description: |- + The default value for the VirtualService.export_to field. Has the same + syntax as `default_service_export_to`. + + + If not set the system will use "*" as the default value which implies that + virtual services are exported to all namespaces + items: + type: string + type: array + disableEnvoyListenerLog: + description: |- + This flag disables Envoy Listener logs. + See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log) + Istio Enables Envoy's listener access logs on "NoRoute" response flag. + Default value is `false`. + type: boolean + discoverySelectors: + description: |- + A list of Kubernetes selectors that specify the set of namespaces that Istio considers when + computing configuration updates for sidecars. This can be used to reduce Istio's computational load + by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. + If omitted, Istio will use the default behavior of processing all namespaces in the cluster. + Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. + The following example selects any namespace that matches either below: + 1. The namespace has both of these labels: `env: prod` and `region: us-east1` + 2. The namespace has label `app` equal to `cassandra` or `spark`. + ```yaml + discoverySelectors: + - matchLabels: + env: prod + region: us-east1 + - matchExpressions: + - key: app + operator: In + values: + - cassandra + - spark + + + ``` + Refer to the [Kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) + for additional detail on selector semantics. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + dnsRefreshRate: + description: |- + Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS` + Default refresh rate is `60s`. + type: string + enableAutoMtls: + description: |- + This flag is used to enable mutual `TLS` automatically for service to service communication + within the mesh, default true. + If set to true, and a given service does not have a corresponding `DestinationRule` configured, + or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side + TLS configuration appropriately. More specifically, + If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate + for mutual `TLS` to connect to upstream. + If upstream service is in plain text mode, use plain text. + If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use + mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic. + If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead. + type: boolean + enableEnvoyAccessLogService: + description: |- + This flag enables Envoy's gRPC Access Log Service. + See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto) + for details about Envoy's gRPC Access Log Service API. + Default value is `false`. + type: boolean + enablePrometheusMerge: + description: |- + If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy + and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod + and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. + This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and + `prometheus.io/path` annotations. + If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. + In this case, it is recommended to disable aggregation on that deployment with the + `prometheus.istio.io/merge-metrics: "false"` annotation. + If not specified, this will be enabled by default. + type: boolean + enableTracing: + description: |- + Flag to control generation of trace spans and request IDs. + Requires a trace span collector defined in the proxy configuration. + type: boolean + extensionProviders: + description: |- + Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy + can be used with an extension provider to delegate the authorization decision to a custom authorization system. + items: + properties: + datadog: + description: Configures a Datadog tracing provider. + properties: + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the Datadog agent. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com". + type: string + required: + - port + - service + type: object + envoyExtAuthzGrpc: + description: Configures an external authorizer that + implements the Envoy ext_authz filter authorization + check service using the gRPC API. + properties: + failOpen: + description: |- + If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, + or if the authorization service has returned a HTTP 5xx error. + Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately. + type: boolean + includeRequestBodyInCheck: + description: If set, the client request body will + be included in the authorization request sent + to the authorization service. + properties: + allowPartialMessage: + description: |- + When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. + A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message + indicating if the body data is partial. + type: boolean + maxRequestBytes: + description: |- + Sets the maximum size of a message body that the ext-authz filter will hold in memory. + If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + Otherwise the request will be sent to the provider with a partial message. + Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the + fail_open is set to true. + format: int32 + type: integer + packAsBytes: + description: |- + If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes + in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). + Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). + This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + type: boolean + type: object + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". + type: string + statusOnError: + description: |- + Sets the HTTP status that is returned to the client when there is a network error to the authorization service. + The default status is "403" (HTTP Forbidden). + type: string + timeout: + description: |- + The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). + When this timeout condition is met, the proxy marks the communication to the authorization service as failure. + In this situation, the response sent back to the client will depend on the configured `fail_open` field. + type: string + required: + - port + - service + type: object + envoyExtAuthzHttp: + description: Configures an external authorizer that + implements the Envoy ext_authz filter authorization + check service using the HTTP API. + properties: + failOpen: + description: |- + If true, the user request will be allowed even if the communication with the authorization service has failed, + or if the authorization service has returned a HTTP 5xx error. + Default is false and the request will be rejected with "Forbidden" response. + type: boolean + headersToDownstreamOnAllow: + description: |- + List of headers from the authorization service that should be forwarded to downstream when the authorization + check result is allowed (HTTP code 200). + If not specified, the original response will not be modified and forwarded to downstream as-is. + Note, any existing headers will be overridden. + + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + headersToDownstreamOnDeny: + description: |- + List of headers from the authorization service that should be forwarded to downstream when the authorization + check result is not allowed (HTTP code other than 200). + If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to + the downstream. + When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are + automatically added. + Note, the body from the authorization service is always included in the response to downstream. + + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + headersToUpstreamOnAllow: + description: |- + List of headers from the authorization service that should be added or overridden in the original request and + forwarded to the upstream when the authorization check result is allowed (HTTP code 200). + If not specified, the original request will not be modified and forwarded to backend as-is. + Note, any existing headers will be overridden. + + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + includeAdditionalHeadersInCheck: + additionalProperties: + type: string + description: |- + Set of additional fixed headers that should be included in the authorization request sent to the authorization service. + Key is the header name and value is the header value. + Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + type: object + includeHeadersInCheck: + description: |- + DEPRECATED. Use include_request_headers_in_check instead. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + items: + type: string + type: array + includeRequestBodyInCheck: + description: If set, the client request body will + be included in the authorization request sent + to the authorization service. + properties: + allowPartialMessage: + description: |- + When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. + A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message + indicating if the body data is partial. + type: boolean + maxRequestBytes: + description: |- + Sets the maximum size of a message body that the ext-authz filter will hold in memory. + If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + Otherwise the request will be sent to the provider with a partial message. + Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the + fail_open is set to true. + format: int32 + type: integer + packAsBytes: + description: |- + If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes + in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). + Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). + This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + type: boolean + type: object + includeRequestHeadersInCheck: + description: |- + List of client request headers that should be included in the authorization request sent to the authorization service. + Note that in addition to the headers specified here following headers are included by default: + 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. + 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization + request can include the buffered client request body (controlled by include_request_body_in_check setting), + consequently the value of Content-Length of the authorization request reflects the size of its payload size. + + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + pathPrefix: + description: |- + Sets a prefix to the value of authorization request header *Path*. + For example, setting this to "/check" for an original user request at path "/admin" will cause the + authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin". + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". + type: string + statusOnError: + description: |- + Sets the HTTP status that is returned to the client when there is a network error to the authorization service. + The default status is "403" (HTTP Forbidden). + type: string + timeout: + description: |- + The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). + When this timeout condition is met, the proxy marks the communication to the authorization service as failure. + In this situation, the response sent back to the client will depend on the configured `fail_open` field. + type: string + required: + - port + - service + type: object + envoyFileAccessLog: + description: Configures an Envoy File Access Log provider. + properties: + logFormat: + description: Optional. Allows overriding of the + default access log format. + properties: + labels: + additionalProperties: + type: string + description: "JSON structured format for the + envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan + be used as values for fields within the Struct. + Values are rendered\nas strings, numbers, + or boolean values, as appropriate\n(see: [format + dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). + Nested JSON is\nsupported for some command + operators (e.g. `FILTER_STATE` or `DYNAMIC_METADATA`).\nUse + `labels: {}` for default envoy JSON log format.\n\n\nExample:\n```\nlabels:\n\n\n\tstatus: + \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n\n```" + type: object + text: + description: |- + Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be + used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + + + NOTE: Istio will insert a newline ('\n') on all formats (if missing). + + + Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` + type: string + type: object + x-kubernetes-validations: + - message: At most one of [text labels] should be + set + rule: (has(self.text)?1:0) + (has(self.labels)?1:0) + <= 1 + path: + description: |- + Path to a local file to write the access log entries. + This may be used to write to streams, via `/dev/stderr` and `/dev/stdout` + If unspecified, defaults to `/dev/stdout`. + type: string + type: object + envoyHttpAls: + description: Configures an Envoy Access Logging Service + provider for HTTP traffic. + properties: + additionalRequestHeadersToLog: + description: Optional. Additional request headers + to log. + items: + type: string + type: array + additionalResponseHeadersToLog: + description: Optional. Additional response headers + to log. + items: + type: string + type: array + additionalResponseTrailersToLog: + description: Optional. Additional response trailers + to log. + items: + type: string + type: array + filterStateObjectsToLog: + description: Optional. Additional filter state objects + to log. + items: + type: string + type: array + logName: + description: |- + Optional. The friendly name of the access log. + Defaults: + - "http_envoy_accesslog" + - "listener_envoy_accesslog" + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". + type: string + required: + - port + - service + type: object + envoyOtelAls: + description: Configures an Envoy Open Telemetry Access + Logging Service provider. + properties: + logFormat: + description: |- + Optional. Format for the proxy access log + Empty value results in proxy's default access log format, following Envoy access logging formatting. + properties: + labels: + additionalProperties: + type: string + description: "Optional. Additional attributes + that describe the specific event occurrence.\nStructured + format for the envoy access logs. Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan + be used as values for fields within the Struct. + Values are rendered\nas strings, numbers, + or boolean values, as appropriate\n(see: [format + dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). + Nested JSON is\nsupported for some command + operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias + to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\n\nExample:\n```\nlabels:\n\n\n\tstatus: + \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n\n```" + type: object + text: + description: |- + Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be + used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` + type: string + type: object + logName: + description: |- + Optional. The friendly name of the access log. + Defaults: + - "otel_envoy_accesslog" + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". + type: string + required: + - port + - service + type: object + envoyTcpAls: + description: Configures an Envoy Access Logging Service + provider for TCP traffic. + properties: + filterStateObjectsToLog: + description: Optional. Additional filter state objects + to log. + items: + type: string + type: array + logName: + description: |- + Optional. The friendly name of the access log. + Defaults: + - "tcp_envoy_accesslog" + - "listener_envoy_accesslog" + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". + type: string + required: + - port + - service + type: object + lightstep: + description: |- + Configures a Lightstep tracing provider. + Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027 + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + properties: + accessToken: + description: The Lightstep access token. + type: string + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the Lightstep collector. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com". + type: string + required: + - port + - service + type: object + name: + description: REQUIRED. A unique name identifying the + extension provider. + type: string + opencensus: + description: |- + Configures an OpenCensusAgent tracing provider. + Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/ + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + properties: + context: + description: |- + Specifies the set of context propagation headers used for distributed + tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified, + the proxy will attempt to read each header for each request and will + write all headers. + items: + description: |- + TraceContext selects the context propagation headers used for + distributed tracing. + enum: + - UNSPECIFIED + - W3C_TRACE_CONTEXT + - GRPC_BIN + - CLOUD_TRACE_CONTEXT + - B3 + type: string + type: array + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the OpenCensusAgent. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com". + type: string + required: + - port + - service + type: object + opentelemetry: + description: Configures an OpenTelemetry tracing provider. + properties: + http: + description: "Optional. Specifies the configuration + for exporting OTLP traces via HTTP.\nWhen empty, + traces will be exported via gRPC.\n\n\nThe following + example shows how to configure the OpenTelemetry + ExtensionProvider to export via HTTP:\n\n\n1. + Add/change the OpenTelemetry extension provider + in `MeshConfig`\n```yaml\n - name: otel-tracing\n + \ opentelemetry:\n port: 443\n service: + my.olly-backend.com\n http:\n path: \"/api/otlp/traces\"\n + \ timeout: 10s\n headers:\n - name: \"my-custom-header\"\n + \ value: \"some value\"\n\n\n```\n\n\n2. Deploy + a `ServiceEntry` for the observability back-end\n```yaml\napiVersion: + networking.istio.io/v1alpha3\nkind: ServiceEntry\nmetadata:\n\n\n\tname: + my-olly-backend\n\n\nspec:\n\n\n\thosts:\n\t- + my.olly-backend.com\n\tports:\n\t- number: 443\n\t + \ name: https-port\n\t protocol: HTTPS\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n\n---\napiVersion: + networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n\n\n\tname: + my-olly-backend\n\n\nspec:\n\n\n\thost: my.olly-backend.com\n\ttrafficPolicy:\n\t + \ portLevelSettings:\n\t - port:\n\t number: + 443\n\t tls:\n\t mode: SIMPLE\n\n\n```" + properties: + headers: + description: |- + Optional. Allows specifying custom HTTP headers that will be added + to each HTTP request sent. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + path: + description: REQUIRED. Specifies the path on + the service. + type: string + timeout: + description: |- + Optional. Specifies the timeout for the HTTP request. + If not specified, the default is 3s. + type: string + required: + - path + type: object + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + resourceDetectors: + description: |- + Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) + to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged + according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). + + + The following example shows how to configure the Environment Resource Detector, that will + read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`: + + + ```yaml + - name: otel-tracing + opentelemetry: + port: 443 + service: my.olly-backend.com + resource_detectors: + environment: {} + + + ``` + properties: + dynatrace: + description: |- + Dynatrace Resource Detector. + The resource detector reads from the Dynatrace enrichment files + and adds host/process related attributes to the OpenTelemetry resource. + + + See: [Enrich ingested data with Dynatrace-specific dimensions](https://docs.dynatrace.com/docs/shortlink/enrichment-files) + type: object + environment: + description: |- + OpenTelemetry Environment Resource Detector. + The resource detector reads attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES` + and adds them to the OpenTelemetry resource. + + + See: [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable) + type: object + type: object + service: + description: |- + REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com". + type: string + required: + - port + - service + type: object + prometheus: + description: Configures a Prometheus metrics provider. + type: object + skywalking: + description: Configures a Apache SkyWalking provider. + properties: + accessToken: + description: Optional. The SkyWalking OAP access + token. + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the SkyWalking receiver. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com". + type: string + required: + - port + - service + type: object + stackdriver: + description: Configures a Stackdriver provider. + properties: + debug: + description: |- + debug enables trace output to stdout. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + type: boolean + logging: + description: Optional. Controls Stackdriver logging + behavior. + properties: + labels: + additionalProperties: + type: string + description: "Collection of tag names and tag + expressions to include in the log\nentry. + Conflicts are resolved by the tag name by + overriding previously\nsupplied values.\n\n\nExample:\n\n\n\tlabels:\n\t + \ path: request.url_path\n\t foo: request.headers['x-foo']" + type: object + type: object + maxNumberOfAnnotations: + description: |- + The global default max number of annotation events per span. + default is 200. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + format: int64 + type: integer + maxNumberOfAttributes: + description: |- + The global default max number of attributes per span. + default is 200. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + format: int64 + type: integer + maxNumberOfMessageEvents: + description: |- + The global default max number of message events per span. + default is 200. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + format: int64 + type: integer + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + type: object + zipkin: + description: Configures a tracing provider that uses + the Zipkin API. + properties: + enable64bitTraceId: + description: |- + Optional. A 128 bit trace id will be used in Istio. + If true, will result in a 64 bit trace id being used. + type: boolean + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that the Zipkin API. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + + Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com". + type: string + required: + - port + - service + type: object + required: + - name + type: object + x-kubernetes-validations: + - message: At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc + zipkin lightstep datadog stackdriver opencensus skywalking + opentelemetry prometheus envoyFileAccessLog envoyHttpAls + envoyTcpAls envoyOtelAls] should be set + rule: (has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0) + + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0) + + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0) + + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0) + + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0) + <= 1 + maxItems: 1000 + type: array + h2UpgradePolicy: + description: |- + Specify if http1.1 connections should be upgraded to http2 by default. + if sidecar is installed on all pods in the mesh, then this should be set to `UPGRADE`. + If one or more services or namespaces do not have sidecar(s), then this should be set to `DO_NOT_UPGRADE`. + It can be enabled by destination using the `destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy` override. + enum: + - DO_NOT_UPGRADE + - UPGRADE + type: string + inboundClusterStatName: + description: |- + Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for + network filters like TCP and Redis. + By default, Istio emits statistics with the pattern `inbound|||`. + For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern. + + + A Pattern can be composed of various pre-defined variables. The following variables are supported. + + + - `%SERVICE%` - Will be substituted with name of the service. + - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. + - `%SERVICE_PORT%` - Will be substituted with port of the service. + - `%TARGET_PORT%` - Will be substituted with the target port of the service. + - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. + + + Following are some examples of supported patterns for reviews: + + + - `%SERVICE_FQDN%_%SERVICE_PORT%` will use reviews.prod.svc.cluster.local_7443 as the stats name. + - `%SERVICE%` will use reviews.prod as the stats name. + type: string + inboundTrafficPolicy: + description: |- + Set the default behavior of the sidecar for handling inbound + traffic to the application. If your application listens on + localhost, you will need to set this to `LOCALHOST`. + properties: + mode: + enum: + - PASSTHROUGH + - LOCALHOST + type: string + type: object + ingressClass: + description: |- + Class of ingress resources to be processed by Istio ingress + controller. This corresponds to the value of + `kubernetes.io/ingress.class` annotation. + type: string + ingressControllerMode: + description: |- + Defines whether to use Istio ingress controller for annotated or all ingress resources. + Default mode is `STRICT`. + enum: + - UNSPECIFIED + - "OFF" + - DEFAULT + - STRICT + type: string + ingressSelector: + description: |- + Defines which gateway deployment to use as the Ingress controller. This field corresponds to + the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. + By default, `ingressgateway` is used, which will select the default IngressGateway as it has the + `istio: ingressgateway` labels. + It is recommended that this is the same value as ingress_service. + type: string + ingressService: + description: |- + Name of the Kubernetes service used for the istio ingress controller. + If no ingress controller is specified, the default value `istio-ingressgateway` is used. + type: string + localityLbSetting: + description: |- + Locality based load balancing distribution or failover settings. + If unspecified, locality based load balancing will be enabled by default. + However, this requires outlierDetection to actually take effect for a particular + service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/ + properties: + distribute: + description: |- + Optional: only one of distribute, failover or failoverPriority can be set. + Explicitly specify loadbalancing weight across different zones and geographical locations. + Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) + If empty, the locality weight is set according to the endpoints number within it. + items: + description: |- + Describes how traffic originating in the 'from' zone or sub-zone is + distributed over a set of 'to' zones. Syntax for specifying a zone is + {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any + segment of the specification. Examples: + + + `*` - matches all localities + + + `us-west/*` - all zones and sub-zones within the us-west region + + + `us-west/zone-1/*` - all sub-zones within us-west/zone-1 + properties: + from: + description: Originating locality, '/' separated, + e.g. 'region/zone/sub_zone'. + type: string + to: + additionalProperties: + format: int32 + type: integer + description: |- + Map of upstream localities to traffic distribution weights. The sum of + all weights should be 100. Any locality not present will + receive no traffic. + type: object + type: object + type: array + enabled: + description: |- + enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is. + type: boolean + failover: + description: |- + Optional: only one of distribute, failover or failoverPriority can be set. + Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. + Should be used together with OutlierDetection to detect unhealthy endpoints. + Note: if no OutlierDetection specified, this will not take effect. + items: + description: |- + Specify the traffic failover policy across regions. Since zone and sub-zone + failover is supported by default this only needs to be specified for + regions when the operator needs to constrain traffic failover so that + the default behavior of failing over to any endpoint globally does not + apply. This is useful when failing over traffic across regions would not + improve service health or may need to be restricted for other reasons + like regulatory controls. + properties: + from: + description: Originating region. + type: string + to: + description: |- + Destination region the traffic will fail over to when endpoints in + the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: |- + failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + This is to support traffic failover across different groups of endpoints. + Two kinds of labels can be specified: + + + - Specify only label keys `[key1, key2, key3]`, istio would compare the label values of client with endpoints. + Suppose there are total N label keys `[key1, key2, key3, ...keyN]` specified: + + + 1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority. + 2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority. + 3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority. + 4. All the other endpoints have priority P(N) i.e. lowest priority. + + + - Specify labels with key and value `[key1=value1, key2=value2, key3=value3]`, istio would compare the labels with endpoints. + Suppose there are total N labels `[key1=value1, key2=value2, key3=value3, ...keyN=valueN]` specified: + + + 1. Endpoints matching all N labels have priority P(0) i.e. the highest priority. + 2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority. + 3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority. + 4. All the other endpoints have priority P(N) i.e. lowest priority. + + + Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match. + + + It can be any label specified on both client and server workloads. + The following labels which have special semantic meaning are also supported: + + + - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks. + - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`. + - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`. + - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`. + - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`. + + + The below topology config indicates the following priority levels: + + + ```yaml + failoverPriority: + - "topology.istio.io/network" + - "topology.kubernetes.io/region" + - "topology.kubernetes.io/zone" + - "topology.istio.io/subzone" + ``` + + + 1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority. + 2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority. + 3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority. + 4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority. + 5. all the other endpoints have the same lowest priority. + + + Suppose a service associated endpoints reside in multi clusters, the below example represents: + 1. endpoints in `clusterA` and has `version=v1` label have P(0) priority. + 2. endpoints not in `clusterA` but has `version=v1` label have P(1) priority. + 2. all the other endpoints have P(2) priority. + + + ```yaml + failoverPriority: + - "version=v1" + - "topology.istio.io/cluster=clusterA" + ``` + + + Optional: only one of distribute, failover or failoverPriority can be set. + And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect. + items: + type: string + type: array + type: object + meshMTLS: + description: "The below configuration parameters can be used + to specify TLSConfig for mesh traffic.\nFor example, a user + could enable min TLS version for ISTIO_MUTUAL traffic and + specify a curve for non ISTIO_MUTUAL traffic like below:\n```yaml\nmeshConfig:\n\n\n\tmeshMTLS:\n\t + \ minProtocolVersion: TLSV1_3\n\ttlsDefaults:\n\t Note: + applicable only for non ISTIO_MUTUAL scenarios\n\t ecdhCurves:\n\t + \ - P-256\n\t - P-512\n\n\n```\nConfiguration of mTLS + for traffic between workloads with ISTIO_MUTUAL TLS traffic.\n\n\nNote: + Mesh mTLS does not respect ECDH curves." + properties: + cipherSuites: + description: |- + Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. + If not specified, the following cipher suites will be used: + ``` + ECDHE-ECDSA-AES256-GCM-SHA384 + ECDHE-RSA-AES256-GCM-SHA384 + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + AES256-GCM-SHA384 + AES128-GCM-SHA256 + ``` + items: + type: string + type: array + ecdhCurves: + description: |- + Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. + If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to + [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto). + items: + type: string + type: array + minProtocolVersion: + description: |- + Optional: the minimum TLS protocol version. The default minimum + TLS version will be TLS 1.2. As servers may not be Envoy and be + set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the + minimum TLS version for clients may also be TLS 1.2. + In the current Istio implementation, the maximum TLS protocol version + is TLS 1.3. + enum: + - TLS_AUTO + - TLSV1_2 + - TLSV1_3 + type: string + type: object + outboundClusterStatName: + description: |- + Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for + network filters like TCP and Redis. + By default, Istio emits statistics with the pattern `outbound|||`. + For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern. + + + A Pattern can be composed of various pre-defined variables. The following variables are supported. + + + - `%SERVICE%` - Will be substituted with name of the service. + - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. + - `%SERVICE_PORT%` - Will be substituted with port of the service. + - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. + - `%SUBSET_NAME%` - Will be substituted with subset. + + + Following are some examples of supported patterns for reviews: + + + - `%SERVICE_FQDN%_%SERVICE_PORT%` will use `reviews.prod.svc.cluster.local_7443` as the stats name. + - `%SERVICE%` will use reviews.prod as the stats name. + type: string + outboundTrafficPolicy: + description: |- + Set the default behavior of the sidecar for handling outbound + traffic from the application. If your application uses one or + more external services that are not known apriori, setting the + policy to `ALLOW_ANY` will cause the sidecars to route any unknown + traffic originating from the application to its requested + destination. Users are strongly encouraged to use ServiceEntries + to explicitly declare any external dependencies, instead of using + `ALLOW_ANY`, so that traffic to these services can be + monitored. Can be overridden at a Sidecar level by setting the + `OutboundTrafficPolicy` in the [Sidecar + API](https://istio.io/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy). + Default mode is `ALLOW_ANY` which means outbound traffic to unknown destinations will be allowed. + properties: + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + pathNormalization: + description: |- + ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are + normalized by the sidecars and gateways. + The normalized paths will be used in all aspects through the requests' lifetime on the + sidecars and gateways, which includes routing decisions in outbound direction (client proxy), + authorization policy match and enforcement in inbound direction (server proxy), and the URL + path proxied to the upstream service. + If not set, the NormalizationType.DEFAULT configuration will be used. + properties: + normalization: + enum: + - DEFAULT + - NONE + - BASE + - MERGE_SLASHES + - DECODE_AND_MERGE_SLASHES + type: string + type: object + protocolDetectionTimeout: + description: |- + Automatic protocol detection uses a set of heuristics to + determine whether the connection is using TLS or not (on the + server side), as well as the application protocol being used + (e.g., http vs tcp). These heuristics rely on the client sending + the first bits of data. For server first protocols like MySQL, + MongoDB, etc. Envoy will timeout on the protocol detection after + the specified period, defaulting to non mTLS plain TCP + traffic. Set this field to tweak the period that Envoy will wait + for the client to send the first bits of data. (MUST BE >=1ms or + 0s to disable). Default detection timeout is 0s (no timeout). + + + Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit + occasionally, and when they occur the result is typically broken traffic that may not + recover on its own. Exceptionally high values might solve this, but injecting 60s delays + onto new connections is generally not tenable anyways. + type: string + proxyHttpPort: + description: Port on which Envoy should listen for HTTP PROXY + requests if set. + format: int32 + type: integer + proxyInboundListenPort: + description: |- + Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to. + Default port is 15006. + format: int32 + type: integer + proxyListenPort: + description: |- + Port on which Envoy should listen for all outbound traffic to other services. + Default port is 15001. + format: int32 + type: integer + rootNamespace: + description: |- + The namespace to treat as the administrative root namespace for + Istio configuration. When processing a leaf namespace Istio will search for + declarations in that namespace first and if none are found it will + search in the root namespace. Any matching declaration found in the root + namespace is processed as if it were declared in the leaf namespace. + + + The precise semantics of this processing are documented on each resource + type. + type: string + serviceSettings: + description: Settings to be applied to select services. + items: + description: |- + Settings to be applied to select services. + + + For example, the following configures all services in namespace "foo" as well as the + "bar" service in namespace "baz" to be considered cluster-local: + + + ```yaml + serviceSettings: + - settings: + cluster_local: true + hosts: + - "*.foo.svc.cluster.local" + - "bar.baz.svc.cluster.local" + + + ``` + properties: + hosts: + description: |- + The services to which the Settings should be applied. Services are selected using the hostname + matching rules used by DestinationRule. + + + For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local + items: + type: string + type: array + settings: + description: The settings to apply to the selected services. + properties: + clusterLocal: + description: |- + If true, specifies that the client and service endpoints must reside in the same cluster. + By default, in multi-cluster deployments, the Istio control plane assumes all service + endpoints to be reachable from any client in any of the clusters which are part of the + mesh. This configuration option limits the set of service endpoints visible to a client + to be cluster scoped. + + + There are some common scenarios when this can be useful: + + + - A service (or group of services) is inherently local to the cluster and has local storage + for that cluster. For example, the kube-system namespace (e.g. the Kube API Server). + - A mesh administrator wants to slowly migrate services to Istio. They might start by first + having services cluster-local and then slowly transition them to mesh-wide. They could do + this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group + (e.g. *.myns.svc.cluster.local). + + + By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all + services in the kube-system namespace to be cluster-local, unless explicitly overridden here. + type: boolean + type: object + type: object + type: array + tcpKeepalive: + description: If set then set `SO_KEEPALIVE` on the socket + to enable TCP Keepalives. + properties: + interval: + description: |- + The time duration between keep-alive probes. + Default is to use the OS level configuration + (unless overridden, Linux defaults to 75s.) + type: string + probes: + description: |- + Maximum number of keepalive probes to send without response before + deciding the connection is dead. Default is to use the OS level configuration + (unless overridden, Linux defaults to 9.) + format: int32 + type: integer + time: + description: |- + The time duration a connection needs to be idle before keep-alive + probes start being sent. Default is to use the OS level configuration + (unless overridden, Linux defaults to 7200s (ie 2 hours.) + type: string + type: object + tlsDefaults: + description: |- + Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. + Currently, this supports configuration of ecdh_curves and cipher_suites only. + For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. + properties: + cipherSuites: + description: |- + Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. + If not specified, the following cipher suites will be used: + ``` + ECDHE-ECDSA-AES256-GCM-SHA384 + ECDHE-RSA-AES256-GCM-SHA384 + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + AES256-GCM-SHA384 + AES128-GCM-SHA256 + ``` + items: + type: string + type: array + ecdhCurves: + description: |- + Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. + If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to + [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto). + items: + type: string + type: array + minProtocolVersion: + description: |- + Optional: the minimum TLS protocol version. The default minimum + TLS version will be TLS 1.2. As servers may not be Envoy and be + set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the + minimum TLS version for clients may also be TLS 1.2. + In the current Istio implementation, the maximum TLS protocol version + is TLS 1.3. + enum: + - TLS_AUTO + - TLSV1_2 + - TLSV1_3 + type: string + type: object + trustDomain: + description: |- + The trust domain corresponds to the trust root of a system. + Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain) + type: string + trustDomainAliases: + description: |- + The trust domain aliases represent the aliases of `trust_domain`. + For example, if we have + ```yaml + trustDomain: td1 + trustDomainAliases: ["td2", "td3"] + ``` + Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, + or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh. + items: + type: string + type: array + verifyCertificateAtClient: + description: |- + `VerifyCertificateAtClient` sets the mesh global default for peer certificate validation + at the client-side proxy when `SIMPLE` TLS or `MUTUAL` TLS (non `ISTIO_MUTUAL`) origination + modes are used. This setting can be overridden at the host level via DestinationRule API. + By default, `VerifyCertificateAtClient` is `true`. + + + `CaCertificates`: If set, proxy verifies CA signature based on given CaCertificates. If unset, + and VerifyCertificateAtClient is true, proxy uses default System CA bundle. If unset and + `VerifyCertificateAtClient` is false, proxy will not verify the CA. + + + `SubjectAltNames`: If set, proxy verifies subject alt names are present in the SAN. If unset, + and `VerifyCertificateAtClient` is true, proxy uses host in destination rule to verify the SANs. + If unset, and `VerifyCertificateAtClient` is false, proxy does not verify SANs. + + + For SAN, client-side proxy will exact match host in `DestinationRule` as well as one level + wildcard if the specified host in DestinationRule doesn't contain a wildcard. + For example, if the host in `DestinationRule` is `x.y.com`, client-side proxy will + match either `x.y.com` or `*.y.com` for the SAN in the presented server certificate. + For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example, + if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches + “.x.y.com` suffix. + + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + type: boolean + type: object + pilot: + description: Configuration for the Pilot component. + properties: + affinity: + description: K8s affinity to set on the Pilot Pods. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + autoscaleBehavior: + description: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + properties: + scaleDown: + description: |- + scaleDown is scaling policy for scaling Down. + If not set, the default value is to allow to scale down to minReplicas pods, with a + 300 second stabilization window (i.e., the highest recommendation for + the last 300sec is used). + properties: + policies: + description: |- + policies is a list of potential scaling polices which can be used during scaling. + At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: |- + periodSeconds specifies the window of time for which the policy should hold true. + PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: type is used to specify the scaling + policy. + type: string + value: + description: |- + value contains the amount of change which is permitted by the policy. + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: |- + selectPolicy is used to specify which policy should be used. + If not set, the default value Max is used. + type: string + stabilizationWindowSeconds: + description: |- + stabilizationWindowSeconds is the number of seconds for which past recommendations should be + considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). + If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + format: int32 + type: integer + type: object + scaleUp: + description: |- + scaleUp is scaling policy for scaling Up. + If not set, the default value is the higher of: + * increase no more than 4 pods per 60 seconds + * double the number of pods per 60 seconds + No stabilization is used. + properties: + policies: + description: |- + policies is a list of potential scaling polices which can be used during scaling. + At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: |- + periodSeconds specifies the window of time for which the policy should hold true. + PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: type is used to specify the scaling + policy. + type: string + value: + description: |- + value contains the amount of change which is permitted by the policy. + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: |- + selectPolicy is used to specify which policy should be used. + If not set, the default value Max is used. + type: string + stabilizationWindowSeconds: + description: |- + stabilizationWindowSeconds is the number of seconds for which past recommendations should be + considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). + If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + format: int32 + type: integer + type: object + type: object + autoscaleEnabled: + description: Controls whether a HorizontalPodAutoscaler is + installed for Pilot. + type: boolean + autoscaleMax: + description: Maximum number of replicas in the HorizontalPodAutoscaler + for Pilot. + format: int32 + type: integer + autoscaleMin: + description: Minimum number of replicas in the HorizontalPodAutoscaler + for Pilot. + format: int32 + type: integer + cni: + description: Configures whether to use an existing CNI installation + for workloads + properties: + chained: + description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + type: boolean + enabled: + description: Controls whether CNI should be used. + type: boolean + provider: + description: |- + Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an annotation + `k8s.v1.cni.cncf.io/networks` is set on injected pods to point to a NetworkAttachmentDefinition + type: string + type: object + configMap: + description: |- + Configuration settings passed to Pilot as a ConfigMap. + + + This controls whether the mesh config map, generated from values.yaml is generated. + If false, pilot wil use default values or user-supplied values, in that order of preference. + type: boolean + configNamespace: + description: Namespace that the configuration management feature + is installed into, if different from Pilot namespace. + type: string + configSource: + description: |- + ConfigSource describes a source of configuration data for networking + rules, and other Istio configuration artifacts. Multiple data sources + can be configured for a single control plane. + properties: + subscribedResources: + description: Describes the source of configuration, if + nothing is specified default is MCP. + items: + type: string + type: array + type: object + cpu: + description: |- + Target CPU utilization used in HorizontalPodAutoscaler. + + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + targetAverageUtilization: + description: |- + K8s utilization setting for HorizontalPodAutoscaler target. + + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + format: int32 + type: integer + type: object + deploymentLabels: + additionalProperties: + type: string + description: |- + Labels that are added to Pilot deployment. + + + See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + enableProtocolSniffingForInbound: + description: |- + Specifies whether protocol sniffing is enabled for inbound traffic. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: boolean + enableProtocolSniffingForOutbound: + description: |- + Specifies whether protocol sniffing is enabled for outbound traffic. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: boolean + enabled: + description: Controls whether Pilot is enabled. + type: boolean + env: + additionalProperties: + type: string + description: "Environment variables passed to the Pilot container.\n\n\nExamples:\nenv:\n\n\n\tENV_VAR_1: + value1\n\tENV_VAR_2: value2" + type: object + extraContainerArgs: + description: Additional container arguments for the Pilot + container. + items: + type: string + type: array + hub: + description: Hub to pull the container image from. Image will + be `Hub/Image:Tag-Variant`. + type: string + image: + description: |- + Image name used for Pilot. + + + This can be set either to image name if hub is also set, or can be set to the full hub:name string. + + + Examples: custom-pilot, docker.io/someuser:custom-pilot + type: string + ipFamilies: + description: |- + Defines which IP family to use for single stack or the order of IP families for dual-stack. + Valid list items are "IPv4", "IPv6". + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + items: + type: string + type: array + ipFamilyPolicy: + description: |- + Controls whether Services are configured to use IPv4, IPv6, or both. Valid options + are PreferDualStack, RequireDualStack, and SingleStack. + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + type: string + jwksResolverExtraRootCA: + description: |- + Specifies an extra root certificate in PEM format. This certificate will be trusted + by pilot when resolving JWKS URIs. + type: string + keepaliveMaxServerConnectionAge: + description: |- + Maximum duration that a sidecar can be connected to a pilot. + + + This setting balances out load across pilot instances, but adds some resource overhead. + + + Examples: 300s, 30m, 1h + type: string + memory: + description: |- + Target memory utilization used in HorizontalPodAutoscaler. + + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + targetAverageUtilization: + description: |- + K8s utilization setting for HorizontalPodAutoscaler target. + + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + format: int32 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + K8s node selector. + + + See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: object + podAnnotations: + additionalProperties: + type: string + description: |- + K8s annotations for pods. + + + See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: object + podLabels: + additionalProperties: + type: string + description: |- + Labels that are added to Pilot pods. + + + See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + replicaCount: + description: |- + Number of replicas in the Pilot Deployment. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + format: int32 + type: integer + resources: + description: |- + K8s resources settings. + + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + rollingMaxSurge: + anyOf: + - type: integer + - type: string + description: |- + K8s rolling update strategy + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + x-kubernetes-int-or-string: true + rollingMaxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The number of pods that can be unavailable during a rolling update (see + `strategy.rollingUpdate.maxUnavailable` here: + https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). + May be specified as a number of pods or as a percent of the total number + of pods at the start of the update. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + x-kubernetes-int-or-string: true + seccompProfile: + description: |- + The seccompProfile for the Pilot container. + + + See: https://kubernetes.io/docs/tutorials/security/seccomp/ + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + serviceAnnotations: + additionalProperties: + type: string + description: |- + K8s annotations for the Service. + + + See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + type: object + tag: + anyOf: + - type: integer + - type: string + description: The container image tag to pull. Image will be + `Hub/Image:Tag-Variant`. + x-kubernetes-int-or-string: true + tolerations: + description: |- + The node tolerations to be applied to the Pilot deployment so that it can be + scheduled to particular nodes with matching taints. + More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: The k8s topologySpreadConstraints for the Pilot + pods. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + traceSampling: + description: |- + Trace sampling fraction. + + + Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead. + + + Allowed values: 0.0 to 1.0 + type: number + useMCP: + description: |- + Controls whether Pilot is configured through the Mesh Control Protocol (MCP). + + + If set to true, Pilot requires an MCP server (like Galley) to be installed. + type: boolean + variant: + description: The container image variant to pull. Options + are "debug" or "distroless". Unset will use the default + for the given version. + type: string + volumeMounts: + description: Additional volumeMounts to add to the Pilot container. + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + + If ReadOnly is false, this field has no meaning and must be unspecified. + + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: Additional volumes to add to the Pilot Pod. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data Disk + mount on the host and bind mount to the pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk + in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in + the blob storage + type: string + fsType: + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure + managed data disk (only in managed availability + set). defaults to shared' + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount on the + host that shares a pod's lifetime + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default + is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about + the pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field + properties: + fieldRef: + description: 'Required: Selects a field of + the pod: only annotations, labels, name, + namespace and uid are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass + will be applied to the claim but it's not allowed to reset this field to empty string once it is set. + If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass + will be set by the persistentvolume controller if it exists. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and then + exposed to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + properties: + driver: + description: driver is the name of the driver to + use for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the + specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md + properties: + endpoints: + description: |- + endpoints is the endpoint name that details Glusterfs topology. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- + TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not + mount host directories as read/write. + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://examples.k8s.io/volumes/iscsi/README.md + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon + Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: sources is the list of volume projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the + configMap data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about + the downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only annotations, + labels, name, namespace and uid + are supported.' + properties: + apiVersion: + description: Version of the + schema the FieldPath is written + in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field + to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file + to be created. Must not be absolute + or contain the ''..'' path. Must + be utf-8 encoded. The first item + of the relative path must not + start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: + required for volumes, optional + for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + secret: + description: secret information about the + secret data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: quobyte represents a Quobyte mount on the + host that shares a pod's lifetime + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem from compromising the machine + type: string + image: + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the + ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the + ScaleIO Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL + communication with Gateway, default false + type: boolean + storageMode: + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the + Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: storageOS represents a StorageOS volume + attached and mounted on Kubernetes nodes. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + TODO: Add other useful fields. apiVersion, kind, uid? + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere volume + attached and mounted on kubelets host machine + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy + Based Management (SPBM) profile ID associated + with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + type: object + profile: + description: Specifies which installation configuration profile + to apply. + type: string + revision: + description: Identifies the revision this installation is associated + with. + type: string + revisionTags: + description: |- + Specifies the aliases for the Istio control plane revision. A MutatingWebhookConfiguration + is created for each alias. + items: + type: string + type: array + sidecarInjectorWebhook: + description: Configuration for the sidecar injector webhook. + properties: + alwaysInjectSelector: + description: See NeverInjectSelector. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + defaultTemplates: + description: 'defaultTemplates: ["sidecar", "hello"]' + items: + type: string + type: array + enableNamespacesByDefault: + description: Enables sidecar auto-injection in namespaces + by default. + type: boolean + injectedAnnotations: + additionalProperties: + type: string + description: |- + injectedAnnotations are additional annotations that will be added to the pod spec after injection + This is primarily to support PSP annotations. + type: object + injectionURL: + description: Configure the injection url for sidecar injector + webhook + type: string + neverInjectSelector: + description: |- + Instructs Istio to not inject the sidecar on those pods, based on labels that are present in those pods. + + + Annotations in the pods have higher precedence than the label selectors. + Order of evaluation: Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy. + See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + reinvocationPolicy: + description: 'Setting this to `IfNeeded` will result in the + sidecar injector being run again if additional mutations + occur. Default: Never' + type: string + rewriteAppHTTPProbe: + description: If true, webhook or istioctl injector will rewrite + PodSpec for liveness health check to redirect request to + sidecar. This makes liveness check work even when mTLS is + enabled. + type: boolean + templates: + additionalProperties: + type: string + description: "Templates defines a set of custom injection + templates that can be used. For example, defining:\n\n\ntemplates:\n\n\n\thello: + |\n\t metadata:\n\t labels:\n\t hello: world\n\n\nThen + starting a pod with the `inject.istio.io/templates: hello` + annotation, will result in the pod\nbeing injected with + the hello=world labels.\nThis is intended for advanced configuration + only; most users should use the built in template" + type: object + useLegacySelectors: + description: |- + If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook + requests in Istiod, rather than at the webhook selection level. + This is option is intended for migration purposes only and will be removed in Istio 1.10. + + + Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + type: boolean + type: object + telemetry: + description: Controls whether telemetry is exported for Pilot. + properties: + enabled: + description: Controls whether telemetry is exported for Pilot. + type: boolean + v2: + description: Configuration for Telemetry v2. + properties: + enabled: + description: Controls whether pilot will configure telemetry + v2. + type: boolean + prometheus: + description: Telemetry v2 settings for prometheus. + properties: + enabled: + description: Controls whether stats envoyfilter would + be enabled or not. + type: boolean + type: object + stackdriver: + description: Telemetry v2 settings for stackdriver. + properties: + enabled: + type: boolean + type: object + type: object + type: object + type: object + version: + default: v1.22.3 + description: |- + Defines the version of Istio to install. + Must be one of: v1.22.3, v1.22.2, v1.22.1, v1.22.0, v1.21.5, v1.21.4, v1.21.3, v1.21.2, v1.21.0, latest. + enum: + - v1.22.3 + - v1.22.2 + - v1.22.1 + - v1.22.0 + - v1.21.5 + - v1.21.4 + - v1.21.3 + - v1.21.2 + - v1.21.0 + - latest + type: string + required: + - namespace + - version + type: object + x-kubernetes-validations: + - message: spec.values.global.istioNamespace must match spec.namespace + rule: '!has(self.values) || !has(self.values.global) || !has(self.values.global.istioNamespace) + || self.values.global.istioNamespace == self.__namespace__' + status: + description: IstioStatus defines the observed state of Istio + properties: + conditions: + description: Represents the latest available observations of the object's + current state. + items: + description: IstioCondition represents a specific observation of + the IstioCondition object's state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + the last transition. + type: string + reason: + description: Unique, single-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: The status of this condition. Can be True, False + or Unknown. + type: string + type: + description: The type of this condition. + type: string + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the most recent generation observed for this + Istio object. It corresponds to the object's generation, which is + updated on mutation by the API Server. The information in the status + pertains to this particular generation of the object. + format: int64 + type: integer + revisions: + description: Reports information about the underlying IstioRevisions. + properties: + inUse: + description: Number of IstioRevisions that are currently in use. + format: int32 + type: integer + ready: + description: Number of IstioRevisions that are Ready. + format: int32 + type: integer + total: + description: Total number of IstioRevisions currently associated + with this Istio. + format: int32 + type: integer + required: + - inUse + - ready + - total + type: object + state: + description: Reports the current state of the object. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/sail-operator-metrics-service_v1_service.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/sail-operator-metrics-service_v1_service.yaml new file mode 100644 index 00000000000..a9c8664cd28 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/sail-operator-metrics-service_v1_service.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: sailoperator + app.kubernetes.io/instance: sail-operator-metrics-service + app.kubernetes.io/managed-by: helm + app.kubernetes.io/name: service + app.kubernetes.io/part-of: sailoperator + control-plane: sail-operator + name: sail-operator-metrics-service +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/created-by: sailoperator + app.kubernetes.io/part-of: sailoperator + control-plane: sail-operator +status: + loadBalancer: {} diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/sailoperator.clusterserviceversion.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/sailoperator.clusterserviceversion.yaml new file mode 100644 index 00000000000..f02f62df7af --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/sailoperator.clusterserviceversion.yaml @@ -0,0 +1,678 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "operator.istio.io/v1alpha1", + "kind": "Istio", + "metadata": { + "name": "default" + }, + "spec": { + "namespace": "istio-system", + "updateStrategy": { + "inactiveRevisionDeletionGracePeriodSeconds": 30, + "type": "InPlace" + }, + "version": "v1.22.3" + } + }, + { + "apiVersion": "operator.istio.io/v1alpha1", + "kind": "IstioCNI", + "metadata": { + "name": "default" + }, + "spec": { + "namespace": "istio-cni", + "version": "v1.22.3" + } + } + ] + capabilities: Seamless Upgrades + categories: OpenShift Optional, Integration & Delivery, Networking, Security + containerImage: quay.io/maistra-dev/sail-operator:0.1-nightly-2024-08-06 + createdAt: "2024-08-06T03:38:51Z" + description: Experimental operator for installing Istio service mesh + features.operators.openshift.io/cnf: "false" + features.operators.openshift.io/cni: "true" + features.operators.openshift.io/csi: "false" + features.operators.openshift.io/disconnected: "true" + features.operators.openshift.io/fips-compliant: "false" + features.operators.openshift.io/proxy-aware: "false" + features.operators.openshift.io/tls-profiles: "false" + features.operators.openshift.io/token-auth-aws: "false" + features.operators.openshift.io/token-auth-azure: "false" + features.operators.openshift.io/token-auth-gcp: "false" + operators.operatorframework.io/builder: operator-sdk-v1.35.0 + operators.operatorframework.io/internal-objects: '["wasmplugins.extensions.istio.io","destinationrules.networking.istio.io","envoyfilters.networking.istio.io","gateways.networking.istio.io","proxyconfigs.networking.istio.io","serviceentries.networking.istio.io","sidecars.networking.istio.io","virtualservices.networking.istio.io","workloadentries.networking.istio.io","workloadgroups.networking.istio.io","authorizationpolicies.security.istio.io","peerauthentications.security.istio.io","requestauthentications.security.istio.io","telemetries.telemetry.istio.io"]' + operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 + repository: https://github.com/istio-ecosystem/sail-operator + support: Community based + name: sailoperator.v0.1.0-nightly-2024-08-06 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - kind: WasmPlugin + name: wasmplugins.extensions.istio.io + version: v1alpha1 + - kind: DestinationRule + name: destinationrules.networking.istio.io + version: v1 + - kind: DestinationRule + name: destinationrules.networking.istio.io + version: v1alpha3 + - kind: DestinationRule + name: destinationrules.networking.istio.io + version: v1beta1 + - kind: EnvoyFilter + name: envoyfilters.networking.istio.io + version: v1alpha3 + - kind: Gateway + name: gateways.networking.istio.io + version: v1 + - kind: Gateway + name: gateways.networking.istio.io + version: v1alpha3 + - kind: Gateway + name: gateways.networking.istio.io + version: v1beta1 + - kind: ProxyConfig + name: proxyconfigs.networking.istio.io + version: v1beta1 + - kind: ServiceEntry + name: serviceentries.networking.istio.io + version: v1 + - kind: ServiceEntry + name: serviceentries.networking.istio.io + version: v1alpha3 + - kind: ServiceEntry + name: serviceentries.networking.istio.io + version: v1beta1 + - kind: Sidecar + name: sidecars.networking.istio.io + version: v1 + - kind: Sidecar + name: sidecars.networking.istio.io + version: v1alpha3 + - kind: Sidecar + name: sidecars.networking.istio.io + version: v1beta1 + - kind: VirtualService + name: virtualservices.networking.istio.io + version: v1 + - kind: VirtualService + name: virtualservices.networking.istio.io + version: v1alpha3 + - kind: VirtualService + name: virtualservices.networking.istio.io + version: v1beta1 + - kind: WorkloadEntry + name: workloadentries.networking.istio.io + version: v1 + - kind: WorkloadEntry + name: workloadentries.networking.istio.io + version: v1alpha3 + - kind: WorkloadEntry + name: workloadentries.networking.istio.io + version: v1beta1 + - kind: WorkloadGroup + name: workloadgroups.networking.istio.io + version: v1 + - kind: WorkloadGroup + name: workloadgroups.networking.istio.io + version: v1alpha3 + - kind: WorkloadGroup + name: workloadgroups.networking.istio.io + version: v1beta1 + - kind: AuthorizationPolicy + name: authorizationpolicies.security.istio.io + version: v1 + - kind: AuthorizationPolicy + name: authorizationpolicies.security.istio.io + version: v1beta1 + - kind: PeerAuthentication + name: peerauthentications.security.istio.io + version: v1 + - kind: PeerAuthentication + name: peerauthentications.security.istio.io + version: v1beta1 + - kind: RequestAuthentication + name: requestauthentications.security.istio.io + version: v1 + - kind: RequestAuthentication + name: requestauthentications.security.istio.io + version: v1beta1 + - kind: Telemetry + name: telemetries.telemetry.istio.io + version: v1 + - kind: Telemetry + name: telemetries.telemetry.istio.io + version: v1alpha1 + - description: IstioCNI represents a deployment of the Istio CNI component. + displayName: Istio CNI + kind: IstioCNI + name: istiocnis.operator.istio.io + specDescriptors: + - description: 'Defines the version of Istio to install. Must be one of: v1.22.3, + v1.22.2, v1.22.1, v1.22.0, v1.21.5, v1.21.4, v1.21.3, v1.21.2, v1.21.0, + latest.' + displayName: Istio Version + path: version + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.1 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.0 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.0 + - urn:alm:descriptor:com.tectonic.ui:select:latest + - description: Namespace to which the Istio CNI component should be installed. + displayName: Namespace + path: namespace + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Namespace + - description: 'The built-in installation configuration profile to use. The + ''default'' profile is always applied. On OpenShift, the ''openshift'' profile + is also applied on top of ''default''. Must be one of: ambient, default, + demo, empty, external, minimal, openshift-ambient, openshift, preview, remote, + stable.' + displayName: Profile + path: profile + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:hidden + - description: Defines the values to be passed to the Helm charts when installing + Istio CNI. + displayName: Helm Values + path: values + version: v1alpha1 + - description: IstioRevision represents a single revision of an Istio Service + Mesh deployment. Users shouldn't create IstioRevision objects directly. Instead, + they should create an Istio object and allow the operator to create the underlying + IstioRevision object(s). + displayName: Istio Revision + kind: IstioRevision + name: istiorevisions.operator.istio.io + specDescriptors: + - description: 'Defines the version of Istio to install. Must be one of: v1.22.3, + v1.22.2, v1.22.1, v1.22.0, v1.21.5, v1.21.4, v1.21.3, v1.21.2, v1.21.0, + latest.' + displayName: Istio Version + path: version + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.1 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.0 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.0 + - urn:alm:descriptor:com.tectonic.ui:select:latest + - description: Namespace to which the Istio components should be installed. + displayName: Namespace + path: namespace + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Namespace + - description: Defines the values to be passed to the Helm charts when installing + Istio. + displayName: Helm Values + path: values + version: v1alpha1 + - description: Istio represents an Istio Service Mesh deployment consisting of + one or more control plane instances (represented by one or more IstioRevision + objects). To deploy an Istio Service Mesh, a user creates an Istio object + with the desired Istio version and configuration. The operator then creates + an IstioRevision object, which in turn creates the underlying Deployment objects + for istiod and other control plane components, similar to how a Deployment + object in Kubernetes creates ReplicaSets that create the Pods. + displayName: Istio + kind: Istio + name: istios.operator.istio.io + specDescriptors: + - description: "Type of strategy to use. Can be \"InPlace\" or \"RevisionBased\". + When the \"InPlace\" strategy is used, the existing Istio control plane + is updated in-place. The workloads therefore don't need to be moved from + one control plane instance to another. When the \"RevisionBased\" strategy + is used, a new Istio control plane instance is created for every change + to the Istio.spec.version field. The old control plane remains in place + until all workloads have been moved to the new control plane instance. \n + The \"InPlace\" strategy is the default.\tTODO: change default to \"RevisionBased\"" + displayName: Type + path: updateStrategy.type + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:select:InPlace + - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased + - description: 'Defines the version of Istio to install. Must be one of: v1.22.3, + v1.22.2, v1.22.1, v1.22.0, v1.21.5, v1.21.4, v1.21.3, v1.21.2, v1.21.0, + latest.' + displayName: Istio Version + path: version + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.1 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.0 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.0 + - urn:alm:descriptor:com.tectonic.ui:select:latest + - description: Defines how many seconds the operator should wait before removing + a non-active revision after all the workloads have stopped using it. You + may want to set this value on the order of minutes. The minimum and the + default value is 30. + displayName: Inactive Revision Deletion Grace Period (seconds) + path: updateStrategy.inactiveRevisionDeletionGracePeriodSeconds + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: Defines whether the workloads should be moved from one control + plane instance to another automatically. If updateWorkloads is true, the + operator moves the workloads from the old control plane instance to the + new one after the new control plane is ready. If updateWorkloads is false, + the user must move the workloads manually by updating the istio.io/rev labels + on the namespace and/or the pods. Defaults to false. + displayName: Update Workloads Automatically + path: updateStrategy.updateWorkloads + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Namespace to which the Istio components should be installed. + displayName: Namespace + path: namespace + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Namespace + - description: 'The built-in installation configuration profile to use. The + ''default'' profile is always applied. On OpenShift, the ''openshift'' profile + is also applied on top of ''default''. Must be one of: ambient, default, + demo, empty, external, minimal, openshift-ambient, openshift, preview, remote, + stable.' + displayName: Profile + path: profile + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:hidden + - description: Defines the update strategy to use when the version in the Istio + CR is updated. + displayName: Update Strategy + path: updateStrategy + - description: Defines the values to be passed to the Helm charts when installing + Istio. + displayName: Helm Values + path: values + version: v1alpha1 + description: |- + This is an experimental operator for installing Istio service mesh. + + This version of the operator supports the following Istio versions: + + - v1.22.3 + - v1.22.2 + - v1.22.1 + - v1.22.0 + - v1.21.5 + - v1.21.4 + - v1.21.3 + - v1.21.2 + - v1.21.0 + - latest (52c90974) + + [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. + displayName: Sail Operator + icon: + - base64data: iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAYAAADDPmHLAAAACXBIWXMAAAFiAAABYgFfJ9BTAAAHL0lEQVR4nO2du24bRxSGz5LL+01kaMuX2HShnmlSi2VUBM4bKG/gdGFnl+rsBwggvUHUsTT9AIGdnoWCIIWNIJZNWKLM5Uww1K4sC6JEQrP7z8yeDyDYCHuG3F/nNmeWnpSSTMXvD3tE9Ey9gp3e0NiFWkzGgqVvEtFLvz/c8/vDNQPW4xQ2CCBim4gO/P7wFzOW4wY2CUDRIKLnfn/4xu8PvzNgPdZjmwAiukT02u8Pn5mxHHuxVQART9kb3AzbBUDsDW6GFgEMRuNHwM8QobzBkCuF1dDlAfYGo/GeAULYDCuFHngd1qAzBKgy7c1gNEa74kbYN+CQsAS6cwD15T8djMZKCOj/QhUS9jkkXE1cSaBKzF4ORuMXg9EYeQMeE9GQq4TFxF0FPAnDAtIbdEMRcF5wCUmUgZ3QGyBjcpQX/Axcg5Ek2QeIcgNkpbDLyeHXJN0I6oYh4aeE7Z5HJYd7QPtGgegEKnf8OzgkbLMITkG2glVI2AdWCXMRpL1MRO8FzMs0pAjCCiG1IjBhM0jlBQeD0RhVq3fTLAJTdgMboSeAigBkG4pJ28FKBK8HozGqVu+mMTE0cR5gFyiC1FUHpg6EsAgSwuSJoN3t7+//ALK9nZbpY6NHwh7drf8qG+VjkPnnadg7MFoA+bxPYn2tBBTBrutbyVYMhc5FUMihzDs9T2DNVLB42D4GiUCVp862jO0ZC/e8knjYnlAGsmTVKHKyMrDrXIDnFWedW/+BRPDYxVkC+w6G5LItca/5L8i6miVAzjJox8qTQbJcaIt2/QPIvMoHTDgIowVrj4bJVrUhq8UjgGmVFO4D7MaC1WcDxd2mR7kswrTaOHqBMKwbuw+Hel5p9m0blRQ+cWHU3P7TwSopvFVHJYXWnzxy4Xg4yUa5DcwHrO4POCEAOs0HMsD+gLWloTMCUE0i8eAbVCiwtlXsjgBUKCjk2rJZnQBMWxsKnBKAQrRrAlQaWhkKnBMAeV5Z3GtxKFgS9wQQhQLMEIkKBVY1iJwUgELcbnigqmDbpgaRswKYVwV31t6CrFvjBdwVgAoF1eK6LBcQpru2TBU7LQCFuLOGSgif2ZAQOi8A8rOcEF6B+wLAJ4RGTxSnQgDzhLBVRU0QGe0F0iEAlRA2KzlQh3DT5LIwNQKYdwhvNbgsvEB6BBCWhcARMiPPGaZKAAqgFzDyTEHqBAD0Ah0TvUDqBEDsBb4ilQJgL/CFVAqA2AuckVoBsBc4JbUCUIhGBdUdNMYLpFoAslnJg/YIOqbMD6ZaAOpomawVUc8fMmJeIN0CmE8R1z+DTBuxR5B6AVA2o46Zo6zDk0EWwOmzBv4Gmd5GP2yCBaAEUMw/AJWEhPYCLIAQYEkITQZZACFyrSxAphvIxhALICKTaaYxGWQBnEM2yqhkcBM1PMoCOIesFB+AOoOEygVYABcAdgYhrWEWwAVEq4YSACQZZAFcJJdtAXsCiXsBFsAlyFrpPcj046Q7gyyASxBrlRnQfKJegAVwGX62nZbWMAtgAcAw0E2yJ8ACWIColxFPHo1IzAuwABaR9+8Dm0KJ5QEsgCsANoU6SYUBFsAVyGoR9XgZSioMsACuQP00DdB8ImGABXAVamoY94OViYQBFsA1yHoJdYRMEfvUMAvgGmSlGADNx54HsACuA1sOduPeG2ABLIEs55HmYw0DLIAlkNXiP0DzsVYDLIAlkKU8Mg9gDwAn53eAS2jEeYaQBbAkoKeOR7AA0MhKAdkPiC0PYAEsSymPOkZOYTkYy6PnWQBLon6HCLyEWMIAC2BZPK8EHBMjFoABADeGiAVgALJc+Au4iljyABbAKhRz6O9LuxdgAayAzPtV8BK0zwewAFYhk2mCV8AeAA24I7ip+4IsgFXJZVGTwnN0j4mxAFZEFnLvwEtgAUBxrBJgAayIzGZQTxOLYA8Axc/eAa+gq/Nivs6LOUMwe0tCBt7RSUBSFr1PJ+vqo3lHJ+oNWgZQmAgGO703Wq6l4yLWoW6wlBPv+LMf3ugOCUneZEok5h5+3fCPpMIAC2AhQrynmfjofQ4yNJ0J72R6m6azkjcNiKbzh3+YfoOvQ9uouJ0CkPKYgtk7byYyNJkKL5jVaTJt0kyQdzJVf9EMX66irRIwWQCv3n+ctLzDT/WzOPzlBpfU2Tn8EmE44QH+JKLDMJadvW9t1IbRH/z42x+9DNFL4BpNRZv44xSA2js/OPc6u9FbG7XDGO2mAjUqHuz0hjf9rLoEsBe+5jd8a6N2oOm6zGK0DIdoEcDWRm1Px3WYlVCl4P5NvzLuBNqLFg/AArAXLXsC3Ao2m0srJfUe7PS0JNIsACwXK6WzV7DTSySRZgHEy4fL/nuTvMHXwQK4Oa/CKwzP32hdu3VxwwK4notxeN580dGEMQEWwJc4HFuiZTJpEEAUh2GJlsm4IIBFiZY1cRiJLQI4n2iRa3EYBhH9D18eNW58bi76AAAAAElFTkSuQmCC + mediatype: image/png + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - "" + resources: + - '*' + verbs: + - '*' + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - daemonsets + - deployments + verbs: + - '*' + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' + - apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - '*' + - apiGroups: + - networking.istio.io + resources: + - envoyfilters + verbs: + - '*' + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - '*' + - apiGroups: + - operator.istio.io + resources: + - istiorevisions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - operator.istio.io + resources: + - istiorevisions/finalizers + verbs: + - update + - apiGroups: + - operator.istio.io + resources: + - istiorevisions/status + verbs: + - get + - patch + - update + - apiGroups: + - operator.istio.io + resources: + - istiocnis + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - operator.istio.io + resources: + - istiocnis/finalizers + verbs: + - update + - apiGroups: + - operator.istio.io + resources: + - istiocnis/status + verbs: + - get + - patch + - update + - apiGroups: + - operator.istio.io + resources: + - istios + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - operator.istio.io + resources: + - istios/finalizers + verbs: + - update + - apiGroups: + - operator.istio.io + resources: + - istios/status + verbs: + - get + - patch + - update + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - '*' + - apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use + serviceAccountName: sail-operator + deployments: + - label: + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: sailoperator + app.kubernetes.io/instance: sail-operator + app.kubernetes.io/managed-by: helm + app.kubernetes.io/name: deployment + app.kubernetes.io/part-of: sailoperator + control-plane: sail-operator + name: sail-operator + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/created-by: sailoperator + app.kubernetes.io/part-of: sailoperator + control-plane: sail-operator + strategy: {} + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + app.kubernetes.io/created-by: sailoperator + app.kubernetes.io/part-of: sailoperator + control-plane: sail-operator + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --default-profile=openshift + command: + - /manager + image: quay.io/maistra-dev/sail-operator:0.1-nightly-2024-08-06 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /etc/sail-operator + name: operator-config + readOnly: true + securityContext: + runAsNonRoot: true + serviceAccountName: sail-operator + terminationGracePeriodSeconds: 10 + volumes: + - downwardAPI: + defaultMode: 420 + items: + - fieldRef: + fieldPath: metadata.annotations + path: config.properties + name: operator-config + permissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: sail-operator + strategy: deployment + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - istio + - servicemesh + - envoy + links: + - name: Istio Project + url: https://istio.io + maintainers: + - email: istio-feedback@redhat.com + name: OpenShift Service Mesh Team + maturity: alpha + provider: + name: Red Hat, Inc. + version: 0.1.0-nightly-2024-08-06 diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/security.istio.io_authorizationpolicies.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/security.istio.io_authorizationpolicies.yaml new file mode 100644 index 00000000000..a7789d9b7c2 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/security.istio.io_authorizationpolicies.yaml @@ -0,0 +1,591 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + shortNames: + - ap + singular: authorizationpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + required: + - key + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + required: + - key + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/security.istio.io_peerauthentications.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/security.istio.io_peerauthentications.yaml new file mode 100644 index 00000000000..0d697f5ee60 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/security.istio.io_peerauthentications.yaml @@ -0,0 +1,215 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + minProperties: 1 + type: object + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: self.all(key, 0 < int(key) && int(key) <= 65535) + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + x-kubernetes-validations: + - message: portLevelMtls requires selector + rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() + > 0) || !has(self.portLevelMtls) + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + minProperties: 1 + type: object + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: self.all(key, 0 < int(key) && int(key) <= 65535) + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + x-kubernetes-validations: + - message: portLevelMtls requires selector + rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() + > 0) || !has(self.portLevelMtls) + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/security.istio.io_requestauthentications.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/security.istio.io_requestauthentications.yaml new file mode 100644 index 00000000000..c3db612f890 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/security.istio.io_requestauthentications.yaml @@ -0,0 +1,465 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. + items: + minLength: 1 + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + minLength: 1 + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + minLength: 1 + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + minLength: 1 + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + minLength: 1 + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + minLength: 1 + type: string + header: + description: The name of the header to be created. + minLength: 1 + pattern: ^[-_A-Za-z0-9]+$ + type: string + required: + - header + - claim + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + required: + - issuer + type: object + x-kubernetes-validations: + - message: only one of jwks or jwksUri can be set + rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 + maxItems: 4096 + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. + items: + minLength: 1 + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + minLength: 1 + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + minLength: 1 + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + minLength: 1 + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + minLength: 1 + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + minLength: 1 + type: string + header: + description: The name of the header to be created. + minLength: 1 + pattern: ^[-_A-Za-z0-9]+$ + type: string + required: + - header + - claim + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + required: + - issuer + type: object + x-kubernetes-validations: + - message: only one of jwks or jwksUri can be set + rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 + maxItems: 4096 + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/telemetry.istio.io_telemetries.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/telemetry.istio.io_telemetries.yaml new file mode 100644 index 00000000000..57ca5a963e1 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/manifests/telemetry.istio.io_telemetries.yaml @@ -0,0 +1,781 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + creationTimestamp: null + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') + == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') + == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') + == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') + == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/metadata/annotations.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/metadata/annotations.yaml new file mode 100644 index 00000000000..42138841ccf --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/metadata/annotations.yaml @@ -0,0 +1,14 @@ +annotations: + # Core bundle annotations. + operators.operatorframework.io.bundle.mediatype.v1: registry+v1 + operators.operatorframework.io.bundle.manifests.v1: manifests/ + operators.operatorframework.io.bundle.metadata.v1: metadata/ + operators.operatorframework.io.bundle.package.v1: sailoperator + operators.operatorframework.io.bundle.channels.v1: "0.1-nightly" + operators.operatorframework.io.metrics.builder: operator-sdk-v1.35.0 + operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 + operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4 + + # Annotations for testing. + operators.operatorframework.io.test.mediatype.v1: scorecard+v1 + operators.operatorframework.io.test.config.v1: tests/scorecard/ diff --git a/operators/sailoperator/0.1.0-nightly-2024-08-06/tests/scorecard/config.yaml b/operators/sailoperator/0.1.0-nightly-2024-08-06/tests/scorecard/config.yaml new file mode 100644 index 00000000000..1b077d89075 --- /dev/null +++ b/operators/sailoperator/0.1.0-nightly-2024-08-06/tests/scorecard/config.yaml @@ -0,0 +1,60 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: + - entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.35.0 + labels: + suite: basic + test: basic-check-spec-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.35.0 + labels: + suite: olm + test: olm-bundle-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.35.0 + labels: + suite: olm + test: olm-crds-have-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.35.0 + labels: + suite: olm + test: olm-spec-descriptors-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-status-descriptors + image: quay.io/operator-framework/scorecard-test:v1.35.0 + labels: + suite: olm + test: olm-status-descriptors-test + storage: + spec: + mountPath: {} +storage: + spec: + mountPath: {}