diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index d1dac7477c..ac936f3f77 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -33,16 +33,6 @@ jobs: - name: Install Istio CNI run: ./tests/gh-actions/install_istio-cni.sh - - name: Configure istio init container with seccompProfile attribute - run: | - kubectl get cm istio-sidecar-injector -n istio-system -o yaml > temporary_patch.yaml - sed -i '0,/runAsNonRoot: true/{s//&\n seccompProfile:\n type: RuntimeDefault/}' temporary_patch.yaml - sed -i '/runAsNonRoot: true/{N; /runAsUser: {{ .ProxyUID | default "1337" }}/a\ - seccompProfile:\n type: RuntimeDefault - }' temporary_patch.yaml - kubectl apply -f temporary_patch.yaml - rm temporary_patch.yaml - - name: Install oauth2-proxy run: ./tests/gh-actions/install_oauth2-proxy.sh diff --git a/common/istio-1-23/istio-install/base/install.yaml b/common/istio-1-23/istio-install/base/install.yaml index 59d77f1575..2055307368 100644 --- a/common/istio-1-23/istio-install/base/install.yaml +++ b/common/istio-1-23/istio-install/base/install.yaml @@ -2336,7 +2336,9 @@ data: values: |- { "gateways": { - "seccompProfile": {}, + "seccompProfile": { + "type": RuntimeDefault + }, "securityContext": {} }, "global": { diff --git a/common/istio-1-23/profile.yaml b/common/istio-1-23/profile.yaml index 077b0c86d2..2c8cab15a5 100644 --- a/common/istio-1-23/profile.yaml +++ b/common/istio-1-23/profile.yaml @@ -14,12 +14,14 @@ spec: enabled: true hub: docker.io/istio profile: default - tag: 1.23.2 + tag: 1.24.2 values: defaultRevision: "" gateways: istio-egressgateway: {} istio-ingressgateway: {} + seccompProfile: + type: RuntimeDefault global: configValidation: true istioNamespace: istio-system diff --git a/common/istio-1-24/README.md b/common/istio-1-24/README.md new file mode 100644 index 0000000000..d64912b336 --- /dev/null +++ b/common/istio-1-24/README.md @@ -0,0 +1,94 @@ +# Istio + +## Upgrade Istio Manifests + +Istio ships with an installer called `istioctl`, which is a deployment / +debugging / configuration management tool for Istio all in one package. +In this section, we explain how to upgrade our istio kustomize packages +by leveraging `istioctl`. Assuming the new version is `X.Y.Z` and the +old version is `X1.Y1.Z1`: + +1. Make a copy of the old istio manifests tree, which will become the + kustomization for the new Istio version: + + $ export MANIFESTS_SRC= + $ export ISTIO_OLD=$MANIFESTS_SRC/common/istio-X1-Y1 + $ export ISTIO_NEW=$MANIFESTS_SRC/common/istio-X-Y + $ cp -a $ISTIO_OLD $ISTIO_NEW + +2. Download `istioctl` for version `X.Y.Z`: + + $ ISTIO_VERSION="X.Y.Z" + $ wget "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" + $ tar xvfz istio-${ISTIO_VERSION}-linux-amd64.tar.gz + # sudo mv istio-${ISTIO_VERSION}/bin/istioctl /usr/local/bin/istioctl + +3. Use `istioctl` to generate an `IstioOperator` resource, the + CustomResource used to describe the Istio Control Plane: + + $ cd $ISTIO_NEW + $ istioctl profile dump default > profile.yaml + + --- + **NOTE** + + `istioctl` comes with a bunch of [predefined profiles](https://istio.io/latest/docs/setup/additional-setup/config-profiles/) + (`default`, `demo`, `minimal`, etc.). The `default` profile is installed by default. + + --- + +4. Generate manifests and add them to their respective packages. We + will generate manifests using `istioctl`, the + `profile.yaml` file from upstream and the + `profile-overlay.yaml` file that contains our desired + changes: + + $ export PATH="$MANIFESTS_SRC/scripts:$PATH" + $ cd $ISTIO_NEW + $ istioctl manifest generate --cluster-specific -f profile.yaml -f profile-overlay.yaml > dump.yaml + $ ./split-istio-packages -f dump.yaml + $ mv $ISTIO_NEW/crd.yaml $ISTIO_NEW/istio-crds/base + $ mv $ISTIO_NEW/install.yaml $ISTIO_NEW/istio-install/base + $ mv $ISTIO_NEW/cluster-local-gateway.yaml $ISTIO_NEW/cluster-local-gateway/base + $ rm dump.yaml + + --- + **NOTE** + + `split-istio-packages` is a python script in the same folder as this file. + The `ruamel.yaml` version used is 0.16.12. + + `--cluster-specific` is a flag that determines if a current K8s cluster context will be used to dynamically + detect default settings. Ensure you have a target cluster ready before running the above commands. + We set this flag because `istioctl manifest generate` generates manifest files with resources that are no + longer supported in Kubernetes 1.25 (`policy/v1beta1`). See: https://github.com/istio/istio/issues/41220 + + --- + +## Changes to Istio's upstream manifests + +### Changes to the upstream IstioOperator profile + +Changes to Istio's upstream profile `default` are the following: + +- Add a `cluster-local-gateway` component for Kserve. Knative-local-gateway is now obsolete https://github.com/kubeflow/manifests/pull/2355/commits/adc00b804404ea08685a044ae595be0bed9adb59. +- Disable the EgressGateway component. We do not use it and it adds unnecessary complexity. + +Those changes are captured in the [profile-overlay.yaml](profile-overlay.yaml) +file. + +### Changes to the upstream manifests using kustomize + +The Istio kustomizations make the following changes: + +- Remove PodDisruptionBudget from `istio-install` and `cluster-local-gateway` kustomizations. See: + - https://github.com/istio/istio/issues/12602 + - https://github.com/istio/istio/issues/24000 +- Add Istio AuthorizationPolicy to allow all requests to the Istio Ingressgateway and the Istio cluster-local gateway. +- Add Istio AuthorizationPolicy in Istio's root namespace, so that sidecars deny traffic by default (explicit deny-by-default authorization model). +- Add Gateway CRs for the Istio Ingressgateway and the Istio cluster-local gateway, as `istioctl` stopped generating them in later versions. +- Add the istio-system namespace object to `istio-namespace`, as `istioctl` stopped generating it in later versions. +- Configure TCP KeepAlives. +- Disable tracing as it causes DNS breakdown. See: + https://github.com/istio/istio/issues/29898 +- Set ENABLE_DEBUG_ON_HTTP=false according to https://istio.io/latest/docs/ops/best-practices/security/#control-plane diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml similarity index 81% rename from common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml rename to common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml index 45441c6a4f..174f22965d 100644 --- a/common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml +++ b/common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml @@ -3,6 +3,12 @@ kind: ServiceAccount metadata: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -16,6 +22,12 @@ kind: Deployment metadata: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -42,7 +54,13 @@ spec: sidecar.istio.io/inject: 'false' labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 chart: gateways + helm.sh/chart: istio-ingress-1.24.2 heritage: Tiller install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway @@ -109,7 +127,8 @@ spec: - name: ISTIO_META_WORKLOAD_NAME value: cluster-local-gateway - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway + value: + kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway - name: ISTIO_META_MESH_ID value: cluster.local - name: TRUST_DOMAIN @@ -122,7 +141,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.23.2 + image: gcr.io/istio-testing/proxyv2:1.24.2 name: istio-proxy ports: - containerPort: 15020 @@ -235,6 +254,12 @@ kind: PodDisruptionBudget metadata: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -253,6 +278,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: IngressGateways @@ -273,6 +304,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: IngressGateways @@ -292,6 +329,12 @@ kind: HorizontalPodAutoscaler metadata: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -320,6 +363,12 @@ metadata: annotations: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -331,11 +380,9 @@ spec: ports: - name: status-port port: 15020 - protocol: TCP targetPort: 15020 - name: http2 port: 80 - protocol: TCP targetPort: 8080 selector: app: cluster-local-gateway diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml rename to common/istio-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/gateway.yaml b/common/istio-1-24/cluster-local-gateway/base/gateway.yaml similarity index 100% rename from common/istio-cni-1-23/cluster-local-gateway/base/gateway.yaml rename to common/istio-1-24/cluster-local-gateway/base/gateway.yaml diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/kustomization.yaml b/common/istio-1-24/cluster-local-gateway/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-23/cluster-local-gateway/base/kustomization.yaml rename to common/istio-1-24/cluster-local-gateway/base/kustomization.yaml diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml similarity index 100% rename from common/istio-cni-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml rename to common/istio-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml diff --git a/common/istio-cni-1-23/istio-crds/base/crd.yaml b/common/istio-1-24/istio-crds/base/crd.yaml similarity index 84% rename from common/istio-cni-1-23/istio-crds/base/crd.yaml rename to common/istio-1-24/istio-crds/base/crd.yaml index 33de713fcc..f194ef7520 100644 --- a/common/istio-cni-1-23/istio-crds/base/crd.yaml +++ b/common/istio-1-24/istio-crds/base/crd.yaml @@ -4,11 +4,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: authorizationpolicies.security.istio.io spec: group: security.istio.io @@ -256,9 +256,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -290,12 +291,85 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -535,9 +609,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -569,12 +644,85 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -590,10 +738,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: destinationrules.networking.istio.io spec: group: networking.istio.io @@ -931,8 +1080,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -1277,9 +1452,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of - Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than @@ -1771,8 +1971,32 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -2111,8 +2335,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -2350,6 +2600,74 @@ spec: - host type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -2679,8 +2997,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -3025,9 +3369,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of - Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than @@ -3519,8 +3888,32 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -3859,8 +4252,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -4098,6 +4517,74 @@ spec: - host type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -4427,8 +4914,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -4773,9 +5286,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of - Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than @@ -5267,8 +5805,32 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -5607,8 +6169,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -5846,7 +6434,75 @@ spec: - host type: object status: - type: object + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object x-kubernetes-preserve-unknown-fields: true type: object served: true @@ -5861,10 +6517,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: envoyfilters.networking.istio.io spec: group: networking.istio.io @@ -6156,9 +6813,11 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs @@ -6166,13 +6825,89 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -6188,10 +6923,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: gateways.networking.istio.io spec: group: networking.istio.io @@ -6361,6 +7097,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -6522,6 +7326,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -6683,6 +7555,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -6698,11 +7638,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: peerauthentications.security.istio.io spec: group: security.istio.io @@ -6802,6 +7742,74 @@ spec: rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() > 0) || !has(self.portLevelMtls) status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -6893,6 +7901,74 @@ spec: rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() > 0) || !has(self.portLevelMtls) status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -6908,10 +7984,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: proxyconfigs.networking.istio.io spec: group: networking.istio.io @@ -6974,6 +8051,74 @@ spec: type: object type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -6989,11 +8134,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: requestauthentications.security.istio.io spec: group: security.istio.io @@ -7175,9 +8320,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -7209,15 +8355,85 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -7391,9 +8607,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -7425,34 +8642,105 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: serviceentries.networking.istio.io spec: group: networking.istio.io @@ -7501,7 +8789,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7514,11 +8804,11 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir - rule: "self.startsWith('unix://') ? !self.endsWith('/') :\ - \ true" + rule: "self.startsWith('unix://') ? !self.endsWith('/') : + true" labels: additionalProperties: type: string @@ -7563,8 +8853,8 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" maxItems: 4096 type: array exportTo: @@ -7576,6 +8866,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7592,14 +8887,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -7607,11 +8907,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. @@ -7634,17 +8944,106 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) + && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution + != 'NONE'))" + - message: NONE mode cannot set endpoints + rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) + : true" + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -7683,7 +9082,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7696,11 +9097,11 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir - rule: "self.startsWith('unix://') ? !self.endsWith('/') :\ - \ true" + rule: "self.startsWith('unix://') ? !self.endsWith('/') : + true" labels: additionalProperties: type: string @@ -7745,8 +9146,8 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" maxItems: 4096 type: array exportTo: @@ -7758,6 +9159,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7774,14 +9180,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -7789,11 +9200,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. @@ -7816,17 +9237,106 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) + && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution + != 'NONE'))" + - message: NONE mode cannot set endpoints + rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) + : true" + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -7865,7 +9375,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7878,11 +9390,11 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir - rule: "self.startsWith('unix://') ? !self.endsWith('/') :\ - \ true" + rule: "self.startsWith('unix://') ? !self.endsWith('/') : + true" labels: additionalProperties: type: string @@ -7927,8 +9439,8 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" maxItems: 4096 type: array exportTo: @@ -7940,6 +9452,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7956,14 +9473,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -7971,11 +9493,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. @@ -7998,17 +9530,106 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) + && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution + != 'NONE'))" + - message: NONE mode cannot set endpoints + rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) + : true" + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true @@ -8022,10 +9643,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: sidecars.networking.istio.io spec: group: networking.istio.io @@ -8451,7 +10073,8 @@ spec: type: object type: array outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. properties: egressProxy: properties: @@ -8489,13 +10112,86 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -8915,7 +10611,8 @@ spec: type: object type: array outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. properties: egressProxy: properties: @@ -8953,13 +10650,86 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -9379,7 +11149,8 @@ spec: type: object type: array outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. properties: egressProxy: properties: @@ -9417,39 +11188,112 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io - telemetry-istio-io kind: Telemetry listKind: TelemetryList @@ -9599,11 +11443,11 @@ spec: type: object x-kubernetes-validations: - message: value must be set when operation is UPSERT - rule: "((has(self.operation) ? self.operation : '')\ - \ == 'UPSERT') ? self.value != '' : true" + rule: "((has(self.operation) ? self.operation : '') + == 'UPSERT') ? self.value != '' : true" - message: value must not be set when operation is REMOVE - rule: "((has(self.operation) ? self.operation : '')\ - \ == 'REMOVE') ? !has(self.value) : true" + rule: "((has(self.operation) ? self.operation : '') + == 'REMOVE') ? !has(self.value) : true" description: Optional. type: object type: object @@ -9677,9 +11521,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -9711,9 +11556,11 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array tracing: description: Optional. @@ -9825,7 +11672,78 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -9973,11 +11891,11 @@ spec: type: object x-kubernetes-validations: - message: value must be set when operation is UPSERT - rule: "((has(self.operation) ? self.operation : '')\ - \ == 'UPSERT') ? self.value != '' : true" + rule: "((has(self.operation) ? self.operation : '') + == 'UPSERT') ? self.value != '' : true" - message: value must not be set when operation is REMOVE - rule: "((has(self.operation) ? self.operation : '')\ - \ == 'REMOVE') ? !has(self.value) : true" + rule: "((has(self.operation) ? self.operation : '') + == 'REMOVE') ? !has(self.value) : true" description: Optional. type: object type: object @@ -10051,9 +11969,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -10085,9 +12004,11 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array tracing: description: Optional. @@ -10199,7 +12120,78 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -10215,10 +12207,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: virtualservices.networking.istio.io spec: group: networking.istio.io @@ -11195,6 +13188,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -12163,6 +14224,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -13131,6 +15260,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -13146,10 +15343,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: wasmplugins.extensions.istio.io spec: group: extensions.istio.io @@ -13319,9 +15517,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -13353,9 +15552,11 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: description: |- @@ -13373,9 +15574,9 @@ spec: type: string x-kubernetes-validations: - message: url must have schema one of [http, https, file, oci] - rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',\ - \ 'oci', 'file']) : (isURL('http://' + self) && url('http://'\ - \ +self).getScheme() in ['', 'http', 'https', 'oci', 'file'])" + rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https', + 'oci', 'file']) : (isURL('http://' + self) && url('http://' +self).getScheme() + in ['', 'http', 'https', 'oci', 'file'])" verificationKey: type: string vmConfig: @@ -13409,8 +15610,8 @@ spec: type: object x-kubernetes-validations: - message: value may only be set when valueFrom is INLINE - rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'\ - \ || !has(self.value)" + rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST' + || !has(self.value)" maxItems: 256 type: array x-kubernetes-list-map-keys: @@ -13420,7 +15621,78 @@ spec: required: - url type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true required: @@ -13438,10 +15710,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: workloadentries.networking.istio.io spec: group: networking.istio.io @@ -13485,8 +15758,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\ - \ || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/' + || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: @@ -13533,15 +15806,81 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\ - \ : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) + : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -13575,8 +15914,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\ - \ || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/' + || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: @@ -13623,15 +15962,81 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\ - \ : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) + : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -13665,8 +16070,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\ - \ || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/' + || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: @@ -13713,15 +16118,81 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\ - \ : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) + : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: true @@ -13733,10 +16204,11 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: workloadgroups.networking.istio.io spec: group: networking.istio.io @@ -13775,10 +16247,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -13807,13 +16281,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -13828,6 +16306,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -13841,8 +16320,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -13850,15 +16335,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -13869,12 +16357,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -13888,8 +16380,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: @@ -13934,14 +16426,84 @@ spec: type: object x-kubernetes-validations: - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" required: - template type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -13970,10 +16532,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -14002,13 +16566,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -14023,6 +16591,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -14036,8 +16605,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -14045,15 +16620,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -14064,12 +16642,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -14083,8 +16665,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: @@ -14129,14 +16711,84 @@ spec: type: object x-kubernetes-validations: - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" required: - template type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -14165,10 +16817,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -14197,13 +16851,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -14218,6 +16876,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -14231,8 +16890,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -14240,15 +16905,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -14259,12 +16927,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -14278,8 +16950,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: @@ -14324,14 +16996,84 @@ spec: type: object x-kubernetes-validations: - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" required: - template type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/common/istio-cni-1-23/istio-crds/base/kustomization.yaml b/common/istio-1-24/istio-crds/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-23/istio-crds/base/kustomization.yaml rename to common/istio-1-24/istio-crds/base/kustomization.yaml diff --git a/common/istio-cni-1-23/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-1-24/istio-install/base/deny_all_authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/deny_all_authorizationpolicy.yaml rename to common/istio-1-24/istio-install/base/deny_all_authorizationpolicy.yaml diff --git a/common/istio-cni-1-23/istio-install/base/gateway.yaml b/common/istio-1-24/istio-install/base/gateway.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/gateway.yaml rename to common/istio-1-24/istio-install/base/gateway.yaml diff --git a/common/istio-cni-1-23/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-1-24/istio-install/base/gateway_authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/gateway_authorizationpolicy.yaml rename to common/istio-1-24/istio-install/base/gateway_authorizationpolicy.yaml diff --git a/common/istio-1-24/istio-install/base/install.yaml b/common/istio-1-24/istio-install/base/install.yaml new file mode 100644 index 0000000000..3411bcd4ab --- /dev/null +++ b/common/istio-1-24/istio-install/base/install.yaml @@ -0,0 +1,3043 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: istio-reader + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-reader + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + release: istio + name: istio-reader-service-account + namespace: istio-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + release: istio + name: istiod + namespace: istio-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: istio-reader + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-reader + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + release: istio + name: istio-reader-clusterrole-istio-system +rules: +- apiGroups: + - config.istio.io + - security.istio.io + - networking.istio.io + - authentication.istio.io + - rbac.istio.io + - telemetry.istio.io + - extensions.istio.io + resources: + - '*' + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - endpoints + - pods + - services + - nodes + - replicationcontrollers + - namespaces + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - networking.istio.io + resources: + - workloadentries + verbs: + - get + - watch + - list +- apiGroups: + - networking.x-k8s.io + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - get + - watch + - list +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - list + - watch + - create + - delete +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + release: istio + name: istiod-clusterrole-istio-system +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - update +- apiGroups: + - config.istio.io + - security.istio.io + - networking.istio.io + - authentication.istio.io + - rbac.istio.io + - telemetry.istio.io + - extensions.istio.io + resources: + - '*' + verbs: + - get + - watch + - list +- apiGroups: + - networking.istio.io + resources: + - workloadentries + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - networking.istio.io + resources: + - workloadentries/status + - serviceentries/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - security.istio.io + resources: + - authorizationpolicies/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - '' + resources: + - services/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - pods + - nodes + - services + - namespaces + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - '*' +- apiGroups: + - '' + resources: + - configmaps + verbs: + - create + - get + - list + - watch + - update +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - gateway.networking.k8s.io + resources: + - '*' + verbs: + - get + - watch + - list +- apiGroups: + - gateway.networking.k8s.io + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: + - update + - patch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - update + - patch + - delete +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - watch + - list +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - watch + - list + - create + - delete +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + release: istio + name: istiod-gateway-controller-istio-system +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - '' + resources: + - services + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - '' + resources: + - serviceaccounts + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: istio-reader + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-reader + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + release: istio + name: istio-reader-clusterrole-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole-istio-system +subjects: +- kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + release: istio + name: istiod-clusterrole-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole-istio-system +subjects: +- kind: ServiceAccount + name: istiod + namespace: istio-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + release: istio + name: istiod-gateway-controller-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller-istio-system +subjects: +- kind: ServiceAccount + name: istiod + namespace: istio-system +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + istio: istiod + istio.io/rev: default + release: istio + name: istio-validator-istio-system +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: istiod + namespace: istio-system + path: /validate + failurePolicy: Ignore + name: rev.validation.istio.io + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - default + rules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - '*' + sideEffects: None +--- +apiVersion: v1 +data: + mesh: |- + defaultConfig: + discoveryAddress: istiod.istio-system.svc:15012 + defaultProviders: + metrics: + - prometheus + enablePrometheusMerge: true + rootNamespace: istio-system + tcpKeepalive: + interval: 5s + probes: 3 + time: 10s + trustDomain: cluster.local + meshNetworks: 'networks: {}' +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: Pilot + release: istio + name: istio + namespace: istio-system +--- +apiVersion: v1 +data: + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + defaultTemplates: [sidecar] + policy: enabled + alwaysInjectSelector: + [] + neverInjectSelector: + [] + injectedAnnotations: + template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" + templates: + sidecar: | + {{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + {{- end }} + {{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + {{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} + {{- end }} + } + spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ .ProxyUID | default "1337" | quote }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsUser: {{ .ProxyUID | default "1337" }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + gateway: | + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + } + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + grpc-simple: | + metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" + spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} + grpc-agent: | + {{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + {{- end }} + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } + spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + {{- range $index, $container := .Spec.Containers }} + {{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + waypoint: | + apiVersion: v1 + kind: ServiceAccount + metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + --- + apiVersion: v1 + kind: Service + metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} + --- + kube-gateway: | + apiVersion: v1 + kind: ServiceAccount + metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} + --- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" + spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + --- + apiVersion: v1 + kind: Service + metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} + spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} + --- + values: |- + { + "gateways": { + "seccompProfile": { + "type": "RuntimeDefault" + }, + "securityContext": {} + }, + "global": { + "caAddress": "", + "caName": "", + "certSigners": [], + "configCluster": false, + "configValidation": true, + "defaultPodDisruptionBudget": { + "enabled": true + }, + "defaultResources": { + "requests": { + "cpu": "10m" + } + }, + "externalIstiod": false, + "hub": "gcr.io/istio-testing", + "imagePullPolicy": "", + "imagePullSecrets": [], + "istioNamespace": "istio-system", + "istiod": { + "enableAnalysis": false + }, + "logAsJson": false, + "logging": { + "level": "default:info" + }, + "meshID": "", + "meshNetworks": {}, + "mountMtlsCerts": false, + "multiCluster": { + "clusterName": "", + "enabled": false + }, + "network": "", + "omitSidecarInjectorConfigMap": false, + "operatorManageWebhooks": false, + "pilotCertProvider": "istiod", + "priorityClassName": "", + "proxy": { + "autoInject": "enabled", + "clusterDomain": "cluster.local", + "componentLogLevel": "misc:error", + "excludeIPRanges": "", + "excludeInboundPorts": "", + "excludeOutboundPorts": "", + "image": "proxyv2", + "includeIPRanges": "*", + "includeInboundPorts": "*", + "includeOutboundPorts": "", + "logLevel": "warning", + "outlierLogPath": "", + "privileged": false, + "readinessFailureThreshold": 4, + "readinessInitialDelaySeconds": 0, + "readinessPeriodSeconds": 15, + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "startupProbe": { + "enabled": true, + "failureThreshold": 600 + }, + "statusPort": 15020, + "tracer": "none" + }, + "proxy_init": { + "forceApplyIptables": false, + "image": "proxyv2" + }, + "remotePilotAddress": "", + "sds": { + "token": { + "aud": "istio-ca" + } + }, + "sts": { + "servicePort": 0 + }, + "tag": "1.24.2", + "variant": "", + "waypoint": { + "affinity": {}, + "nodeSelector": {}, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "topologySpreadConstraints": [] + } + }, + "pilot": { + "cni": { + "enabled": false, + "provider": "default" + } + }, + "revision": "", + "sidecarInjectorWebhook": { + "alwaysInjectSelector": [], + "defaultTemplates": [], + "enableNamespacesByDefault": false, + "injectedAnnotations": {}, + "neverInjectSelector": [], + "reinvocationPolicy": "Never", + "rewriteAppHTTPProbe": true, + "templates": {} + } + } +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: Pilot + release: istio + name: istio-sidecar-injector + namespace: istio-system +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app: sidecar-injector + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: Pilot + release: istio + name: istio-sidecar-injector +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + failurePolicy: Fail + name: rev.namespace.sidecar-injector.istio.io + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - default + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - 'false' + reinvocationPolicy: Never + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + failurePolicy: Fail + name: rev.object.sidecar-injector.istio.io + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - 'false' + - key: istio.io/rev + operator: In + values: + - default + reinvocationPolicy: Never + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + failurePolicy: Fail + name: namespace.sidecar-injector.istio.io + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - 'false' + reinvocationPolicy: Never + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + failurePolicy: Fail + name: object.sidecar-injector.istio.io + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - 'true' + - key: istio.io/rev + operator: DoesNotExist + reinvocationPolicy: Never + rules: + - apiGroups: + - '' + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio: pilot + istio.io/rev: default + operator.istio.io/component: Pilot + release: istio + name: istiod + namespace: istio-system +spec: + selector: + matchLabels: + istio: pilot + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + prometheus.io/port: '15014' + prometheus.io/scrape: 'true' + sidecar.istio.io/inject: 'false' + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio: pilot + istio.io/dataplane-mode: none + istio.io/rev: default + operator.istio.io/component: Pilot + sidecar.istio.io/inject: 'false' + spec: + containers: + - args: + - discovery + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --keepaliveMaxServerConnectionAge + - 30m + env: + - name: REVISION + value: default + - name: PILOT_CERT_PROVIDER + value: istiod + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + - name: CA_TRUSTED_NODE_ACCOUNTS + value: istio-system/ztunnel + - name: PILOT_TRACE_SAMPLING + value: '1' + - name: PILOT_ENABLE_ANALYSIS + value: 'false' + - name: CLUSTER_ID + value: Kubernetes + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + divisor: '1' + resource: limits.cpu + - name: PLATFORM + value: '' + image: gcr.io/istio-testing/pilot:1.24.2 + name: discovery + ports: + - containerPort: 8080 + name: http-debug + protocol: TCP + - containerPort: 15010 + name: grpc-xds + protocol: TCP + - containerPort: 15012 + name: tls-xds + protocol: TCP + - containerPort: 15017 + name: https-webhooks + protocol: TCP + - containerPort: 15014 + name: http-monitoring + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + resources: + requests: + cpu: 500m + memory: 2048Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: /var/run/secrets/istio-dns + name: local-certs + - mountPath: /etc/cacerts + name: cacerts + readOnly: true + - mountPath: /var/run/secrets/remote + name: istio-kubeconfig + readOnly: true + - mountPath: /var/run/secrets/istiod/tls + name: istio-csr-dns-cert + readOnly: true + - mountPath: /var/run/secrets/istiod/ca + name: istio-csr-ca-configmap + readOnly: true + serviceAccountName: istiod + tolerations: + - key: cni.istio.io/not-ready + operator: Exists + volumes: + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: cacerts + secret: + optional: true + secretName: cacerts + - name: istio-kubeconfig + secret: + optional: true + secretName: istio-kubeconfig + - name: istio-csr-dns-cert + secret: + optional: true + secretName: istiod-tls + - configMap: + defaultMode: 420 + name: istio-ca-root-cert + optional: true + name: istio-csr-ca-configmap +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio: pilot + istio.io/rev: default + operator.istio.io/component: Pilot + release: istio + name: istiod + namespace: istio-system +spec: + minAvailable: 1 + selector: + matchLabels: + app: istiod + istio: pilot +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + release: istio + name: istiod + namespace: istio-system +rules: +- apiGroups: + - networking.istio.io + resources: + - gateways + verbs: + - create +- apiGroups: + - '' + resources: + - secrets + verbs: + - create + - get + - watch + - list + - update + - delete +- apiGroups: + - '' + resources: + - configmaps + verbs: + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - update + - patch + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + release: istio + name: istiod + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod +subjects: +- kind: ServiceAccount + name: istiod + namespace: istio-system +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: Pilot + release: istio + name: istiod + namespace: istio-system +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio: pilot + istio.io/rev: default + operator.istio.io/component: Pilot + release: istio + name: istiod + namespace: istio-system +spec: + ports: + - name: grpc-xds + port: 15010 + protocol: TCP + - name: https-dns + port: 15012 + protocol: TCP + - name: https-webhook + port: 443 + protocol: TCP + targetPort: 15017 + - name: http-monitoring + port: 15014 + protocol: TCP + selector: + app: istiod + istio: pilot diff --git a/common/istio-1-24/istio-install/base/kustomization.yaml b/common/istio-1-24/istio-install/base/kustomization.yaml new file mode 100644 index 0000000000..37d6f0b36e --- /dev/null +++ b/common/istio-1-24/istio-install/base/kustomization.yaml @@ -0,0 +1,19 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: istio-system + +resources: +- install.yaml +- gateway_authorizationpolicy.yaml +- deny_all_authorizationpolicy.yaml +- gateway.yaml + +patches: +- path: patches/service.yaml +- path: patches/istio-configmap-disable-tracing.yaml +- path: patches/disable-debugging.yaml +- path: patches/istio-ingressgateway-remove-pdb.yaml +- path: patches/istiod-remove-pdb.yaml +- path: patches/seccomp-istio-ingressgateway.yaml +- path: patches/seccomp-istiod.yaml diff --git a/common/istio-cni-1-23/istio-install/base/patches/disable-debugging.yaml b/common/istio-1-24/istio-install/base/patches/disable-debugging.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/patches/disable-debugging.yaml rename to common/istio-1-24/istio-install/base/patches/disable-debugging.yaml diff --git a/common/istio-cni-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml rename to common/istio-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml diff --git a/common/istio-cni-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml rename to common/istio-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml diff --git a/common/istio-cni-1-23/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-1-24/istio-install/base/patches/istiod-remove-pdb.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/patches/istiod-remove-pdb.yaml rename to common/istio-1-24/istio-install/base/patches/istiod-remove-pdb.yaml diff --git a/common/istio-cni-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml rename to common/istio-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml diff --git a/common/istio-cni-1-23/istio-install/base/patches/seccomp-istiod.yaml b/common/istio-1-24/istio-install/base/patches/seccomp-istiod.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/patches/seccomp-istiod.yaml rename to common/istio-1-24/istio-install/base/patches/seccomp-istiod.yaml diff --git a/common/istio-cni-1-23/istio-install/base/patches/service.yaml b/common/istio-1-24/istio-install/base/patches/service.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/patches/service.yaml rename to common/istio-1-24/istio-install/base/patches/service.yaml diff --git a/common/istio-cni-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml rename to common/istio-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml diff --git a/common/istio-1-24/istio-namespace/base/kustomization.yaml b/common/istio-1-24/istio-namespace/base/kustomization.yaml new file mode 100644 index 0000000000..6e0028159b --- /dev/null +++ b/common/istio-1-24/istio-namespace/base/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- namespace.yaml +namespace: istio-system diff --git a/common/istio-cni-1-23/istio-namespace/base/namespace.yaml b/common/istio-1-24/istio-namespace/base/namespace.yaml similarity index 100% rename from common/istio-cni-1-23/istio-namespace/base/namespace.yaml rename to common/istio-1-24/istio-namespace/base/namespace.yaml diff --git a/common/istio-cni-1-23/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-1-24/kubeflow-istio-resources/base/cluster-roles.yaml similarity index 100% rename from common/istio-cni-1-23/kubeflow-istio-resources/base/cluster-roles.yaml rename to common/istio-1-24/kubeflow-istio-resources/base/cluster-roles.yaml diff --git a/common/istio-cni-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml similarity index 100% rename from common/istio-cni-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml rename to common/istio-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml diff --git a/common/istio-cni-1-23/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-1-24/kubeflow-istio-resources/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-23/kubeflow-istio-resources/base/kustomization.yaml rename to common/istio-1-24/kubeflow-istio-resources/base/kustomization.yaml diff --git a/common/istio-cni-1-23/profile-overlay.yaml b/common/istio-1-24/profile-overlay.yaml similarity index 95% rename from common/istio-cni-1-23/profile-overlay.yaml rename to common/istio-1-24/profile-overlay.yaml index 1ab0a58576..e36480d757 100644 --- a/common/istio-cni-1-23/profile-overlay.yaml +++ b/common/istio-1-24/profile-overlay.yaml @@ -54,3 +54,7 @@ spec: egressGateways: - enabled: false name: istio-egressgateway + values: + gateways: + seccompProfile: + type: RuntimeDefault diff --git a/common/istio-1-24/profile.yaml b/common/istio-1-24/profile.yaml new file mode 100644 index 0000000000..7150d6bf26 --- /dev/null +++ b/common/istio-1-24/profile.yaml @@ -0,0 +1,32 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + namespace: istio-system +spec: + hub: gcr.io/istio-testing + tag: 1.24.2 + + # Turn on default components: base, pilot, and ingress gateway + components: + base: + enabled: true + pilot: + enabled: true + # Istio Gateway feature + ingressGateways: + - name: istio-ingressgateway + enabled: true + egressGateways: + - name: istio-egressgateway + enabled: false + + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + gateways: + istio-ingressgateway: {} + istio-egressgateway: {} diff --git a/common/istio-cni-1-23/split-istio-packages b/common/istio-1-24/split-istio-packages similarity index 100% rename from common/istio-cni-1-23/split-istio-packages rename to common/istio-1-24/split-istio-packages diff --git a/common/istio-cni-1-23/profile.yaml b/common/istio-cni-1-23/profile.yaml deleted file mode 100644 index 077b0c86d2..0000000000 --- a/common/istio-cni-1-23/profile.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -spec: - components: - base: - enabled: true - egressGateways: - - enabled: false - name: istio-egressgateway - ingressGateways: - - enabled: true - name: istio-ingressgateway - pilot: - enabled: true - hub: docker.io/istio - profile: default - tag: 1.23.2 - values: - defaultRevision: "" - gateways: - istio-egressgateway: {} - istio-ingressgateway: {} - global: - configValidation: true - istioNamespace: istio-system - diff --git a/common/istio-cni-1-23/README.md b/common/istio-cni-1-24/README.md similarity index 100% rename from common/istio-cni-1-23/README.md rename to common/istio-cni-1-24/README.md diff --git a/common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml new file mode 100644 index 0000000000..174f22965d --- /dev/null +++ b/common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml @@ -0,0 +1,390 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio: cluster-local-gateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway-service-account + namespace: istio-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio: cluster-local-gateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway + namespace: istio-system +spec: + selector: + matchLabels: + app: cluster-local-gateway + istio: cluster-local-gateway + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + istio.io/rev: default + prometheus.io/path: /stats/prometheus + prometheus.io/port: '15020' + prometheus.io/scrape: 'true' + sidecar.istio.io/inject: 'false' + labels: + app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + chart: gateways + helm.sh/chart: istio-ingress-1.24.2 + heritage: Tiller + install.operator.istio.io/owning-resource: unknown + istio: cluster-local-gateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + service.istio.io/canonical-name: cluster-local-gateway + service.istio.io/canonical-revision: latest + sidecar.istio.io/inject: 'false' + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + requiredDuringSchedulingIgnoredDuringExecution: + containers: + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + env: + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + - name: PILOT_CERT_PROVIDER + value: istiod + - name: CA_ADDR + value: istiod.istio-system.svc:15012 + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: cluster-local-gateway + - name: ISTIO_META_OWNER + value: + kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local + - name: ISTIO_META_UNPRIVILEGED_POD + value: 'true' + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: gcr.io/istio-testing/proxyv2:1.24.2 + name: istio-proxy + ports: + - containerPort: 15020 + protocol: TCP + - containerPort: 8080 + protocol: TCP + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/istio/config + name: config-volume + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/pod + name: podinfo + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true + securityContext: + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + serviceAccountName: cluster-local-gateway-service-account + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + - emptyDir: {} + name: workload-certs + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: podinfo + - emptyDir: {} + name: istio-envoy + - emptyDir: {} + name: istio-data + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio + optional: true + name: config-volume + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + labels: + app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio: cluster-local-gateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway + namespace: istio-system +spec: + minAvailable: 1 + selector: + matchLabels: + app: cluster-local-gateway + istio: cluster-local-gateway +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway-sds + namespace: istio-system +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway-sds + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cluster-local-gateway-sds +subjects: +- kind: ServiceAccount + name: cluster-local-gateway-service-account +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio: cluster-local-gateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway + namespace: istio-system +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: cluster-local-gateway +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + labels: + app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 + install.operator.istio.io/owning-resource: unknown + istio: cluster-local-gateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: cluster-local-gateway + namespace: istio-system +spec: + ports: + - name: status-port + port: 15020 + targetPort: 15020 + - name: http2 + port: 80 + targetPort: 8080 + selector: + app: cluster-local-gateway + istio: cluster-local-gateway + type: ClusterIP diff --git a/common/istio-cni-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml new file mode 100644 index 0000000000..4a45b0a1e0 --- /dev/null +++ b/common/istio-cni-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml @@ -0,0 +1,14 @@ +# Allow all traffic to the cluster-local-gateway +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: cluster-local-gateway +spec: + action: ALLOW + selector: + # Same as the cluster-local-gateway Service selector + matchLabels: + app: cluster-local-gateway + istio: cluster-local-gateway + rules: + - {} \ No newline at end of file diff --git a/common/istio-cni-1-24/cluster-local-gateway/base/gateway.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/gateway.yaml new file mode 100644 index 0000000000..a5db160087 --- /dev/null +++ b/common/istio-cni-1-24/cluster-local-gateway/base/gateway.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: cluster-local-gateway + labels: + release: istio +spec: + selector: + app: cluster-local-gateway + istio: cluster-local-gateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - '*' diff --git a/common/istio-cni-1-24/cluster-local-gateway/base/kustomization.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/kustomization.yaml new file mode 100644 index 0000000000..3f63154ee9 --- /dev/null +++ b/common/istio-cni-1-24/cluster-local-gateway/base/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: istio-system + +resources: +- cluster-local-gateway.yaml +- gateway-authorizationpolicy.yaml +- gateway.yaml + +patches: +- path: patches/remove-pdb.yaml diff --git a/common/istio-cni-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml new file mode 100644 index 0000000000..7453e086c5 --- /dev/null +++ b/common/istio-cni-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: cluster-local-gateway + namespace: istio-system \ No newline at end of file diff --git a/common/istio-cni-1-24/istio-crds/base/crd.yaml b/common/istio-cni-1-24/istio-crds/base/crd.yaml new file mode 100644 index 0000000000..f194ef7520 --- /dev/null +++ b/common/istio-cni-1-24/istio-crds/base/crd.yaml @@ -0,0 +1,17082 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + shortNames: + - ap + singular: authorizationpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + required: + - key + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + required: + - key + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + description: |- + Specifies where in the Envoy configuration, the patch should be applied. + + Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + maximum: 4294967295 + minimum: 0 + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: |- + The specific config generation context to match on. + + Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + maximum: 4294967295 + minimum: 0 + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + description: The next level filter within this + filter to match upon. + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + description: The service port/gateway port to which + traffic is being sent/received. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + description: Match on the node metadata supplied by + a proxy when connecting to Istio Pilot. + type: object + proxyVersion: + description: A regular expression in golang regex format + (RE2) that can be used to select proxies using a specific + version of istio proxy. + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + description: The Istio gateway config's namespace/name + for which this route configuration was generated. + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + description: The service port number or gateway server + port number for which this route configuration was + generated. + maximum: 4294967295 + minimum: 0 + type: integer + vhost: + description: Match a specific virtual host in a route + configuration and apply the patch to the virtual host. + properties: + name: + description: The VirtualHosts objects generated + by Istio are named as host:port, where the host + typically corresponds to the VirtualService's + host field or the hostname of a service in the + registry. + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: |- + Match a route with specific action type. + + Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + description: The Route objects generated by + default are named as default. + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: |- + Determines the filter insertion order. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: |- + Determines how the patch should be applied. + + Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. + format: int32 + type: integer + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 + type: array + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this patch configuration should be applied. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + minProperties: 1 + type: object + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: self.all(key, 0 < int(key) && int(key) <= 65535) + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + x-kubernetes-validations: + - message: portLevelMtls requires selector + rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() + > 0) || !has(self.portLevelMtls) + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + minProperties: 1 + type: object + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: self.all(key, 0 < int(key) && int(key) <= 65535) + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + x-kubernetes-validations: + - message: portLevelMtls requires selector + rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() + > 0) || !has(self.portLevelMtls) + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more + details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + format: int32 + minimum: 0 + nullable: true + type: integer + environmentVariables: + additionalProperties: + maxLength: 2048 + type: string + description: Additional environment variables for the proxy. + type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. + items: + minLength: 1 + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + minLength: 1 + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + minLength: 1 + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + minLength: 1 + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + minLength: 1 + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + minLength: 1 + type: string + header: + description: The name of the header to be created. + minLength: 1 + pattern: ^[-_A-Za-z0-9]+$ + type: string + required: + - header + - claim + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + required: + - issuer + type: object + x-kubernetes-validations: + - message: only one of jwks or jwksUri can be set + rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 + maxItems: 4096 + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. + items: + minLength: 1 + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + minLength: 1 + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + minLength: 1 + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + minLength: 1 + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + minLength: 1 + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + minLength: 1 + type: string + header: + description: The name of the header to be created. + minLength: 1 + pattern: ^[-_A-Za-z0-9]+$ + type: string + required: + - header + - claim + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + required: + - issuer + type: object + x-kubernetes-validations: + - message: only one of jwks or jwksUri can be set + rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 + maxItems: 4096 + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + maxLength: 64 + type: string + maxItems: 256 + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : + true" + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + maxLength: 256 + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + protocol: + description: The protocol exposed on the port. + maxLength: 256 + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - number + - name + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + required: + - hosts + type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) + && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution + != 'NONE'))" + - message: NONE mode cannot set endpoints + rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) + : true" + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true" + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + maxLength: 64 + type: string + maxItems: 256 + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : + true" + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + maxLength: 256 + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + protocol: + description: The protocol exposed on the port. + maxLength: 256 + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - number + - name + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + required: + - hosts + type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) + && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution + != 'NONE'))" + - message: NONE mode cannot set endpoints + rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) + : true" + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true" + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + maxLength: 64 + type: string + maxItems: 256 + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : + true" + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + maxLength: 256 + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + protocol: + description: The protocol exposed on the port. + maxLength: 256 + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - number + - name + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + required: + - hosts + type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) + && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution + != 'NONE'))" + - message: NONE mode cannot set endpoints + rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) + : true" + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true" + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: "((has(self.operation) ? self.operation : '') + == 'UPSERT') ? self.value != '' : true" + - message: value must not be set when operation is REMOVE + rule: "((has(self.operation) ? self.operation : '') + == 'REMOVE') ? !has(self.value) : true" + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 + type: array + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: "((has(self.operation) ? self.operation : '') + == 'UPSERT') ? self.value != '' : true" + - message: value must not be set when operation is REMOVE + rule: "((has(self.operation) ? self.operation : '') + == 'REMOVE') ? !has(self.value) : true" + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 + type: array + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: wasmplugins.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: WasmPlugin + listKind: WasmPluginList + plural: wasmplugins + singular: wasmplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' + properties: + failStrategy: + description: |- + Specifies the failure behavior for the plugin due to fatal errors. + + Valid Options: FAIL_CLOSE, FAIL_OPEN + enum: + - FAIL_CLOSE + - FAIL_OPEN + type: string + imagePullPolicy: + description: |- + The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + + Valid Options: IfNotPresent, Always + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. + maxLength: 253 + minLength: 1 + type: string + match: + description: Specifies the criteria to determine which traffic is + passed to WasmPlugin. + items: + properties: + mode: + description: |- + Criteria for selecting traffic by their direction. + + Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER + enum: + - UNDEFINED + - CLIENT + - SERVER + - CLIENT_AND_SERVER + type: string + ports: + description: Criteria for selecting traffic by their destination + port. + items: + properties: + number: + maximum: 65535 + minimum: 1 + type: integer + required: + - number + type: object + type: array + x-kubernetes-list-map-keys: + - number + x-kubernetes-list-type: map + type: object + type: array + phase: + description: |- + Determines where in the filter chain this `WasmPlugin` is to be injected. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED_PHASE + - AUTHN + - AUTHZ + - STATS + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. + type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + description: The plugin name to be used in the Envoy configuration + (used to be called `rootID`). + maxLength: 256 + minLength: 1 + type: string + priority: + description: Determines ordering of `WasmPlugins` in the same `phase`. + format: int32 + nullable: true + type: integer + selector: + description: Criteria used to select the specific set of pods/VMs + on which this plugin configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + sha256: + description: SHA256 checksum that will be used to verify Wasm module + or OCI container. + pattern: (^$|^[a-f0-9]{64}$) + type: string + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 + type: array + type: + description: |- + Specifies the type of Wasm Extension to be used. + + Valid Options: HTTP, NETWORK + enum: + - UNSPECIFIED_PLUGIN_TYPE + - HTTP + - NETWORK + type: string + url: + description: URL of a Wasm module or OCI container. + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have schema one of [http, https, file, oci] + rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https', + 'oci', 'file']) : (isURL('http://' + self) && url('http://' +self).getScheme() + in ['', 'http', 'https', 'oci', 'file'])" + verificationKey: + type: string + vmConfig: + description: Configuration for a Wasm VM. + properties: + env: + description: Specifies environment variables to be injected to + this VM. + items: + properties: + name: + description: Name of the environment variable. + maxLength: 256 + minLength: 1 + type: string + value: + description: Value for the environment variable. + maxLength: 2048 + type: string + valueFrom: + description: |- + Source for the environment variable's value. + + Valid Options: INLINE, HOST + enum: + - INLINE + - HOST + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: value may only be set when valueFrom is INLINE + rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST' + || !has(self.value)" + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - url + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/' + || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) + : true" + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/' + || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) + : true" + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/' + || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) + : true" + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + maxProperties: 256 + type: object + labels: + additionalProperties: + type: string + maxProperties: 256 + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + minLength: 1 + type: string + type: array + required: + - command + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + minimum: 0 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + pattern: ^[-_A-Za-z0-9]+$ + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + scheme: + type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + minimum: 0 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + minimum: 0 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + minimum: 0 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + minimum: 0 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" + required: + - template + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + maxProperties: 256 + type: object + labels: + additionalProperties: + type: string + maxProperties: 256 + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + minLength: 1 + type: string + type: array + required: + - command + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + minimum: 0 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + pattern: ^[-_A-Za-z0-9]+$ + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + scheme: + type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + minimum: 0 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + minimum: 0 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + minimum: 0 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + minimum: 0 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" + required: + - template + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + maxProperties: 256 + type: object + labels: + additionalProperties: + type: string + maxProperties: 256 + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + minLength: 1 + type: string + type: array + required: + - command + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + minimum: 0 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + pattern: ^[-_A-Za-z0-9]+$ + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + scheme: + type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + minimum: 0 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + minimum: 0 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + minimum: 0 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + minimum: 0 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" + required: + - template + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + diff --git a/common/istio-cni-1-24/istio-crds/base/kustomization.yaml b/common/istio-cni-1-24/istio-crds/base/kustomization.yaml new file mode 100644 index 0000000000..3dd2d3cace --- /dev/null +++ b/common/istio-cni-1-24/istio-crds/base/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- crd.yaml +namespace: istio-system diff --git a/common/istio-cni-1-24/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-cni-1-24/istio-install/base/deny_all_authorizationpolicy.yaml new file mode 100644 index 0000000000..390f153d38 --- /dev/null +++ b/common/istio-cni-1-24/istio-install/base/deny_all_authorizationpolicy.yaml @@ -0,0 +1,9 @@ +# Enforce an explicit deny-by-default authorization model, similar to +# the deprecated Istio RBAC +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: global-deny-all + namespace: istio-system +spec: + {} diff --git a/common/istio-cni-1-24/istio-install/base/gateway.yaml b/common/istio-cni-1-24/istio-install/base/gateway.yaml new file mode 100644 index 0000000000..28ae654e1b --- /dev/null +++ b/common/istio-cni-1-24/istio-install/base/gateway.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-ingressgateway + labels: + release: istio +spec: + selector: + app: istio-ingressgateway + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - '*' diff --git a/common/istio-cni-1-24/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-cni-1-24/istio-install/base/gateway_authorizationpolicy.yaml new file mode 100644 index 0000000000..e315e37241 --- /dev/null +++ b/common/istio-cni-1-24/istio-install/base/gateway_authorizationpolicy.yaml @@ -0,0 +1,15 @@ +# Allow all traffic to the istio-ingressgateway +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: istio-ingressgateway + namespace: istio-system +spec: + action: ALLOW + selector: + # Same as the istio-ingressgateway Service selector + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + rules: + - {} diff --git a/common/istio-cni-1-23/istio-install/base/install.yaml b/common/istio-cni-1-24/istio-install/base/install.yaml similarity index 89% rename from common/istio-cni-1-23/istio-install/base/install.yaml rename to common/istio-cni-1-24/istio-install/base/install.yaml index 7d8c7688c3..f24ddd46cf 100644 --- a/common/istio-cni-1-23/istio-install/base/install.yaml +++ b/common/istio-cni-1-24/istio-install/base/install.yaml @@ -3,6 +3,12 @@ kind: ServiceAccount metadata: labels: app: istio-cni + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Cni @@ -12,22 +18,15 @@ metadata: --- apiVersion: v1 kind: ServiceAccount -metadata: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway-service-account - namespace: istio-system ---- -apiVersion: v1 -kind: ServiceAccount metadata: labels: app: istio-reader + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-reader + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 release: istio name: istio-reader-service-account namespace: istio-system @@ -37,6 +36,12 @@ kind: ServiceAccount metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod namespace: istio-system @@ -46,6 +51,12 @@ kind: ClusterRole metadata: labels: app: istio-cni + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Cni @@ -68,6 +79,12 @@ kind: ClusterRole metadata: labels: app: istio-cni + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Cni @@ -95,6 +112,12 @@ kind: ClusterRole metadata: labels: app: istio-reader + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-reader + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istio-reader-clusterrole-istio-system rules: @@ -203,6 +226,12 @@ kind: ClusterRole metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod-clusterrole-istio-system rules: @@ -255,6 +284,7 @@ rules: - networking.istio.io resources: - workloadentries/status + - serviceentries/status verbs: - get - watch @@ -264,15 +294,29 @@ rules: - create - delete - apiGroups: - - networking.istio.io + - security.istio.io resources: - - serviceentries/status + - authorizationpolicies/status verbs: - get - watch - list - update - patch + - create + - delete +- apiGroups: + - '' + resources: + - services/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete - apiGroups: - apiextensions.k8s.io resources: @@ -339,7 +383,6 @@ rules: verbs: - create - apiGroups: - - networking.x-k8s.io - gateway.networking.k8s.io resources: - '*' @@ -348,10 +391,17 @@ rules: - watch - list - apiGroups: - - networking.x-k8s.io - gateway.networking.k8s.io resources: - - '*' + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status verbs: - update - patch @@ -396,6 +446,12 @@ kind: ClusterRole metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod-gateway-controller-istio-system rules: @@ -441,6 +497,12 @@ kind: ClusterRoleBinding metadata: labels: app: istio-cni + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Cni @@ -459,6 +521,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default k8s-app: istio-cni-repair @@ -479,6 +547,12 @@ kind: ClusterRoleBinding metadata: labels: app: istio-reader + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-reader + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istio-reader-clusterrole-istio-system roleRef: @@ -495,6 +569,12 @@ kind: ClusterRoleBinding metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod-clusterrole-istio-system roleRef: @@ -511,6 +591,12 @@ kind: ClusterRoleBinding metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod-gateway-controller-istio-system roleRef: @@ -527,6 +613,12 @@ kind: ValidatingWebhookConfiguration metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 istio: istiod istio.io/rev: default release: istio @@ -581,6 +673,12 @@ data: kind: ConfigMap metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot @@ -594,8 +692,7 @@ data: AMBIENT_ENABLED: 'false' AMBIENT_IPV6: 'true' CHAINED_CNI_PLUGIN: 'true' - CNI_NET_DIR: /etc/cni/net.d - CURRENT_AGENT_VERSION: 1.23.2 + CURRENT_AGENT_VERSION: 1.24.2 EXCLUDED_NAMESPACES: kube-system REPAIR_BROKEN_POD_LABEL_KEY: cni.istio.io/uninitialized REPAIR_BROKEN_POD_LABEL_VALUE: 'true' @@ -608,6 +705,12 @@ kind: ConfigMap metadata: labels: app: istio-cni + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Cni @@ -655,7 +758,7 @@ data: {{- end }} {{- end }} {{- end }} - {{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} + {{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: @@ -676,8 +779,8 @@ data: kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} - {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} - {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} + {{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", @@ -701,7 +804,7 @@ data: (not $nativeSidecar) }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} + {{ if .Values.pilot.cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init @@ -753,9 +856,11 @@ data: {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} - {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} + {{ if .Values.pilot.cni.enabled -}} - "--run-validation" - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" {{ end -}} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} @@ -771,14 +876,14 @@ data: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: - {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} + {{- if not .Values.pilot.cni.enabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL - {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} + {{- if not .Values.pilot.cni.enabled }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false @@ -790,34 +895,6 @@ data: runAsNonRoot: true {{- end }} {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} {{ if not $nativeSidecar }} containers: {{ end }} @@ -1013,7 +1090,7 @@ data: drop: - ALL privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: false runAsUser: 0 @@ -1032,7 +1109,7 @@ data: drop: - ALL privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} runAsNonRoot: false @@ -1061,10 +1138,6 @@ data: - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - mountPath: /var/run/secrets/istio/kubernetes - name: kube-ca-cert - {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} @@ -1140,11 +1213,6 @@ data: configMap: name: istio-ca-root-cert {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - name: kube-ca-cert - configMap: - name: kube-root-ca.crt - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs @@ -1815,7 +1883,6 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 @@ -1838,7 +1905,6 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-mesh-controller" ) | nindent 4 }} ownerReferences: @@ -1872,15 +1938,33 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-mesh-controller" ) | nindent 8}} spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} terminationGracePeriodSeconds: 2 serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP @@ -1987,13 +2071,10 @@ data: - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} + {{- if .Values.global.waypoint.resources }} resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} startupProbe: failureThreshold: 30 httpGet: @@ -2016,8 +2097,10 @@ data: timeoutSeconds: 1 securityContext: privileged: false + {{- if not (eq .Values.global.platform "openshift") }} runAsGroup: 1337 runAsUser: 1337 + {{- end }} allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true @@ -2029,8 +2112,8 @@ data: {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} {{- end }} volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data @@ -2084,13 +2167,19 @@ data: kind: Service metadata: annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} @@ -2128,7 +2217,6 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 @@ -2151,7 +2239,7 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 @@ -2183,7 +2271,7 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 8 }} spec: securityContext: @@ -2222,6 +2310,9 @@ data: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP @@ -2435,7 +2526,6 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} @@ -2445,6 +2535,7 @@ data: name: {{.Name}} uid: {{.UID}} spec: + ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} @@ -2462,11 +2553,12 @@ data: values: |- { "gateways": { - "seccompProfile": {}, + "seccompProfile": { + "type": "RuntimeDefault" + }, "securityContext": {} }, "global": { - "autoscalingv2API": true, "caAddress": "", "caName": "", "certSigners": [], @@ -2480,9 +2572,8 @@ data: "cpu": "10m" } }, - "enabled": true, "externalIstiod": false, - "hub": "docker.io/istio", + "hub": "gcr.io/istio-testing", "imagePullPolicy": "", "imagePullSecrets": [], "istioNamespace": "istio-system", @@ -2500,7 +2591,6 @@ data: "clusterName": "", "enabled": false }, - "namespace": "istio-system", "network": "", "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, @@ -2510,7 +2600,6 @@ data: "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", - "enableCoreDump": false, "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", @@ -2542,6 +2631,7 @@ data: "tracer": "none" }, "proxy_init": { + "forceApplyIptables": false, "image": "proxyv2" }, "remotePilotAddress": "", @@ -2553,17 +2643,28 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.23.2", - "variant": "" - }, - "istio_cni": { - "chained": true, - "enabled": true, - "provider": "default" + "tag": "1.24.2", + "variant": "", + "waypoint": { + "affinity": {}, + "nodeSelector": {}, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "topologySpreadConstraints": [] + } }, "pilot": { "cni": { - "enabled": false, + "enabled": true, "provider": "default" } }, @@ -2582,6 +2683,12 @@ data: kind: ConfigMap metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot @@ -2594,6 +2701,12 @@ kind: MutatingWebhookConfiguration metadata: labels: app: sidecar-injector + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot @@ -2745,6 +2858,12 @@ apiVersion: apps/v1 kind: DaemonSet metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default k8s-app: istio-cni-node @@ -2759,11 +2878,18 @@ spec: template: metadata: annotations: + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined prometheus.io/path: /metrics prometheus.io/port: '15014' prometheus.io/scrape: 'true' sidecar.istio.io/inject: 'false' labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 istio.io/dataplane-mode: none k8s-app: istio-cni-node sidecar.istio.io/inject: 'false' @@ -2806,8 +2932,12 @@ spec: envFrom: - configMapRef: name: istio-cni-config - image: docker.io/istio/install-cni:1.23.2 + image: gcr.io/istio-testing/install-cni:1.24.2 name: install-cni + ports: + - containerPort: 15014 + name: metrics + protocol: TCP readinessProbe: httpGet: path: /readyz @@ -2821,10 +2951,12 @@ spec: add: - NET_ADMIN - NET_RAW + - SYS_PTRACE - SYS_ADMIN + - DAC_OVERRIDE drop: - ALL - privileged: true + privileged: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 @@ -2875,228 +3007,15 @@ spec: --- apiVersion: apps/v1 kind: Deployment -metadata: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - istio.io/rev: default - prometheus.io/path: /stats/prometheus - prometheus.io/port: '15020' - prometheus.io/scrape: 'true' - sidecar.istio.io/inject: 'false' - labels: - app: istio-ingressgateway - chart: gateways - heritage: Tiller - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - service.istio.io/canonical-name: istio-ingressgateway - service.istio.io/canonical-revision: latest - sidecar.istio.io/inject: 'false' - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - requiredDuringSchedulingIgnoredDuringExecution: - containers: - - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - env: - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: istio-ingressgateway - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - - name: ISTIO_META_UNPRIVILEGED_POD - value: 'true' - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.23.2 - name: istio-proxy - ports: - - containerPort: 15021 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8443 - protocol: TCP - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/credential-uds - name: credential-socket - - mountPath: /var/run/secrets/workload-spiffe-credentials - name: workload-certs - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/istio/config - name: config-volume - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/pod - name: podinfo - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - readOnly: true - securityContext: - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - serviceAccountName: istio-ingressgateway-service-account - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - - emptyDir: {} - name: workload-certs - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: podinfo - - emptyDir: {} - name: istio-envoy - - emptyDir: {} - name: istio-data - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio - optional: true - name: config-volume - - name: ingressgateway-certs - secret: - optional: true - secretName: istio-ingressgateway-certs - - name: ingressgateway-ca-certs - secret: - optional: true - secretName: istio-ingressgateway-ca-certs ---- -apiVersion: apps/v1 -kind: Deployment metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/rev: default @@ -3120,6 +3039,12 @@ spec: sidecar.istio.io/inject: 'false' labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/dataplane-mode: none @@ -3173,17 +3098,27 @@ spec: - name: GOMAXPROCS valueFrom: resourceFieldRef: + divisor: '1' resource: limits.cpu - name: PLATFORM value: '' - image: docker.io/istio/pilot:1.23.2 + image: gcr.io/istio-testing/pilot:1.24.2 name: discovery ports: - containerPort: 8080 + name: http-debug protocol: TCP - containerPort: 15010 + name: grpc-xds + protocol: TCP + - containerPort: 15012 + name: tls-xds protocol: TCP - containerPort: 15017 + name: https-webhooks + protocol: TCP + - containerPort: 15014 + name: http-monitoring protocol: TCP readinessProbe: httpGet: @@ -3256,28 +3191,15 @@ spec: --- apiVersion: policy/v1 kind: PodDisruptionBudget -metadata: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - minAvailable: 1 - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/rev: default @@ -3294,29 +3216,15 @@ spec: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role -metadata: - labels: - install.operator.istio.io/owning-resource: unknown - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway-sds - namespace: istio-system -rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - get - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod namespace: istio-system @@ -3356,27 +3264,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding -metadata: - labels: - install.operator.istio.io/owning-resource: unknown - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway-sds - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istio-ingressgateway-sds -subjects: -- kind: ServiceAccount - name: istio-ingressgateway-service-account ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod namespace: istio-system @@ -3391,36 +3287,15 @@ subjects: --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler -metadata: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - target: - averageUtilization: 80 - type: Utilization - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot @@ -3444,41 +3319,15 @@ spec: --- apiVersion: v1 kind: Service -metadata: - annotations: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 8080 - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - selector: - app: istio-ingressgateway - istio: ingressgateway - type: LoadBalancer ---- -apiVersion: v1 -kind: Service metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/rev: default diff --git a/common/istio-cni-1-23/istio-install/base/kustomization.yaml b/common/istio-cni-1-24/istio-install/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/kustomization.yaml rename to common/istio-cni-1-24/istio-install/base/kustomization.yaml diff --git a/common/istio-cni-1-24/istio-install/base/patches/disable-debugging.yaml b/common/istio-cni-1-24/istio-install/base/patches/disable-debugging.yaml new file mode 100644 index 0000000000..038430d7fb --- /dev/null +++ b/common/istio-cni-1-24/istio-install/base/patches/disable-debugging.yaml @@ -0,0 +1,18 @@ +# Penetration test enahncement: check port 15010 & 8080 in istiod: According to https://istio.io/latest/docs/ops/best-practices/security/#control-plane port 15010 +# is not that problematic (only resource discovery). Other parts of the documentation also say| 15010 | GRPC | XDS and CA services (Plaintext, only for secure networks) | +# We have a secure network layer and only XDS is served. +# Port 8080 is not listed in the service and even if it would be somehow reachable by IP it only "offers read access". +# Nevertheless we set ENABLE_DEBUG_ON_HTTP=false do disable it entirely. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod + namespace: istio-system +spec: + template: + spec: + containers: + - name: discovery + env: + - name: ENABLE_DEBUG_ON_HTTP + value: 'false' diff --git a/common/istio-cni-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-cni-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml new file mode 100644 index 0000000000..4db376d17e --- /dev/null +++ b/common/istio-cni-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: istio-system +data: + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + mesh: |- + accessLogFile: /dev/stdout + defaultConfig: + discoveryAddress: istiod.istio-system.svc:15012 + proxyMetadata: {} + tracing: {} + enablePrometheusMerge: true + rootNamespace: istio-system + tcpKeepalive: + interval: 5s + probes: 3 + time: 10s + trustDomain: cluster.local diff --git a/common/istio-cni-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-cni-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml new file mode 100644 index 0000000000..f40567eb95 --- /dev/null +++ b/common/istio-cni-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istio-ingressgateway + namespace: istio-system diff --git a/common/istio-cni-1-24/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-cni-1-24/istio-install/base/patches/istiod-remove-pdb.yaml new file mode 100644 index 0000000000..3de371b704 --- /dev/null +++ b/common/istio-cni-1-24/istio-install/base/patches/istiod-remove-pdb.yaml @@ -0,0 +1,6 @@ +$patch: delete +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod + namespace: istio-system diff --git a/common/istio-cni-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-cni-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml new file mode 100644 index 0000000000..f8825a0263 --- /dev/null +++ b/common/istio-cni-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml @@ -0,0 +1,16 @@ +# Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited. +# According to https://kubernetes.io/docs/concepts/security/pod-security-standards/#:~:text=undefined/null-,Seccomp%20(v1.19%2B),-Seccomp%20profile%20must +# This is done to enable 'restricted' level security standards for the pods. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-ingressgateway + namespace: istio-system +spec: + template: + spec: + containers: + - name: istio-proxy + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/common/istio-cni-1-24/istio-install/base/patches/seccomp-istiod.yaml b/common/istio-cni-1-24/istio-install/base/patches/seccomp-istiod.yaml new file mode 100644 index 0000000000..3174889f85 --- /dev/null +++ b/common/istio-cni-1-24/istio-install/base/patches/seccomp-istiod.yaml @@ -0,0 +1,16 @@ +# Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited. +# According to https://kubernetes.io/docs/concepts/security/pod-security-standards/#:~:text=undefined/null-,Seccomp%20(v1.19%2B),-Seccomp%20profile%20must +# This is done to enable 'restricted' level security standards for the pods. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod + namespace: istio-system +spec: + template: + spec: + containers: + - name: discovery + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/common/istio-cni-1-24/istio-install/base/patches/service.yaml b/common/istio-cni-1-24/istio-install/base/patches/service.yaml new file mode 100644 index 0000000000..5d2faff985 --- /dev/null +++ b/common/istio-cni-1-24/istio-install/base/patches/service.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Service +metadata: + name: istio-ingressgateway + namespace: istio-system +spec: + type: ClusterIP diff --git a/common/istio-cni-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-cni-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml new file mode 100644 index 0000000000..4f9b7365be --- /dev/null +++ b/common/istio-cni-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ../../base + +components: +- ../../../../oauth2-proxy/components/istio-external-auth-patches diff --git a/common/istio-cni-1-23/istio-namespace/base/kustomization.yaml b/common/istio-cni-1-24/istio-namespace/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-23/istio-namespace/base/kustomization.yaml rename to common/istio-cni-1-24/istio-namespace/base/kustomization.yaml diff --git a/common/istio-cni-1-24/istio-namespace/base/namespace.yaml b/common/istio-cni-1-24/istio-namespace/base/namespace.yaml new file mode 100644 index 0000000000..355352bbb2 --- /dev/null +++ b/common/istio-cni-1-24/istio-namespace/base/namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: istio-system + labels: + istio-operator-managed: Reconcile + istio-injection: disabled diff --git a/common/istio-cni-1-24/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-cni-1-24/kubeflow-istio-resources/base/cluster-roles.yaml new file mode 100644 index 0000000000..d60d4e9cd2 --- /dev/null +++ b/common/istio-cni-1-24/kubeflow-istio-resources/base/cluster-roles.yaml @@ -0,0 +1,55 @@ +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-istio-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-istio-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true" +rules: +- apiGroups: + - istio.io + - networking.istio.io + resources: ["*"] + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-istio-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: + - istio.io + - networking.istio.io + resources: ["*"] + verbs: + - get + - list + - watch diff --git a/common/istio-cni-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-cni-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml new file mode 100644 index 0000000000..720ff97dd3 --- /dev/null +++ b/common/istio-cni-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml @@ -0,0 +1,14 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: kubeflow-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" diff --git a/common/istio-cni-1-24/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-cni-1-24/kubeflow-istio-resources/base/kustomization.yaml new file mode 100644 index 0000000000..75669a18a5 --- /dev/null +++ b/common/istio-cni-1-24/kubeflow-istio-resources/base/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- kf-istio-resources.yaml +- cluster-roles.yaml +namespace: kubeflow diff --git a/common/istio-cni-1-24/profile-overlay.yaml b/common/istio-cni-1-24/profile-overlay.yaml new file mode 100644 index 0000000000..e36480d757 --- /dev/null +++ b/common/istio-cni-1-24/profile-overlay.yaml @@ -0,0 +1,60 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + meshConfig: + tcpKeepalive: + time: 10s + interval: 5s + probes: 3 + components: + ingressGateways: + # Cluster-local gateway for KFServing + - enabled: true + name: cluster-local-gateway + # https://github.com/istio/istio/issues/19263#issuecomment-615833092 + label: + app: cluster-local-gateway + istio: cluster-local-gateway + k8s: + env: + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + hpaSpec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: cluster-local-gateway + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + service: + type: ClusterIP + ports: + - name: status-port + port: 15020 + targetPort: 15020 + - name: http2 + port: 80 + targetPort: 8080 + + # Disable EgressGateway + egressGateways: + - enabled: false + name: istio-egressgateway + values: + gateways: + seccompProfile: + type: RuntimeDefault diff --git a/common/istio-cni-1-24/profile.yaml b/common/istio-cni-1-24/profile.yaml new file mode 100644 index 0000000000..7150d6bf26 --- /dev/null +++ b/common/istio-cni-1-24/profile.yaml @@ -0,0 +1,32 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + namespace: istio-system +spec: + hub: gcr.io/istio-testing + tag: 1.24.2 + + # Turn on default components: base, pilot, and ingress gateway + components: + base: + enabled: true + pilot: + enabled: true + # Istio Gateway feature + ingressGateways: + - name: istio-ingressgateway + enabled: true + egressGateways: + - name: istio-egressgateway + enabled: false + + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + gateways: + istio-ingressgateway: {} + istio-egressgateway: {} diff --git a/common/istio-cni-1-24/split-istio-packages b/common/istio-cni-1-24/split-istio-packages new file mode 100755 index 0000000000..bc119aeea5 --- /dev/null +++ b/common/istio-cni-1-24/split-istio-packages @@ -0,0 +1,72 @@ +#!/usr/bin/env python3 + +import sys +import argparse +import ruamel.yaml + + +DESCRIPTION = """ Separate Istio YAML into separate components. + +Separate Istio YAML definitions into four separate components: crds, install +and cluster-local-gateway. +""" + + +class YAMLEmitterNoVersionDirective(ruamel.yaml.emitter.Emitter): + """YAML Emitter that doesn't emit the YAML version directive.""" + + def write_version_directive(self, version_text): + """Disable emitting version directive, i.e., %YAML 1.1.""" + pass + + +class YAML(ruamel.yaml.YAML): + """Wrapper of the ruamel.yaml.YAML class with our custom settings.""" + + def __init__(self, *args, **kwargs): + super(YAML, self).__init__(*args, **kwargs) + # XXX: Explicitly set version for producing K8s compatible manifests. + # https://yaml.readthedocs.io/en/latest/detail.html#document-version-support + self.version = (1, 1) + # XXX: Do not emit version directive since tools might fail to + # parse manifests. + self.Emitter = YAMLEmitterNoVersionDirective + + +yaml = YAML() + + +def parse_args(): + parser = argparse.ArgumentParser( + description=DESCRIPTION, + formatter_class=argparse.ArgumentDefaultsHelpFormatter) + parser.add_argument("-f", "--manifest-file", type=str, required=True, + dest="manifest_file", + help="Istio YAML, generated by istioctl.") + return parser.parse_args() + + +def main(): + args = parse_args() + with open(args.manifest_file, "r") as f: + objects = [obj for obj in list(yaml.load_all(f)) if obj] + crds, install, cluster_local = [], [], [] + for obj in objects: + if obj.get("kind") == "CustomResourceDefinition": + crds.append(obj) + elif (obj.get("metadata", {}).get("name", ""). + startswith("cluster-local-gateway")): + cluster_local.append(obj) + else: + install.append(obj) + + with open("crd.yaml", "w") as f: + yaml.dump_all(crds, f) + with open("install.yaml", "w") as f: + yaml.dump_all(install, f) + with open("cluster-local-gateway.yaml", "w") as f: + yaml.dump_all(cluster_local, f) + + +if __name__ == "__main__": + sys.exit(main())