diff --git a/README.md b/README.md
index 00a2402..b2d0ea5 100644
--- a/README.md
+++ b/README.md
@@ -167,7 +167,7 @@ openssl x509 -req -in "${DOMAIN}".csr -CA homelab-ca.crt -CAkey homelab-ca.key -
 ~170W
-Monthly, the homelab costs (((170W * 24h) / 1000) * £0.33/kWh * 365days) / 12months = £40.95 (~47$).
+Monthly, the homelab costs (((170W * 24h) / 1000) * £0.21/kWh * 365days) / 12months = £26 (~35$).
 # Deployment
diff --git a/kubernetes/calico/helm-values.yaml b/kubernetes/calico/helm-values.yaml
new file mode 100644
index 0000000..acd395e
--- /dev/null
+++ b/kubernetes/calico/helm-values.yaml
@@ -0,0 +1,15 @@
+---
+apiServer:
+  enabled: false
+goldmane:
+  enabled: false
+whisker:
+  enabled: false
+resources:
+  limits:
+    cpu: 1
+    memory: 1000Mi
+  requests:
+    cpu: 10m
+    memory: 32Mi
+...
diff --git a/kubernetes/httpd-healthcheck/healthcheck-deployment.yml b/kubernetes/httpd-healthcheck/healthcheck-deployment.yml
index fa83ba3..7317a8a 100644
--- a/kubernetes/httpd-healthcheck/healthcheck-deployment.yml
+++ b/kubernetes/httpd-healthcheck/healthcheck-deployment.yml
@@ -1,12 +1,4 @@
 ---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: httpd-healthcheck
-  labels:
-    app: httpd-healthcheck
-    istio-injection: enabled
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -52,3 +44,4 @@ spec:
             cpu: 10m
       restartPolicy: Always
       terminationGracePeriodSeconds: 60
+...
diff --git a/kubernetes/httpd-healthcheck/healthcheck-gateway.yml b/kubernetes/httpd-healthcheck/healthcheck-gateway.yml
index b0b2ff3..0fa4d96 100644
--- a/kubernetes/httpd-healthcheck/healthcheck-gateway.yml
+++ b/kubernetes/httpd-healthcheck/healthcheck-gateway.yml
@@ -16,3 +16,4 @@ spec:
     # Don't use a specific server name, or then we can't use NodePort services, due to
     # https://github.com/istio/istio/issues/12545
     - "*"
+...
diff --git a/kubernetes/httpd-healthcheck/healthcheck-service.yml b/kubernetes/httpd-healthcheck/healthcheck-service.yml
index 7a6c44c..43d2d21 100644
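Review bot: The new Calico values file switches off `apiServer`, `goldmane` and `whisker` without a comment saying why, so a later reader cannot tell whether these are deliberate trims or an oversight. Disabling the Calico API server in particular means the `projectcalico.org/v3` resources (Calico network policies, IP pools) are no longer served through the Kubernetes API, so they would presumably have to be managed with `calicoctl` — worth confirming that is the intent. Add a one-line comment above each toggle, e.g. `# apiServer disabled: projectcalico.org/v3 resources are managed with calicoctl, not kubectl`, and similar lines for goldmane and whisker, so the security-relevant trade-off is recorded next to the setting.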
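Review bot: The first hunk of healthcheck-deployment.yml removes the `httpd-healthcheck` Namespace together with its `istio-injection: enabled` label, and nothing in this commit shows where the namespace is created now. If the replacement definition (wherever it lives — a Helm chart or a separate manifest outside this diff, presumably) does not carry `istio-injection: enabled` or an equivalent `istio.io/rev` label, the healthcheck pod will run without a sidecar and, if the mesh enforces mTLS as the deleted kubernetes/istio/README.md described, fall outside that enforcement while still being published through the Istio ingress gateway. Confirm the label is preserved, and add a comment at the top of this file naming the definition, e.g. `# Namespace httpd-healthcheck (with istio-injection: enabled) is defined in <path-to-namespace-manifest>`.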
--- a/kubernetes/httpd-healthcheck/healthcheck-service.yml
+++ b/kubernetes/httpd-healthcheck/healthcheck-service.yml
@@ -31,3 +31,4 @@ spec:
         host: httpd-healthcheck-service
         port:
           number: 10001
+...
diff --git a/kubernetes/istio/README.md b/kubernetes/istio/README.md
deleted file mode 100644
index 9ca76d1..0000000
--- a/kubernetes/istio/README.md
+++ /dev/null
@@ -1,69 +0,0 @@ -[[Back to Index Page](../README.md)] - -# Istio - -See https://istio.io/latest/docs/concepts/what-is-istio/ - -## What's so great about Istio? - -Mutual TLS (mTLS). You can enforce mTLS such that only TLS traffic is accepted by all services in all Istio-injected namespaces. - -## Istio Generate a YAML Manifest - -Note that `istio-operator.yml` is an Istio operator YAML file. This is not a Kubernetes YAML file. If you attemt to apply it using `kubectl` it will fail, because it does not recognise it as a Kubernetes file. - -If you want to generate a YAML file that does exactly the same thing that you would be doing with `istioctl install` using the operator file, you need to run it through a processor: - -```bash -istioctl manifest generate -f ./istio-operator.yml --set values.global.jwtPolicy=first-party-jwt > ./istio-kubernetes.yml -``` - -The output is a Kubernetes YAML file that can be used with `kubectl apply`. Note that you can skip the `--set values` parameter if your cluster supports third party tokens. While AWS cloud provider, and possibly others, supports this feature (I use it myself), many local development tools and custom installations may not prior to Kubernetes 1.20. - -Use the following if your cluster supports third party tokens: - -```bash -istioctl manifest generate -f ./istio-operator.yml --set values.global.jwtPolicy=third-party-jwt > ./istio-kubernetes.yml -``` - -## Install Istio - -The Istio namespace must be created manually. - -```bash -kubectl create ns istio-system -``` - -The `kubectl apply` command may show transient errors due to resources not being available in the cluster in the correct order. If that happens, simply run the command again. 
- -```bash -kubectl apply -f ./istio-kubernetes.yml -``` - -Install httpd-healthcheck: - -```bash -kubectl apply -f ../httpd-healthcheck/ -``` - -Expected output: - -```bash -kubectl -n istio-system get svc -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -istio-ingressgateway LoadBalancer 10.99.133.23 10.11.1.52 10001:32104/TCP,443:30175/TCP,15021:30860/TCP 73m -istiod ClusterIP 10.103.218.247 15010/TCP,15012/TCP,443/TCP,15014/TCP 73m -kiali ClusterIP 10.109.213.166 20001/TCP,9090/TCP 36m -``` - -Note that I use MetalLB as a network load balancer implementation for my bare metal homelab cluster. - -## References - -https://istio.io/latest/docs/setup/install/istioctl/ - -https://istio.io/latest/docs/setup/additional-setup/config-profiles/ - -https://istio.io/latest/docs/ops/best-practices/security/#configure-third-party-service-account-tokens - -https://github.com/istio/istio/releases \ No newline at end of file diff --git a/kubernetes/istio/helm-ingressgateway-values.yaml b/kubernetes/istio/helm-ingressgateway-values.yaml new file mode 100644 index 0000000..ba4d95f --- /dev/null +++ b/kubernetes/istio/helm-ingressgateway-values.yaml 
@@ -0,0 +1,43 @@
+---
+name: istio-ingressgateway
+autoscaling:
+  minReplicas: 2
+resources:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+  limits:
+    cpu: 2000m
+    memory: 1024Mi
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+    - podAffinityTerm:
+        labelSelector:
+          matchExpressions:
+          - key: app
+            operator: In
+            values:
+            - istio-ingressgateway
+        topologyKey: failure-domain.beta.kubernetes.io/zone
+      weight: 100
+service:
+  type: LoadBalancer
+  ports:
+    # Whatever is listed as the first port in a Service of
+    # type LoadBalancer is picked to be the port used for
+    # health checks. 10001 is the port of httpd-healthcheck.
+    - name: httpd-healthcheck
+      port: 10001
+      targetPort: 10001
+    - name: http
+      port: 80
+      targetPort: 8080
+    - name: https
+      port: 443
+      targetPort: 8443
+    # Istio readiness port of gateways
+    - name: status-port
+      port: 15021
+      targetPort: 15021
+...
diff --git a/kubernetes/istio/helm-istiod-values.yaml b/kubernetes/istio/helm-istiod-values.yaml
new file mode 100644
index 0000000..b7a1dc1
--- /dev/null
+++ b/kubernetes/istio/helm-istiod-values.yaml
@@ -0,0 +1,41 @@
+---
+pilot:
+  autoscalerEnabled: true
+  autoscaleMin: 2
+  autoscaleMax: 5
+  replicaCount: 2
+  rollingMaxSurge: 50%
+  rollingMaxUnavailable: 1
+  resources:
+    requests:
+      cpu: 150m
+      memory: 300Mi
+    limits:
+      cpu: 2000m
+      memory: 4096Mi
+global:
+  defaultPodDisruptionBudget:
+    enabled: true
+  defaultResources:
+    requests:
+      cpu: 10m
+  istioNamespace: istio-system
+  proxy:
+    # applies to istio-proxy and istio-init containers
+    resources:
+      limits:
+        cpu: 1000m
+        memory: 1024Mi
+      requests:
+        cpu: 20m
+        memory: 64Mi
+    tracer: "zipkin"
+telemetry:
+  enabled: true
+meshConfig:
+  defaultConfig:
+    tracing:
+      sampling: 100
+      zipkin:
+        address: jaeger-collector.istio-system:9411
+...
diff --git a/kubernetes/istio/istio-kubernetes.yml b/kubernetes/istio/istio-kubernetes.yml
deleted file mode 100644
index d429910..0000000
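Review bot: `topologyKey: failure-domain.beta.kubernetes.io/zone` in the gateway anti-affinity term is the deprecated zone label; current nodes carry `topology.kubernetes.io/zone`, and bare-metal homelab nodes may carry neither, in which case the preferred term matches nothing and both `minReplicas: 2` gateway pods can be scheduled onto the same node, defeating the redundancy the replica count is meant to give. Change it to `topologyKey: topology.kubernetes.io/zone`, or to `kubernetes.io/hostname` if the intent is to spread across nodes in a single-zone cluster. The comment above the `httpd-healthcheck` port describes cloud load-balancer behaviour (the first port being probed); with MetalLB, which the deleted kubernetes/istio/README.md says is in use, that rule presumably does not apply, so the comment should say which balancer it refers to. Either way port 10001 is published on the LoadBalancer address, so the healthcheck endpoint must remain safe to expose unauthenticated.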
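Review bot: `sampling: 100` under `meshConfig.defaultConfig.tracing` traces every request in the mesh and ships the spans, which carry request path, host and whatever headers the tracer records, to `jaeger-collector.istio-system:9411` (plain Zipkin over HTTP, presumably, given the port); that is reasonable for a debugging session but as a permanent default it costs proxy CPU on every request and retains request metadata for all traffic in the collector. Either add a comment stating that full sampling is intentional for this homelab, or lower it, e.g. `sampling: 10`. The `global.proxy.tracer: "zipkin"` plus `defaultConfig.tracing` form is the legacy tracing configuration; Istio documents the Telemetry API with `meshConfig.extensionProviders` as its replacement, so it is worth checking that the chart version being installed still honours these keys rather than silently ignoring them.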
--- a/kubernetes/istio/istio-kubernetes.yml
+++ /dev/null
@@ -1,20541 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - shortNames: - - ap - singular: authorizationpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The operation to take. - jsonPath: .spec.action - name: Action - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: |- - Optional. - - Valid Options: ALLOW, DENY, AUDIT, CUSTOM - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. 
- items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. 
- items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - required: - - key - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - maxItems: 16 - type: array - type: object - x-kubernetes-validations: - - message: only one of targetRefs or selector can be set - rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. 
- type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The operation to take. - jsonPath: .spec.action - name: Action - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. 
See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: |- - Optional. - - Valid Options: ALLOW, DENY, AUDIT, CUSTOM - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. 
- items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - required: - - key - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. 
- type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - maxItems: 16 - type: array - type: object - x-kubernetes-validations: - - message: only one of targetRefs or selector can be set - rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. 
- format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. 
- type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. 
- type: string - subsets: - description: One or more named sets that represent individual versions - of a service. - items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. 
- type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: Enable locality load balancing. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmup: - description: Represents the warmup configuration of - Service. - properties: - aggression: - description: This parameter controls the speed of - traffic increase over the warmup duration. - format: double - minimum: 1 - nullable: true - type: number - duration: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - minimumPercent: - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - required: - - duration - type: object - warmupDurationSecs: - description: 'Deprecated: use `warmup` instead.' 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - `minHealthPercent` hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. 
- properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. 
- type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: Enable locality load balancing. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. 
- type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmup: - description: Represents the warmup configuration - of Service. - properties: - aggression: - description: This parameter controls the speed - of traffic increase over the warmup duration. - format: double - minimum: 1 - nullable: true - type: number - duration: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - minimumPercent: - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - required: - - duration - type: object - warmupDurationSecs: - description: 'Deprecated: use `warmup` instead.' - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least `minHealthPercent` hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use - in verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. 
- type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - maxItems: 4096 - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' 
- nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. 
- format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. 
- properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. 
- properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: Enable locality load balancing. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmup: - description: Represents the warmup configuration of Service. 
- properties: - aggression: - description: This parameter controls the speed of traffic - increase over the warmup duration. - format: double - minimum: 1 - nullable: true - type: number - duration: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - minimumPercent: - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - required: - - duration - type: object - warmupDurationSecs: - description: 'Deprecated: use `warmup` instead.' - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. 
- format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least `minHealthPercent` - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. 
- type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: Enable locality load balancing. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmup: - description: Represents the warmup configuration of - Service. - properties: - aggression: - description: This parameter controls the speed of - traffic increase over the warmup duration. - format: double - minimum: 1 - nullable: true - type: number - duration: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - minimumPercent: - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - required: - - duration - type: object - warmupDurationSecs: - description: 'Deprecated: use `warmup` instead.' 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - `minHealthPercent` hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. 
- properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - maxItems: 4096 - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. 
- properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing the - certificate revocation list (CRL) to use in verifying a - presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. 
- maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - required: - - host - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. 
- items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - description: One or more named sets that represent individual versions - of a service. 
- items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: Enable locality load balancing. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmup: - description: Represents the warmup configuration of - Service. - properties: - aggression: - description: This parameter controls the speed of - traffic increase over the warmup duration. - format: double - minimum: 1 - nullable: true - type: number - duration: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - minimumPercent: - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - required: - - duration - type: object - warmupDurationSecs: - description: 'Deprecated: use `warmup` instead.' 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - `minHealthPercent` hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. 
- properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. 
- type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: Enable locality load balancing. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. 
- type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmup: - description: Represents the warmup configuration - of Service. - properties: - aggression: - description: This parameter controls the speed - of traffic increase over the warmup duration. - format: double - minimum: 1 - nullable: true - type: number - duration: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - minimumPercent: - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - required: - - duration - type: object - warmupDurationSecs: - description: 'Deprecated: use `warmup` instead.' - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least `minHealthPercent` hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use - in verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. 
- type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - maxItems: 4096 - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' 
- nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. 
- format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. 
- properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. 
- properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: Enable locality load balancing. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmup: - description: Represents the warmup configuration of Service. 
- properties: - aggression: - description: This parameter controls the speed of traffic - increase over the warmup duration. - format: double - minimum: 1 - nullable: true - type: number - duration: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - minimumPercent: - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - required: - - duration - type: object - warmupDurationSecs: - description: 'Deprecated: use `warmup` instead.' - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. 
- format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least `minHealthPercent` - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. 
- type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: Enable locality load balancing. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmup: - description: Represents the warmup configuration of - Service. - properties: - aggression: - description: This parameter controls the speed of - traffic increase over the warmup duration. - format: double - minimum: 1 - nullable: true - type: number - duration: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - minimumPercent: - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - required: - - duration - type: object - warmupDurationSecs: - description: 'Deprecated: use `warmup` instead.' 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - `minHealthPercent` hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. 
- properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - maxItems: 4096 - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. 
- properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing the - certificate revocation list (CRL) to use in verifying a - presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. 
- maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - required: - - host - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. 
- items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - description: One or more named sets that represent individual versions - of a service. 
- items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: Enable locality load balancing. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmup: - description: Represents the warmup configuration of - Service. - properties: - aggression: - description: This parameter controls the speed of - traffic increase over the warmup duration. - format: double - minimum: 1 - nullable: true - type: number - duration: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - minimumPercent: - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - required: - - duration - type: object - warmupDurationSecs: - description: 'Deprecated: use `warmup` instead.' 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - `minHealthPercent` hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. 
- properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. 
- type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: Enable locality load balancing. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. 
- type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmup: - description: Represents the warmup configuration - of Service. - properties: - aggression: - description: This parameter controls the speed - of traffic increase over the warmup duration. - format: double - minimum: 1 - nullable: true - type: number - duration: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - minimumPercent: - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - required: - - duration - type: object - warmupDurationSecs: - description: 'Deprecated: use `warmup` instead.' - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. 
- maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least `minHealthPercent` hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use - in verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. 
- type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - maxItems: 4096 - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' 
- nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. 
- format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. 
- properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. 
- properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: Enable locality load balancing. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmup: - description: Represents the warmup configuration of Service. 
- properties: - aggression: - description: This parameter controls the speed of traffic - increase over the warmup duration. - format: double - minimum: 1 - nullable: true - type: number - duration: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - minimumPercent: - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - required: - - duration - type: object - warmupDurationSecs: - description: 'Deprecated: use `warmup` instead.' - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. 
- format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least `minHealthPercent` - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. 
- type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: Enable locality load balancing. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmup: - description: Represents the warmup configuration of - Service. - properties: - aggression: - description: This parameter controls the speed of - traffic increase over the warmup duration. - format: double - minimum: 1 - nullable: true - type: number - duration: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - minimumPercent: - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - required: - - duration - type: object - warmupDurationSecs: - description: 'Deprecated: use `warmup` instead.' 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - `minHealthPercent` hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. 
- properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - maxItems: 4096 - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. 
- properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing the - certificate revocation list (CRL) to use in verifying a - presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. 
- maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - required: - - host - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. 
- items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - description: |- - Specifies where in the Envoy configuration, the patch should be applied. 
- - Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster - was generated. - maximum: 4294967295 - minimum: 0 - type: integer - service: - description: The fully qualified service name for this - cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: |- - The specific config generation context to match on. - - Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - type: string - destinationPort: - description: The destination_port value used by - a filter chain's match condition. - maximum: 4294967295 - minimum: 0 - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. 
- type: string - subFilter: - description: The next level filter within this - filter to match upon. - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - type: string - type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - description: The service port/gateway port to which - traffic is being sent/received. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - description: Match on the node metadata supplied by - a proxy when connecting to istiod. - type: object - proxyVersion: - description: A regular expression in golang regex format - (RE2) that can be used to select proxies using a specific - version of istio proxy. - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - description: The Istio gateway config's namespace/name - for which this route configuration was generated. - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - description: The service port number or gateway server - port number for which this route configuration was - generated. - maximum: 4294967295 - minimum: 0 - type: integer - vhost: - description: Match a specific virtual host in a route - configuration and apply the patch to the virtual host. 
- properties: - name: - description: The VirtualHosts objects generated - by Istio are named as host:port, where the host - typically corresponds to the VirtualService's - host field or the hostname of a service in the - registry. - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: |- - Match a route with specific action type. - - Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - description: The Route objects generated by - default are named as default. - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: |- - Determines the filter insertion order. - - Valid Options: AUTHN, AUTHZ, STATS - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: |- - Determines how the patch should be applied. - - Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied - within a context. - format: int32 - type: integer - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - maxItems: 16 - type: array - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this patch configuration should be applied. - properties: - labels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard is not supported in selector - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - maxProperties: 256 - type: object - type: object - type: object - x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set - rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. 
- type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. 
- type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. 
- maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
- type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. 
- - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. 
- properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. 
- items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. 
- type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. 
- type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. 
- items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. 
- type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Peer authentication configuration for workloads. See more - details at: https://istio.io/docs/reference/config/security/peer_authentication.html' - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. 
- - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - minProperties: 1 - type: object - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: self.all(key, 0 < int(key) && int(key) <= 65535) - selector: - description: The selector determines the workloads to apply the PeerAuthentication - on. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - type: object - x-kubernetes-validations: - - message: portLevelMtls requires selector - rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() - > 0) || !has(self.portLevelMtls) - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. 
- type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Peer authentication configuration for workloads. See more - details at: https://istio.io/docs/reference/config/security/peer_authentication.html' - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - minProperties: 1 - type: object - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: self.all(key, 0 < int(key) && int(key) <= 65535) - selector: - description: The selector determines the workloads to apply the PeerAuthentication - on. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. 
- maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - type: object - x-kubernetes-validations: - - message: portLevelMtls requires selector - rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() - > 0) || !has(self.portLevelMtls) - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. 
- type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more - details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - format: int32 - minimum: 0 - nullable: true - type: integer - environmentVariables: - additionalProperties: - maxLength: 2048 - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: The image type of the image. - type: string - type: object - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. 
- maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. 
- type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. See - more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) - that are allowed to access. - items: - minLength: 1 - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - minLength: 1 - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - minLength: 1 - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. 
- type: string - required: - - name - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - minLength: 1 - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - minLength: 1 - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate - signature of the JWT. - maxLength: 2048 - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have scheme http:// or https:// - rule: url(self).getScheme() in ['http', 'https'] - jwksUri: - description: URL of the provider's public key set to validate - signature of the JWT. - maxLength: 2048 - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have scheme http:// or https:// - rule: url(self).getScheme() in ['http', 'https'] - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - minLength: 1 - type: string - header: - description: The name of the header to be created. - minLength: 1 - pattern: ^[-_A-Za-z0-9]+$ - type: string - required: - - header - - claim - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output - a successfully verified JWT payload to the backend. - type: string - timeout: - description: The maximum amount of time that the resolver, determined - by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, - will spend waiting for the JWKS to be fetched. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - required: - - issuer - type: object - x-kubernetes-validations: - - message: only one of jwks or jwksUri can be set - rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 - maxItems: 4096 - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. 
- type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - maxItems: 16 - type: array - type: object - x-kubernetes-validations: - - message: only one of targetRefs or selector can be set - rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. 
- format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. See - more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. 
- items: - properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) - that are allowed to access. - items: - minLength: 1 - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - minLength: 1 - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - minLength: 1 - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - required: - - name - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - minLength: 1 - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - minLength: 1 - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate - signature of the JWT. - maxLength: 2048 - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have scheme http:// or https:// - rule: url(self).getScheme() in ['http', 'https'] - jwksUri: - description: URL of the provider's public key set to validate - signature of the JWT. - maxLength: 2048 - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have scheme http:// or https:// - rule: url(self).getScheme() in ['http', 'https'] - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. 
- minLength: 1 - type: string - header: - description: The name of the header to be created. - minLength: 1 - pattern: ^[-_A-Za-z0-9]+$ - type: string - required: - - header - - claim - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output - a successfully verified JWT payload to the backend. - type: string - timeout: - description: The maximum amount of time that the resolver, determined - by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, - will spend waiting for the JWKS to be fetched. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - required: - - issuer - type: object - x-kubernetes-validations: - - message: only one of jwks or jwksUri can be set - rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 - maxItems: 4096 - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. 
- maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. 
- type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - maxItems: 16 - type: array - type: object - x-kubernetes-validations: - - message: only one of targetRefs or selector can be set - rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. 
- - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - maxLength: 64 - type: string - maxItems: 256 - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) - == ''/'' || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') - : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. 
- maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) - ? !has(self.ports) : true' - maxItems: 4096 - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - x-kubernetes-validations: - - message: hostname cannot be wildcard - rule: self != '*' - maxItems: 256 - minItems: 1 - type: array - location: - description: |- - Specify whether the service should be considered external to the mesh or part of the mesh. - - Valid Options: MESH_EXTERNAL, MESH_INTERNAL - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - maxLength: 256 - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - protocol: - description: The protocol exposed on the port. - maxLength: 256 - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. 
- maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - required: - - number - - name - type: object - maxItems: 256 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: port number cannot be duplicated - rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) - resolution: - description: |- - Service resolution mode for the hosts. - - Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard is not supported in selector - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - maxProperties: 256 - type: object - type: object - required: - - hosts - type: object - x-kubernetes-validations: - - message: only one of WorkloadSelector or Endpoints can be set - rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 - - message: CIDR addresses are allowed only for NONE/STATIC resolution - types - rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) - && (has(self.resolution) && self.resolution != ''STATIC'' && self.resolution - != ''NONE''))' - - message: NONE mode cannot set endpoints - rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? 
!has(self.endpoints) - : true' - - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints - rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') - ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. 
- type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - maxLength: 64 - type: string - maxItems: 256 - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? 
(self.substring(7,8) - == ''/'' || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') - : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) - ? !has(self.ports) : true' - maxItems: 4096 - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. 
- items: - type: string - x-kubernetes-validations: - - message: hostname cannot be wildcard - rule: self != '*' - maxItems: 256 - minItems: 1 - type: array - location: - description: |- - Specify whether the service should be considered external to the mesh or part of the mesh. - - Valid Options: MESH_EXTERNAL, MESH_INTERNAL - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - maxLength: 256 - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - protocol: - description: The protocol exposed on the port. - maxLength: 256 - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - required: - - number - - name - type: object - maxItems: 256 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: port number cannot be duplicated - rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) - resolution: - description: |- - Service resolution mode for the hosts. - - Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. 
- properties: - labels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard is not supported in selector - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - maxProperties: 256 - type: object - type: object - required: - - hosts - type: object - x-kubernetes-validations: - - message: only one of WorkloadSelector or Endpoints can be set - rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 - - message: CIDR addresses are allowed only for NONE/STATIC resolution - types - rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) - && (has(self.resolution) && self.resolution != ''STATIC'' && self.resolution - != ''NONE''))' - - message: NONE mode cannot set endpoints - rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) - : true' - - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints - rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') - ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. 
- type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - maxLength: 64 - type: string - maxItems: 256 - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) - == ''/'' || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') - : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. 
- maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) - ? !has(self.ports) : true' - maxItems: 4096 - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - x-kubernetes-validations: - - message: hostname cannot be wildcard - rule: self != '*' - maxItems: 256 - minItems: 1 - type: array - location: - description: |- - Specify whether the service should be considered external to the mesh or part of the mesh. - - Valid Options: MESH_EXTERNAL, MESH_INTERNAL - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - maxLength: 256 - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - protocol: - description: The protocol exposed on the port. - maxLength: 256 - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. 
- maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - required: - - number - - name - type: object - maxItems: 256 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: port number cannot be duplicated - rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) - resolution: - description: |- - Service resolution mode for the hosts. - - Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard is not supported in selector - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - maxProperties: 256 - type: object - type: object - required: - - hosts - type: object - x-kubernetes-validations: - - message: only one of WorkloadSelector or Endpoints can be set - rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 - - message: CIDR addresses are allowed only for NONE/STATIC resolution - types - rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) - && (has(self.resolution) && self.resolution != ''STATIC'' && self.resolution - != ''NONE''))' - - message: NONE mode cannot set endpoints - rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? 
!has(self.endpoints) - : true' - - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints - rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') - ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. 
- type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: |- - When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. 
- maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: |- - The captureMode option dictates how traffic to the listener is expected to be captured (or not). 
- - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. 
- type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
- type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Set the default behavior of the sidecar for handling - outbound traffic from the application. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - description: |2- - - - Valid Options: REGISTRY_ONLY, ALLOW_ANY - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard is not supported in selector - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - maxProperties: 256 - type: object - type: object - type: object - status: - properties: - conditions: - description: Current service state of the resource. 
- items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. 
- See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: |- - When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. 
- format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. 
- properties: - interval: - description: The time duration between keep-alive probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: |- - The captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. 
- format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. 
- type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Set the default behavior of the sidecar for handling - outbound traffic from the application. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. 
- type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - description: |2- - - - Valid Options: REGISTRY_ONLY, ALLOW_ANY - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard is not supported in selector - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - maxProperties: 256 - type: object - type: object - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. 
- x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: |- - When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. 
- type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. 
- type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. 
- type: string - captureMode: - description: |- - The captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. 
- type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
- type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Set the default behavior of the sidecar for handling - outbound traffic from the application. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - description: |2- - - - Valid Options: REGISTRY_ONLY, ALLOW_ANY - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard is not supported in selector - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - maxProperties: 256 - type: object - type: object - type: object - status: - properties: - conditions: - description: Current service state of the resource. 
- items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. 
- type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. - type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. 
- properties: - mode: - description: |- - This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: |- - One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). - - Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: |- - Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. 
- - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: |- - Operation controls whether or not to update/add a tag, or to remove it. - - Valid Options: UPSERT, REMOVE - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') - == ''UPSERT'') ? self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') - == ''REMOVE'') ? !has(self.value) : true' - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - reportingInterval: - description: Optional. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. 
- type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - maxItems: 16 - type: array - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - minLength: 1 - type: string - required: - - name - type: object - header: - description: RequestHeader adds the value of an header - from the request to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - minLength: 1 - type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - minLength: 1 - type: string - required: - - value - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. 
- properties: - mode: - description: |- - This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected - for tracing if no prior sampling decision has been made. - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - x-kubernetes-validations: - - message: only one of targetRefs or selector can be set - rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. 
- x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. 
- type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. - properties: - mode: - description: |- - This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: |- - One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). - - Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: |- - Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. 
- - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: |- - Operation controls whether or not to update/add a tag, or to remove it. - - Valid Options: UPSERT, REMOVE - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') - == ''UPSERT'') ? self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') - == ''REMOVE'') ? !has(self.value) : true' - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - reportingInterval: - description: Optional. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. 
- maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. 
- type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - maxItems: 16 - type: array - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - minLength: 1 - type: string - required: - - name - type: object - header: - description: RequestHeader adds the value of an header - from the request to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - minLength: 1 - type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - minLength: 1 - type: string - required: - - value - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. 
- properties: - mode: - description: |- - This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected - for tracing if no prior sampling decision has been made. - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - x-kubernetes-validations: - - message: only one of targetRefs or selector can be set - rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. 
- x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. 
Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. 
- items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - unmatchedPreflights: - description: |- - Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. - - Valid Options: FORWARD, IGNORE - enum: - - UNSPECIFIED - - FORWARD - - IGNORE - type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. 
- maximum: 4294967295 - minimum: 0 - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. 
- properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. 
- type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
- oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. 
- type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. - items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. 
- oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: |- - On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. - - Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - maximum: 4294967295 - minimum: 0 - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. 
- type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. 
- format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. 
- format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. 
- type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. 
- nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - unmatchedPreflights: - description: |- - Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. - - Valid Options: FORWARD, IGNORE - enum: - - UNSPECIFIED - - FORWARD - - IGNORE - type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. 
- properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - fixedDelay: - description: Add a fixed delay before forwarding the - request. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. 
- items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: Query parameters for matching. 
- type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
- type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. - items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. 
- properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: |- - On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. - - Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - maximum: 4294967295 - minimum: 0 - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. 
- format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. 
- type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. 
- type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. 
- x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - unmatchedPreflights: - description: |- - Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. - - Valid Options: FORWARD, IGNORE - enum: - - UNSPECIFIED - - FORWARD - - IGNORE - type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. 
- oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. 
- properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. 
- type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
- oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. 
- type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. - items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. 
- oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: |- - On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. - - Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - maximum: 4294967295 - minimum: 0 - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. 
- type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. 
- type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. 
- format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. 
- format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. 
- type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: wasmplugins.extensions.istio.io -spec: - group: extensions.istio.io - names: - categories: - - istio-io - - extensions-istio-io - kind: WasmPlugin - listKind: WasmPluginList - plural: wasmplugins - singular: wasmplugin - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Extend the functionality provided by the Istio proxy through - WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' - properties: - failStrategy: - description: |- - Specifies the failure behavior for the plugin due to fatal errors. - - Valid Options: FAIL_CLOSE, FAIL_OPEN - enum: - - FAIL_CLOSE - - FAIL_OPEN - type: string - imagePullPolicy: - description: |- - The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. 
- - Valid Options: IfNotPresent, Always - enum: - - UNSPECIFIED_POLICY - - IfNotPresent - - Always - type: string - imagePullSecret: - description: Credentials to use for OCI image pulling. - maxLength: 253 - minLength: 1 - type: string - match: - description: Specifies the criteria to determine which traffic is - passed to WasmPlugin. - items: - properties: - mode: - description: |- - Criteria for selecting traffic by their direction. - - Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER - enum: - - UNDEFINED - - CLIENT - - SERVER - - CLIENT_AND_SERVER - type: string - ports: - description: Criteria for selecting traffic by their destination - port. - items: - properties: - number: - maximum: 65535 - minimum: 1 - type: integer - required: - - number - type: object - type: array - x-kubernetes-list-map-keys: - - number - x-kubernetes-list-type: map - type: object - type: array - phase: - description: |- - Determines where in the filter chain this `WasmPlugin` is to be injected. - - Valid Options: AUTHN, AUTHZ, STATS - enum: - - UNSPECIFIED_PHASE - - AUTHN - - AUTHZ - - STATS - type: string - pluginConfig: - description: The configuration that will be passed on to the plugin. - type: object - x-kubernetes-preserve-unknown-fields: true - pluginName: - description: The plugin name to be used in the Envoy configuration - (used to be called `rootID`). - maxLength: 256 - minLength: 1 - type: string - priority: - description: Determines ordering of `WasmPlugins` in the same `phase`. - format: int32 - nullable: true - type: integer - selector: - description: Criteria used to select the specific set of pods/VMs - on which this plugin configuration should be applied. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. 
- maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - sha256: - description: SHA256 checksum that will be used to verify Wasm module - or OCI container. - pattern: (^$|^[a-f0-9]{64}$) - type: string - targetRef: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. 
- maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - maxItems: 16 - type: array - type: - description: |- - Specifies the type of Wasm Extension to be used. - - Valid Options: HTTP, NETWORK - enum: - - UNSPECIFIED_PLUGIN_TYPE - - HTTP - - NETWORK - type: string - url: - description: URL of a Wasm module or OCI container. - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have schema one of [http, https, file, oci] - rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', - ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && - url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', - ''oci'', ''file''])' - verificationKey: - type: string - vmConfig: - description: Configuration for a Wasm VM. - properties: - env: - description: Specifies environment variables to be injected to - this VM. - items: - properties: - name: - description: Name of the environment variable. - maxLength: 256 - minLength: 1 - type: string - value: - description: Value for the environment variable. - maxLength: 2048 - type: string - valueFrom: - description: |- - Source for the environment variable's value. - - Valid Options: INLINE, HOST - enum: - - INLINE - - HOST - type: string - required: - - name - type: object - x-kubernetes-validations: - - message: value may only be set when valueFrom is INLINE - rule: '(has(self.valueFrom) ? 
self.valueFrom : '''') != ''HOST'' - || !has(self.value)' - maxItems: 256 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - url - type: object - x-kubernetes-validations: - - message: only one of targetRefs or selector can be set - rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. 
- type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? 
(self.substring(7,8) == ''/'' - || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? - !has(self.ports) : true' - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. 
- format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' - || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. 
- maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? - !has(self.ports) : true' - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. 
- type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' - || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. 
- maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? - !has(self.ports) : true' - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. 
- x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - name: workloadgroups.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - maxProperties: 256 - type: object - labels: - additionalProperties: - type: string - maxProperties: 256 - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - minLength: 1 - type: string - type: array - required: - - command - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - minimum: 0 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - pattern: ^[-_A-Za-z0-9]+$ - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. 
- maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - scheme: - type: string - x-kubernetes-validations: - - message: scheme must be one of [HTTP, HTTPS] - rule: self in ['', 'HTTP', 'HTTPS'] - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - minimum: 0 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - minimum: 0 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - minimum: 0 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - minimum: 0 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == - ''/'' || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') - : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. 
- maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) - ? !has(self.ports) : true' - required: - - template - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. 
- type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. 
- properties: - annotations: - additionalProperties: - type: string - maxProperties: 256 - type: object - labels: - additionalProperties: - type: string - maxProperties: 256 - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - minLength: 1 - type: string - type: array - required: - - command - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - minimum: 0 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - pattern: ^[-_A-Za-z0-9]+$ - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - scheme: - type: string - x-kubernetes-validations: - - message: scheme must be one of [HTTP, HTTPS] - rule: self in ['', 'HTTP', 'HTTPS'] - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. 
- format: int32 - minimum: 0 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - minimum: 0 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - minimum: 0 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - minimum: 0 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == - ''/'' || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') - : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. 
- maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) - ? !has(self.ports) : true' - required: - - template - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. 
- x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. 
- properties: - annotations: - additionalProperties: - type: string - maxProperties: 256 - type: object - labels: - additionalProperties: - type: string - maxProperties: 256 - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - minLength: 1 - type: string - type: array - required: - - command - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - minimum: 0 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - pattern: ^[-_A-Za-z0-9]+$ - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - scheme: - type: string - x-kubernetes-validations: - - message: scheme must be one of [HTTP, HTTPS] - rule: self in ['', 'HTTP', 'HTTPS'] - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. 
- format: int32 - minimum: 0 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - minimum: 0 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - minimum: 0 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - minimum: 0 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == - ''/'' || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') - : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. 
- maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) - ? !has(self.ports) : true' - required: - - template - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. 
- x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: istio-ingressgateway - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istio-ingressgateway - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istio-ingress-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway-service-account - namespace: istio-system - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: istio-reader - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istio-reader - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: base-1.24.3 - release: istio - name: istio-reader-service-account - namespace: istio-system - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - 
app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - release: istio - name: istiod - namespace: istio-system - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: istio-reader - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istio-reader - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - release: istio - name: istio-reader-clusterrole-istio-system -rules: -- apiGroups: - - config.istio.io - - security.istio.io - - networking.istio.io - - authentication.istio.io - - rbac.istio.io - - telemetry.istio.io - - extensions.istio.io - resources: - - '*' - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - endpoints - - pods - - services - - nodes - - replicationcontrollers - - namespaces - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - networking.istio.io - resources: - - workloadentries - verbs: - - get - - watch - - list -- apiGroups: - - networking.x-k8s.io - - gateway.networking.k8s.io - resources: - - gateways - verbs: - - get - - watch - - list -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - multicluster.x-k8s.io - resources: - - serviceexports - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - multicluster.x-k8s.io - resources: - - serviceimports - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - list - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - ---- -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - release: istio - name: istiod-clusterrole-istio-system -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - list - - watch - - update -- apiGroups: - - config.istio.io - - security.istio.io - - networking.istio.io - - authentication.istio.io - - rbac.istio.io - - telemetry.istio.io - - extensions.istio.io - resources: - - '*' - verbs: - - get - - watch - - list -- apiGroups: - - networking.istio.io - resources: - - workloadentries - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - networking.istio.io - resources: - - workloadentries/status - - serviceentries/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - security.istio.io - resources: - - authorizationpolicies/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - "" - resources: - - services/status - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - - nodes - - services - - namespaces - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - 
networking.k8s.io - resources: - - ingresses/status - verbs: - - '*' -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - get - - list - - watch - - update -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - gateway.networking.k8s.io - resources: - - '*' - verbs: - - get - - watch - - list -- apiGroups: - - gateway.networking.k8s.io - resources: - - backendtlspolicies/status - - gatewayclasses/status - - gateways/status - - grpcroutes/status - - httproutes/status - - referencegrants/status - - tcproutes/status - - tlsroutes/status - - udproutes/status - verbs: - - update - - patch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - verbs: - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - watch - - list -- apiGroups: - - multicluster.x-k8s.io - resources: - - serviceexports - verbs: - - get - - watch - - list - - create - - delete -- apiGroups: - - multicluster.x-k8s.io - resources: - - serviceimports - verbs: - - get - - watch - - list - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - release: istio - name: istiod-gateway-controller-istio-system -rules: -- apiGroups: - - apps - resources: - - deployments - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - "" - resources: - - services - verbs: - - get - - watch - - list - - update - - patch - - create - - delete -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - watch - - list - - update - - patch - - create - - delete - ---- 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: istio-reader - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istio-reader - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - release: istio - name: istio-reader-clusterrole-istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole-istio-system -subjects: -- kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - release: istio - name: istiod-clusterrole-istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole-istio-system -subjects: -- kind: ServiceAccount - name: istiod - namespace: istio-system - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - release: istio - name: istiod-gateway-controller-istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller-istio-system -subjects: -- kind: ServiceAccount - name: istiod - namespace: istio-system - ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - 
app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - istio: istiod - istio.io/rev: default - release: istio - name: istio-validator-istio-system -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: istiod - namespace: istio-system - path: /validate - failurePolicy: Ignore - name: rev.validation.istio.io - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - default - rules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - '*' - operations: - - CREATE - - UPDATE - resources: - - '*' - sideEffects: None - ---- -apiVersion: v1 -data: - mesh: |- - defaultConfig: - discoveryAddress: istiod.istio-system.svc:15012 - defaultProviders: - metrics: - - prometheus - enablePrometheusMerge: true - rootNamespace: istio-system - trustDomain: cluster.local - meshNetworks: 'networks: {}' -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio.io/rev: default - operator.istio.io/component: Pilot - release: istio - name: istio - namespace: istio-system - ---- -apiVersion: v1 -data: - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - defaultTemplates: [sidecar] - policy: enabled - alwaysInjectSelector: - [] - neverInjectSelector: - [] - injectedAnnotations: - template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" - templates: - sidecar: | - {{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset 
.ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - {{- end }} - {{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} - {{- $containers := list }} - {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} - metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} 
- service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - {{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - 
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} - {{- end }} - } - spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ 
.MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ .ProxyUID | default "1337" | quote }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations 
`traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ else if .Values.global.proxy_init.forceApplyIptables -}} - - "--force-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsUser: {{ .ProxyUID | default "1337" }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - 
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. 
*/}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: 
ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . 
}}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta 
`sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert 
mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - gateway: | - {{- $containers := list }} - {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} - metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - 
name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - 
fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain 
.Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
}} - {{- end }} - {{- end }} - grpc-simple: | - metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" - spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} - grpc-agent: | - {{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations 
`sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - {{- end }} - {{- $containers := list }} - {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} - metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. 
*/}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } - spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if 
.Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - 
{{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . 
}} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - {{- range $index, $container := .Spec.Containers }} - {{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: 
/var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
}} - {{- end }} - {{- end }} - waypoint: | - apiVersion: v1 - kind: ServiceAccount - metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} - --- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - 
(strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" - ) | nindent 8}} - spec: - {{- if .Values.global.waypoint.affinity }} - affinity: - {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.nodeSelector }} - nodeSelector: - {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.global.waypoint.tolerations }} - tolerations: - {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: 2 - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` 
.Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} 
- - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- if .Values.global.waypoint.resources }} - resources: - {{- toYaml .Values.global.waypoint.resources | nindent 10 }} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - {{- if not (eq .Values.global.platform "openshift") }} - runAsGroup: 1337 - runAsUser: 1337 - {{- end }} - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: 
istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - --- - apiVersion: v1 - kind: Service - metadata: - annotations: - {{ toJsonMap - (strdict "networking.istio.io/traffic-distribution" "PreferClose") - (omit .InfrastructureAnnotations - "kubectl.kubernetes.io/last-applied-configuration" - "gateway.istio.io/name-override" - "gateway.istio.io/service-account" - "gateway.istio.io/controller-version" - ) | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} - --- - kube-gateway: | - apiVersion: v1 - kind: ServiceAccount - metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit 
.InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} - --- - apiVersion: apps/v1 - kind: Deployment - metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" - spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - 
"gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - ports: - - containerPort: 15020 - name: metrics - protocol: TCP - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if 
.Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: 
"kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - 
mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
}} - {{- end }} - {{- end }} - --- - apiVersion: v1 - kind: Service - metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} - spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} - --- - values: |- - { - "gateways": { - "seccompProfile": {}, - "securityContext": {} - }, - "global": { - "caAddress": "", - "caName": "", - "certSigners": [], - "configCluster": false, - "configValidation": true, - "defaultPodDisruptionBudget": { - "enabled": true - }, - "defaultResources": { - "requests": { - "cpu": "10m" - } - }, - "externalIstiod": false, - "hub": "docker.io/istio", - "imagePullPolicy": "", - "imagePullSecrets": [], - "istioNamespace": "istio-system", - "istiod": { - "enableAnalysis": false - }, - "logAsJson": false, - "logging": { - "level": "default:info" - }, - "meshID": "", - "meshNetworks": {}, - "mountMtlsCerts": false, - "multiCluster": { - "clusterName": "", - "enabled": false - }, - "network": "", - "omitSidecarInjectorConfigMap": false, - "operatorManageWebhooks": false, - "pilotCertProvider": "istiod", - "priorityClassName": "", - "proxy": { - "autoInject": "enabled", - 
"clusterDomain": "cluster.local", - "componentLogLevel": "misc:error", - "excludeIPRanges": "", - "excludeInboundPorts": "", - "excludeOutboundPorts": "", - "image": "proxyv2", - "includeIPRanges": "*", - "includeInboundPorts": "*", - "includeOutboundPorts": "", - "logLevel": "warning", - "outlierLogPath": "", - "privileged": false, - "readinessFailureThreshold": 4, - "readinessInitialDelaySeconds": 0, - "readinessPeriodSeconds": 15, - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "10m", - "memory": "128Mi" - } - }, - "startupProbe": { - "enabled": true, - "failureThreshold": 600 - }, - "statusPort": 15020, - "tracer": "none" - }, - "proxy_init": { - "forceApplyIptables": false, - "image": "proxyv2" - }, - "remotePilotAddress": "", - "sds": { - "token": { - "aud": "istio-ca" - } - }, - "sts": { - "servicePort": 0 - }, - "tag": "1.24.3", - "variant": "", - "waypoint": { - "affinity": {}, - "nodeSelector": {}, - "resources": { - "limits": { - "cpu": "2", - "memory": "1Gi" - }, - "requests": { - "cpu": "100m", - "memory": "128Mi" - } - }, - "tolerations": [], - "topologySpreadConstraints": [] - } - }, - "pilot": { - "cni": { - "enabled": false, - "provider": "default" - } - }, - "revision": "", - "sidecarInjectorWebhook": { - "alwaysInjectSelector": [], - "defaultTemplates": [], - "enableNamespacesByDefault": false, - "injectedAnnotations": {}, - "neverInjectSelector": [], - "reinvocationPolicy": "Never", - "rewriteAppHTTPProbe": true, - "templates": {} - } - } -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio.io/rev: default - operator.istio.io/component: Pilot - release: istio - name: istio-sidecar-injector - namespace: istio-system - ---- -apiVersion: 
admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - labels: - app: sidecar-injector - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio.io/rev: default - operator.istio.io/component: Pilot - release: istio - name: istio-sidecar-injector -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: istiod - namespace: istio-system - path: /inject - port: 443 - failurePolicy: Fail - name: rev.namespace.sidecar-injector.istio.io - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - default - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - reinvocationPolicy: Never - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: istiod - namespace: istio-system - path: /inject - port: 443 - failurePolicy: Fail - name: rev.object.sidecar-injector.istio.io - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - default - reinvocationPolicy: Never - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: istiod - namespace: istio-system - path: /inject - port: 443 - failurePolicy: Fail - name: namespace.sidecar-injector.istio.io - namespaceSelector: - matchExpressions: - - 
key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - reinvocationPolicy: Never - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: istiod - namespace: istio-system - path: /inject - port: 443 - failurePolicy: Fail - name: object.sidecar-injector.istio.io - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - reinvocationPolicy: Never - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: istio-ingressgateway - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istio-ingressgateway - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istio-ingress-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - istio.io/rev: default - prometheus.io/path: /stats/prometheus - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - labels: - app: istio-ingressgateway - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: 
istio-ingressgateway - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - chart: gateways - helm.sh/chart: istio-ingress-1.24.3 - heritage: Tiller - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - service.istio.io/canonical-name: istio-ingressgateway - service.istio.io/canonical-revision: latest - sidecar.istio.io/inject: "false" - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: null - requiredDuringSchedulingIgnoredDuringExecution: null - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - istio-ingressgateway - topologyKey: failure-domain.beta.kubernetes.io/zone - weight: 100 - containers: - - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - env: - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: istio-ingressgateway - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway - - 
name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.24.3 - name: istio-proxy - ports: - - containerPort: 10001 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8443 - protocol: TCP - - containerPort: 15021 - protocol: TCP - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/credential-uds - name: credential-socket - - mountPath: /var/run/secrets/workload-spiffe-credentials - name: workload-certs - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/istio/config - name: config-volume - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/pod - name: podinfo - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - readOnly: true - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - readOnly: true - securityContext: - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - serviceAccountName: istio-ingressgateway-service-account - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: 
credential-socket - - emptyDir: {} - name: workload-certs - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: podinfo - - emptyDir: {} - name: istio-envoy - - emptyDir: {} - name: istio-data - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio - optional: true - name: config-volume - - name: ingressgateway-certs - secret: - optional: true - secretName: istio-ingressgateway-certs - - name: ingressgateway-ca-certs - secret: - optional: true - secretName: istio-ingressgateway-ca-certs - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio: pilot - istio.io/rev: default - operator.istio.io/component: Pilot - release: istio - name: istiod - namespace: istio-system -spec: - selector: - matchLabels: - istio: pilot - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio: pilot - istio.io/dataplane-mode: none - istio.io/rev: default - operator.istio.io/component: Pilot - sidecar.istio.io/inject: "false" - spec: - containers: - - args: - - discovery - - 
--monitoringAddr=:15014 - - --log_output_level=default:info - - --domain - - cluster.local - - --keepaliveMaxServerConnectionAge - - 30m - env: - - name: REVISION - value: default - - name: PILOT_CERT_PROVIDER - value: istiod - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - - name: CA_TRUSTED_NODE_ACCOUNTS - value: istio-system/ztunnel - - name: PILOT_TRACE_SAMPLING - value: "1" - - name: PILOT_ENABLE_ANALYSIS - value: "false" - - name: CLUSTER_ID - value: Kubernetes - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - divisor: "1" - resource: limits.cpu - - name: PLATFORM - value: "" - image: docker.io/istio/pilot:1.24.3 - name: discovery - ports: - - containerPort: 8080 - name: http-debug - protocol: TCP - - containerPort: 15010 - name: grpc-xds - protocol: TCP - - containerPort: 15012 - name: tls-xds - protocol: TCP - - containerPort: 15017 - name: https-webhooks - protocol: TCP - - containerPort: 15014 - name: http-monitoring - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - resources: - requests: - cpu: 100m - memory: 150Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/run/secrets/istio-dns - name: local-certs - - mountPath: /etc/cacerts - name: cacerts - readOnly: true - - mountPath: /var/run/secrets/remote - name: istio-kubeconfig - readOnly: true - - mountPath: /var/run/secrets/istiod/tls - 
name: istio-csr-dns-cert - readOnly: true - - mountPath: /var/run/secrets/istiod/ca - name: istio-csr-ca-configmap - readOnly: true - serviceAccountName: istiod - tolerations: - - key: cni.istio.io/not-ready - operator: Exists - volumes: - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: cacerts - secret: - optional: true - secretName: cacerts - - name: istio-kubeconfig - secret: - optional: true - secretName: istio-kubeconfig - - name: istio-csr-dns-cert - secret: - optional: true - secretName: istiod-tls - - configMap: - defaultMode: 420 - name: istio-ca-root-cert - optional: true - name: istio-csr-ca-configmap - ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - labels: - app: istio-ingressgateway - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istio-ingressgateway - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istio-ingress-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - minAvailable: 1 - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway - ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio: pilot - istio.io/rev: default - operator.istio.io/component: Pilot - release: istio - name: istiod - namespace: istio-system -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - istio: pilot - 
---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istio-ingressgateway - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istio-ingress-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway-sds - namespace: istio-system -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - watch - - list - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - release: istio - name: istiod - namespace: istio-system -rules: -- apiGroups: - - networking.istio.io - resources: - - gateways - verbs: - - create -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - watch - - list - - update - - delete -- apiGroups: - - "" - resources: - - configmaps - verbs: - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - update - - patch - - create - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istio-ingressgateway - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istio-ingress-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway-sds - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istio-ingressgateway-sds -subjects: -- kind: ServiceAccount - 
name: istio-ingressgateway-service-account - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - release: istio - name: istiod - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod -subjects: -- kind: ServiceAccount - name: istiod - namespace: istio-system - ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - labels: - app: istio-ingressgateway - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istio-ingressgateway - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istio-ingress-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - target: - averageUtilization: 80 - type: Utilization - type: Resource - minReplicas: 2 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway - ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio.io/rev: default - operator.istio.io/component: Pilot - release: istio - name: istiod - namespace: istio-system -spec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - target: - averageUtilization: 80 - type: Utilization - type: Resource - minReplicas: 2 - 
scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod - ---- -apiVersion: v1 -kind: Service -metadata: - annotations: null - labels: - app: istio-ingressgateway - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istio-ingressgateway - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istio-ingress-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - ports: - - name: httpd-healthcheck - port: 10001 - targetPort: 10001 - - name: http - port: 80 - targetPort: 8080 - - name: https - port: 443 - targetPort: 8443 - - name: status-port - port: 15021 - targetPort: 15021 - selector: - app: istio-ingressgateway - istio: ingressgateway - type: LoadBalancer - ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: istiod - app.kubernetes.io/instance: istio - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: istiod - app.kubernetes.io/part-of: istio - app.kubernetes.io/version: 1.24.3 - helm.sh/chart: istiod-1.24.3 - install.operator.istio.io/owning-resource: unknown - istio: pilot - istio.io/rev: default - operator.istio.io/component: Pilot - release: istio - name: istiod - namespace: istio-system -spec: - ports: - - name: grpc-xds - port: 15010 - protocol: TCP - - name: https-dns - port: 15012 - protocol: TCP - - name: https-webhook - port: 443 - protocol: TCP - targetPort: 15017 - - name: http-monitoring - port: 15014 - protocol: TCP - selector: - app: istiod - istio: pilot - ---- diff --git a/kubernetes/istio/istio-operator.yml b/kubernetes/istio/istio-operator.yml deleted file mode 100644 index afc7209..0000000 --- a/kubernetes/istio/istio-operator.yml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - namespace: istio-system -spec: - profile: default - components: - ingressGateways: - - enabled: true - name: istio-ingressgateway - k8s: - hpaSpec: - minReplicas: 2 # default 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - service: - ports: - # Whatever is listed as the first port in a Service of - # type LoadBalancer is picked to be the port used for - # health checks. 10001 is the port of httpd-healthcheck. - - name: httpd-healthcheck - port: 10001 - targetPort: 10001 - - name: http - port: 80 - targetPort: 8080 - - name: https - port: 443 - targetPort: 8443 - # Istio readiness port of gateways - - name: status-port - port: 15021 - targetPort: 15021 - pilot: - k8s: - hpaSpec: - minReplicas: 2 - resources: - requests: - cpu: 100m - memory: 150Mi - values: - gateways: - istio-egressgateway: - enabled: false - istio-ingressgateway: - enabled: true - podAntiAffinityTermLabelSelector: - - key: app - operator: In - values: istio-ingressgateway - topologyKey: "failure-domain.beta.kubernetes.io/zone" - global: - configValidation: true - defaultPodDisruptionBudget: - enabled: true - defaultResources: - requests: - cpu: 10m - proxy: - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 10m - memory: 128Mi diff --git a/kubernetes/metallb/README.md b/kubernetes/metallb/README.md deleted file mode 100644 index 7d274fb..0000000 --- a/kubernetes/metallb/README.md +++ /dev/null 
@@ -1,27 +0,0 @@ -[[Back to Index Page](../README.md)] - -# MetalLB - -See https://metallb.org/ - -## What's so great about MetalLB? - -Kubernetes does not offer an implementation of network load-balancers (Services of type LoadBalancer) for bare metal clusters. - -MetalLB aims to redress this imbalance by offering a network LB implementation that integrates with standard network equipment, so that external services on bare metal clusters "just work". - -## Install MetalLB - -Enable strict ARP mode. - -```bash -kubectl get configmap kube-proxy -n kube-system -o yaml | \ -sed -e "s/strictARP: false/strictARP: true/" | \ -kubectl apply -f - -n kube-system -``` - -Update the config map [`metallb-config-map.yml`](./metallb-config-map.yml) and specify the IP address range. Deploy MetalLB network load-balancer: - -```bash -kubectl apply -f ./metallb -``` diff --git a/kubernetes/metallb/helm-values.yaml b/kubernetes/metallb/helm-values.yaml new file mode 100644 index 0000000..7b0d30b --- /dev/null +++ b/kubernetes/metallb/helm-values.yaml @@ -0,0 +1,18 @@ +--- +controller: + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 10m + memory: 32Mi +speaker: + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 10m + memory: 32Mi +... diff --git a/kubernetes/metallb/ipaddresspool.yml b/kubernetes/metallb/ipaddresspool.yml new file mode 100644 index 0000000..c96cd6e --- /dev/null +++ b/kubernetes/metallb/ipaddresspool.yml @@ -0,0 +1,18 @@ +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: homelab-pool + namespace: metallb-system +spec: + addresses: + - 10.11.1.51-10.11.1.59 +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: homelab-pool + namespace: metallb-system + ipAddressPools: + - homelab-pool +... diff --git a/kubernetes/metallb/metallb-config-map.yml b/kubernetes/metallb/metallb-config-map.yml deleted file mode 100644 index 5e328d1..0000000 
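Review bot: In the new `kubernetes/metallb/ipaddresspool.yml` the `L2Advertisement` document has no `spec:` key; as rendered here `ipAddressPools: - homelab-pool` directly follows `namespace: metallb-system` under `metadata`, which is not a valid field there. Depending on server-side validation the manifest is either rejected or the pool reference is dropped, in which case the advertisement silently applies to every pool. The fix is to place it under `spec:`, i.e. `spec:` / `  ipAddressPools:` / `    - homelab-pool`, mirroring the `spec: addresses:` layout of the `IPAddressPool` above it. Indentation is lost in this view, so confirm against the file.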
--- a/kubernetes/metallb/metallb-config-map.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: config - namespace: metallb-system - labels: - app: metallb -data: - config: | - address-pools: - - name: default - protocol: layer2 - addresses: - - 10.11.1.51-10.11.1.59 diff --git a/kubernetes/metallb/metallb-deployment.yml b/kubernetes/metallb/metallb-deployment.yml deleted file mode 100644 index ab75a82..0000000 --- a/kubernetes/metallb/metallb-deployment.yml +++ /dev/null 
@@ -1,498 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - labels: - app: metallb - name: controller - namespace: metallb-system -spec: - allowPrivilegeEscalation: false - allowedCapabilities: [] - allowedHostPaths: [] - defaultAddCapabilities: [] - defaultAllowPrivilegeEscalation: false - fsGroup: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - hostIPC: false - hostNetwork: false - hostPID: false - privileged: false - readOnlyRootFilesystem: true - requiredDropCapabilities: - - ALL - runAsUser: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - seLinux: - rule: RunAsAny - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - volumes: - - configMap - - secret - - emptyDir ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - labels: - app: metallb - name: speaker - namespace: metallb-system -spec: - allowPrivilegeEscalation: false - allowedCapabilities: - - NET_RAW - allowedHostPaths: [] - defaultAddCapabilities: [] - defaultAllowPrivilegeEscalation: false - fsGroup: - rule: RunAsAny - hostIPC: false - hostNetwork: true - hostPID: false - hostPorts: - - max: 7472 - min: 7472 - - max: 7946 - min: 7946 - privileged: true - readOnlyRootFilesystem: true - requiredDropCapabilities: - - ALL - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - configMap - - secret - - emptyDir ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: metallb - name: controller - namespace: metallb-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: metallb - name: speaker - namespace: metallb-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: metallb - name: metallb-system:controller -rules: -- apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - '' - resources: - - services/status - verbs: - - update -- apiGroups: - - '' - 
resources: - - events - verbs: - - create - - patch -- apiGroups: - - policy - resourceNames: - - controller - resources: - - podsecuritypolicies - verbs: - - use ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: metallb - name: metallb-system:speaker -rules: -- apiGroups: - - '' - resources: - - services - - endpoints - - nodes - verbs: - - get - - list - - watch -- apiGroups: ["discovery.k8s.io"] - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - '' - resources: - - events - verbs: - - create - - patch -- apiGroups: - - policy - resourceNames: - - speaker - resources: - - podsecuritypolicies - verbs: - - use ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app: metallb - name: config-watcher - namespace: metallb-system -rules: -- apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app: metallb - name: pod-lister - namespace: metallb-system -rules: -- apiGroups: - - '' - resources: - - pods - verbs: - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app: metallb - name: controller - namespace: metallb-system -rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - create -- apiGroups: - - '' - resources: - - secrets - resourceNames: - - memberlist - verbs: - - list -- apiGroups: - - apps - resources: - - deployments - resourceNames: - - controller - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: metallb - name: metallb-system:controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: metallb-system:controller -subjects: -- kind: ServiceAccount - name: controller - namespace: metallb-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: metallb - 
name: metallb-system:speaker -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: metallb-system:speaker -subjects: -- kind: ServiceAccount - name: speaker - namespace: metallb-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: metallb - name: config-watcher - namespace: metallb-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: config-watcher -subjects: -- kind: ServiceAccount - name: controller -- kind: ServiceAccount - name: speaker ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: metallb - name: pod-lister - namespace: metallb-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: pod-lister -subjects: -- kind: ServiceAccount - name: speaker ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app: metallb - name: controller - namespace: metallb-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: controller -subjects: -- kind: ServiceAccount - name: controller ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - app: metallb - component: speaker - name: speaker - namespace: metallb-system -spec: - selector: - matchLabels: - app: metallb - component: speaker - template: - metadata: - annotations: - prometheus.io/port: '7472' - prometheus.io/scrape: 'true' - labels: - app: metallb - component: speaker - spec: - containers: - - args: - - --port=7472 - - --config=config - - --log-level=info - env: - - name: METALLB_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: METALLB_HOST - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: METALLB_ML_BIND_ADDR - valueFrom: - fieldRef: - fieldPath: status.podIP - # needed when another software is also using memberlist / port 7946 - # when changing this default you also need to update the container ports definition - # and the PodSecurityPolicy hostPorts definition 
- #- name: METALLB_ML_BIND_PORT - # value: "7946" - - name: METALLB_ML_LABELS - value: "app=metallb,component=speaker" - - name: METALLB_ML_SECRET_KEY - valueFrom: - secretKeyRef: - name: memberlist - key: secretkey - image: quay.io/metallb/speaker:v0.12.1 - imagePullPolicy: IfNotPresent - name: speaker - ports: - - containerPort: 7472 - name: monitoring - - containerPort: 7946 - name: memberlist-tcp - - containerPort: 7946 - name: memberlist-udp - protocol: UDP - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 11m - memory: 64Mi - livenessProbe: - httpGet: - path: /metrics - port: monitoring - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /metrics - port: monitoring - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_RAW - drop: - - ALL - readOnlyRootFilesystem: true - hostNetwork: true - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: speaker - terminationGracePeriodSeconds: 2 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Exists ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: metallb - component: controller - name: controller - namespace: metallb-system -spec: - revisionHistoryLimit: 3 - selector: - matchLabels: - app: metallb - component: controller - template: - metadata: - annotations: - prometheus.io/port: '7472' - prometheus.io/scrape: 'true' - labels: - app: metallb - component: controller - spec: - containers: - - args: - - --port=7472 - - --config=config - - --log-level=info - env: - - name: METALLB_ML_SECRET_NAME - value: memberlist - - name: METALLB_DEPLOYMENT - value: controller - image: quay.io/metallb/controller:v0.12.1 - imagePullPolicy: IfNotPresent - name: controller - ports: - - containerPort: 7472 - name: 
monitoring - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 10m - memory: 36Mi - livenessProbe: - httpGet: - path: /metrics - port: monitoring - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /metrics - port: monitoring - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - nodeSelector: - kubernetes.io/os: linux - securityContext: - runAsNonRoot: true - runAsUser: 65534 - fsGroup: 65534 - serviceAccountName: controller - terminationGracePeriodSeconds: 0 diff --git a/kubernetes/metallb/metallb-secret.yml b/kubernetes/metallb/metallb-secret.yml deleted file mode 100644 index d6f65d8..0000000 --- a/kubernetes/metallb/metallb-secret.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: memberlist - namespace: metallb-system - labels: - app: metallb -type: Opaque -data: - # Secret generated using: openssl rand -base64 128 - secretkey: >- - ellVL3IyekRnYlVKR2dMUWsvTzFGMmxkOUtYVUdNRXFiKzlLSVU3ZXNyODdnNmlnZGU0U1pyZzNycmNGOGVoYgpIWUtIaDJhVG1FWWtqREhQUTRlOEFGMjlvT2pBQU1jWHowQ2s5NFVxTGordi9paWQyR3RQK2YxZUpIaThiVUZrCjNSaCtSWlJHM2l4bnRiTE1NcExwUmN4bysxc21ydS9WcEtEUnNSV1I0Ync9 diff --git a/kubernetes/metallb/namespace.yml b/kubernetes/metallb/namespace.yml deleted file mode 100644 index 82d8171..0000000 --- a/kubernetes/metallb/namespace.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: metallb-system - labels: - app: metallb diff --git a/terraform/resources-cni/.gitignore b/terraform/resources-cni/.gitignore new file mode 100644 index 0000000..9e604fc --- /dev/null +++ b/terraform/resources-cni/.gitignore @@ -0,0 +1 @@ +**/.terraform/* 
diff --git a/terraform/resources-cni/backend.tf b/terraform/resources-cni/backend.tf
new file mode 100644
index 0000000..46d1240
--- /dev/null
+++ b/terraform/resources-cni/backend.tf
@@ -0,0 +1,10 @@
+terraform {
+ backend "s3" {
+ region = "eu-west-2"
+ bucket = "terraform-homelab-remote-state"
+ key = "resources-cni.tfstate"
+ dynamodb_table = "terraform-homelab-remote-state-lock"
+ encrypt = true
+ profile = "terraform_homelab"
+ }
+}
diff --git a/terraform/resources-cni/k8s-calico.tf b/terraform/resources-cni/k8s-calico.tf
new file mode 100644
index 0000000..b7b390e
--- /dev/null
+++ b/terraform/resources-cni/k8s-calico.tf
@@ -0,0 +1,13 @@
+# helm pull projectcalico/tigera-operator --untar --untardir tigera-operator
+resource "helm_release" "calico" {
+ name = "calico"
+ chart = "tigera-operator"
+ repository = "https://docs.tigera.io/calico/charts"
+ namespace = "tigera-operator"
+ create_namespace = true
+ version = "v3.30.2"
+
+ values = [
+ file("../../kubernetes/calico/helm-values.yaml")
+ ]
+}
diff --git a/terraform/resources-cni/provider.tf b/terraform/resources-cni/provider.tf
new file mode 100644
index 0000000..d1cee21
--- /dev/null
+++ b/terraform/resources-cni/provider.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "5.100.0"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = "3.0.0"
+ }
+ }
+}
+
+provider "helm" {
+ kubernetes = {
+ config_path = "~/.kube/config"
+ }
+}
diff --git a/terraform/resources-core/.gitignore b/terraform/resources-core/.gitignore
new file mode 100644
index 0000000..9e604fc
--- /dev/null
+++ b/terraform/resources-core/.gitignore
@@ -0,0 +1 @@
+**/.terraform/*
diff --git a/terraform/resources-core/backend.tf b/terraform/resources-core/backend.tf
new file mode 100644
index 0000000..ca4e353
--- /dev/null
+++ b/terraform/resources-core/backend.tf
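Review bot: `terraform/resources-cni/provider.tf` pins `hashicorp/aws` in `required_providers`, but no `provider "aws"` block or AWS resource appears in the visible files of this stack, and the S3 backend in `backend.tf` uses its own `profile` rather than the provider. Unless an AWS resource exists elsewhere, the `aws = { ... }` entry is dead configuration that still gets downloaded and lock-filed on `terraform init`; drop it or add a one-line comment saying why it is kept. The same pattern appears in `terraform/resources-core/provider.tf` at the end of this diff. The hard-coded `config_path = "~/.kube/config"` in both stacks also deserves a comment noting it targets whichever context is current in that file, e.g. `# NOTE: uses the current-context of the local kubeconfig; set KUBE_CONFIG_PATH / a variable for CI`.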
@@ -0,0 +1,10 @@
+terraform {
+ backend "s3" {
+ region = "eu-west-2"
+ bucket = "terraform-homelab-remote-state"
+ key = "resources-core.tfstate"
+ dynamodb_table = "terraform-homelab-remote-state-lock"
+ encrypt = true
+ profile = "terraform_homelab"
+ }
+}
diff --git a/terraform/resources-core/k8s-httpd-healthcheck.tf b/terraform/resources-core/k8s-httpd-healthcheck.tf
new file mode 100644
index 0000000..860c8b3
--- /dev/null
+++ b/terraform/resources-core/k8s-httpd-healthcheck.tf
@@ -0,0 +1,22 @@
+resource "kubernetes_namespace" "httpd-healthcheck" {
+ metadata {
+ name = "httpd-healthcheck"
+ labels = {
+ istio-injection = "enabled"
+ }
+ }
+}
+
+data "kubectl_path_documents" "httpd_healthcheck" {
+ pattern = "../../kubernetes/httpd-healthcheck/*.yml"
+ disable_template = true
+}
+
+resource "kubectl_manifest" "httpd_healthcheck" {
+ for_each = data.kubectl_path_documents.httpd_healthcheck.manifests
+ yaml_body = each.value
+
+ depends_on = [
+ kubernetes_namespace.httpd-healthcheck
+ ]
+}
diff --git a/terraform/resources-core/k8s-istio.tf b/terraform/resources-core/k8s-istio.tf
new file mode 100644
index 0000000..9fa8dda
--- /dev/null
+++ b/terraform/resources-core/k8s-istio.tf
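Review bot: Resource naming is mixed in `k8s-httpd-healthcheck.tf`: the namespace is `kubernetes_namespace.httpd-healthcheck` while the data source and manifest are `httpd_healthcheck`, and `k8s-istio.tf` below uses hyphenated names (`istio-system`, `istio-base`, `istio-ingress`) next to the underscored `metallb` in `k8s-metallb.tf`. Terraform accepts hyphens, but the convention is underscores and the mix makes references such as `kubernetes_namespace.httpd-healthcheck` easy to mistype; renaming to `httpd_healthcheck` here and updating the `depends_on` entry keeps one style across the stack. Renaming an already-applied resource needs a `moved {}` block or a state move, so do it before this stack is first applied if possible.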
@@ -0,0 +1,50 @@
+resource "kubernetes_namespace" "istio-system" {
+ metadata {
+ name = "istio-system"
+ }
+}
+
+# https://istio.io/latest/docs/setup/install/helm/
+resource "helm_release" "istio-base" {
+ name = "istio-base"
+ chart = "base"
+ repository = "https://istio-release.storage.googleapis.com/charts"
+ namespace = kubernetes_namespace.istio-system.metadata[0].name
+ version = "1.26.2"
+}
+
+resource "helm_release" "istiod" {
+ name = "istiod"
+ chart = "istiod"
+ repository = "https://istio-release.storage.googleapis.com/charts"
+ namespace = helm_release.istio-base.namespace
+ version = "1.26.2"
+
+ values = [
+ file("../../kubernetes/istio/helm-istiod-values.yaml")
+ ]
+}
+
+resource "kubernetes_namespace" "istio-ingress" {
+ metadata {
+ name = "istio-ingress"
+ labels = {
+ istio-injection = "enabled"
+ }
+ }
+}
+
+resource "helm_release" "istio-ingress" {
+ name = "istio-ingress"
+ chart = "gateway"
+ repository = "https://istio-release.storage.googleapis.com/charts"
+ namespace = kubernetes_namespace.istio-ingress.metadata[0].name
+ version = "1.26.2"
+ values = [
+ file("../../kubernetes/istio/helm-ingressgateway-values.yaml")
+ ]
+
+ depends_on = [
+ helm_release.istiod
+ ]
+}
diff --git a/terraform/resources-core/k8s-metallb.tf b/terraform/resources-core/k8s-metallb.tf
new file mode 100644
index 0000000..454a889
--- /dev/null
+++ b/terraform/resources-core/k8s-metallb.tf
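Review bot: `helm_release.istio-ingress` depends only on `helm_release.istiod`, yet the gateway's Service was previously `type: LoadBalancer` (see the removed istio manifests earlier in this diff), and `helm_release` waits by default for a LoadBalancer Service to obtain an external address; if Terraform applies this release before `kubectl_manifest.metallb` in `k8s-metallb.tf` has created the address pool, the release can time out on first apply. Adding `kubectl_manifest.metallb` to the `depends_on` list makes the ordering explicit, assuming the gateway values file (not in this diff) keeps the LoadBalancer type. The removed IstioOperator also relied on the `httpd-healthcheck` port 10001 being listed first so the load balancer health-checks it; confirm `helm-ingressgateway-values.yaml` preserves that ordering, and consider a comment next to `values = [` recording the requirement. Finally, `version = "1.26.2"` is repeated three times; a `locals { istio_version = "1.26.2" }` keeps the three charts from drifting apart on upgrade.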
@@ -0,0 +1,27 @@
+resource "helm_release" "metallb" {
+ name = "metallb"
+ chart = "metallb"
+ repository = "https://metallb.github.io/metallb"
+ namespace = "metallb-system"
+ create_namespace = true
+ version = "0.15.2"
+
+ values = [
+ file("../../kubernetes/metallb/helm-values.yaml")
+ ]
+}
+
+data "kubectl_path_documents" "metallb" {
+ pattern = "../../kubernetes/metallb/*.yml"
+ disable_template = true
+}
+
+# MetalLB remains idle until configured
+resource "kubectl_manifest" "metallb" {
+ for_each = data.kubectl_path_documents.metallb.manifests
+ yaml_body = each.value
+
+ depends_on = [
+ helm_release.metallb
+ ]
+}
diff --git a/terraform/resources-core/provider.tf b/terraform/resources-core/provider.tf
new file mode 100644
index 0000000..cc36c84
--- /dev/null
+++ b/terraform/resources-core/provider.tf
@@ -0,0 +1,36 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "5.100.0"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = "3.0.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "2.37.1"
+ }
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = "1.19.0"
+ }
+ }
+}
+
+provider "helm" {
+ kubernetes = {
+ config_path = "~/.kube/config"
+ }
+}
+
+provider "kubernetes" {
+ config_path = "~/.kube/config"
+}
+
+provider "kubectl" {
+ apply_retry_count = 5
+ config_path = "~/.kube/config"
+ load_config_file = true
+}
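Review bot: The comment `# MetalLB remains idle until configured` above `kubectl_manifest.metallb` does not say what the configuration depends on; the `depends_on = [helm_release.metallb]` is what guarantees the `metallb.io` CRDs and the validating webhook exist before `ipaddresspool.yml` is applied, and `apply_retry_count = 5` in `provider.tf` is what absorbs the webhook-not-ready window right after the release. A comment such as `# Pool/advertisement CRs need the chart's CRDs and webhook; depends_on plus the provider's apply_retry_count cover the readiness gap` would make both choices intentional. Separately, this commit deletes `metallb-secret.yml`, which carried a base64 `memberlist` key committed to the repository; the chart now manages that secret, but the removed value stays in git history, so treat it as exposed and make sure nothing else still references it.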