From 3cc8e7c3a8db6a4b2f70bed69609d4575d518b46 Mon Sep 17 00:00:00 2001
From: Dave Protasowski
Date: Wed, 19 Jun 2024 08:12:21 -0400
Subject: [PATCH] bump istio 1.22.1 (#1336)
---
 go.mod | 6 +-
 go.sum | 8 +-
 .../istio-latest/generate-manifests.sh | 2 +-
 .../istio-latest/istio-ci-ambient/istio.yaml | 7535 ++++++++++++----
 .../istio-latest/istio-ci-mesh/istio.yaml | 7873 +++++++++++++----
 .../istio-latest/istio-ci-no-mesh/istio.yaml | 7873 +++++++++++++----
 .../istio-kind-ambient/istio.yaml | 7535 ++++++++++++----
 .../istio-kind-no-mesh/istio.yaml | 7873 +++++++++++++----
 .../api/analysis/v1alpha1/message.pb.go | 2 +-
 .../istio.io/api/meta/v1alpha1/status.pb.go | 2 +-
 .../networking/v1beta1/destination_rule.pb.go | 410 +-
 .../networking/v1beta1/destination_rule.proto | 284 +-
 .../api/networking/v1beta1/gateway.pb.go | 353 +-
 .../api/networking/v1beta1/gateway.proto | 242 +-
 .../api/networking/v1beta1/proxy_config.pb.go | 6 +-
 .../networking/v1beta1/proxy_config.pb.html | 4 +-
 .../api/networking/v1beta1/proxy_config.proto | 4 +-
 .../networking/v1beta1/service_entry.pb.go | 370 +-
 .../networking/v1beta1/service_entry.proto | 368 +-
 .../api/networking/v1beta1/sidecar.pb.go | 203 +-
 .../api/networking/v1beta1/sidecar.proto | 201 +-
 .../networking/v1beta1/virtual_service.pb.go | 762 +-
 .../networking/v1beta1/virtual_service.proto | 650 +-
 .../networking/v1beta1/workload_entry.pb.go | 121 +-
 .../networking/v1beta1/workload_entry.proto | 119 +-
 .../networking/v1beta1/workload_group.pb.go | 42 +-
 .../networking/v1beta1/workload_group.proto | 40 +-
 .../istio.io/api/type/v1beta1/selector.pb.go | 16 +-
 .../api/type/v1beta1/selector.pb.html | 14 +-
 .../istio.io/api/type/v1beta1/selector.proto | 14 +-
 .../pkg/apis/networking/v1beta1/types.gen.go | 7 +
 vendor/modules.txt | 8 +-
 32 files changed, 29944 insertions(+), 13003 deletions(-)
diff --git a/go.mod b/go.mod
index e849075589..b6af70a5d2 100644
--- a/go.mod
+++ b/go.mod
@@ -1,14 +1,14 @@
 module knative.dev/net-istio
-go 1.21
+go 1.22
 require (
 github.com/google/go-cmp v0.6.0
 go.uber.org/zap v1.27.0
 golang.org/x/sync v0.7.0
 google.golang.org/protobuf v1.34.1
- istio.io/api v1.21.1
- istio.io/client-go v1.21.1
+ istio.io/api v1.22.1-0.20240524024004-b6815be0740d
+ istio.io/client-go v1.22.1
 k8s.io/api v0.29.2
 k8s.io/apimachinery v0.29.2
 k8s.io/client-go v0.29.2
diff --git a/go.sum b/go.sum
index eefbde8170..20a6def70c 100644
--- a/go.sum
+++ b/go.sum
@@ -660,10 +660,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-istio.io/api v1.21.1 h1:CvpPFvJ6Mv/PUVoiVJBX7seZ90f0Sxu3g4jYVno+IqA=
-istio.io/api v1.21.1/go.mod h1:TFCMUCAHRjxBv1CsIsFCsYHPHi4axVI4vdIzVr8eFjY=
-istio.io/client-go v1.21.1 h1:gAZCeG4pV2o2L6WaD/MLruNB+tBxa+Y21BuRJmFYlAI=
-istio.io/client-go v1.21.1/go.mod h1:mqwsapfu4b1FG47puY9H8y4+ga1+d+hxfdosNQ1HclY=
+istio.io/api v1.22.1-0.20240524024004-b6815be0740d h1:2GncSQ55NOr91NYPmi0jqhVM7z7/xswJsD96dQMkN38=
+istio.io/api v1.22.1-0.20240524024004-b6815be0740d/go.mod h1:S3l8LWqNYS9yT+d4bH+jqzH2lMencPkW7SKM1Cu9EyM=
+istio.io/client-go v1.22.1 h1:78BUMxytD0muwpwHdcA9qTOTJXN0jib0mXmNLdXxj0c=
+istio.io/client-go v1.22.1/go.mod h1:Z2QE9uMt6tDVyrmiLfLVhutbqtfUkPJ7A5Uw/p6gNFo=
 k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
 k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0=
 k8s.io/apiextensions-apiserver v0.29.2 h1:UK3xB5lOWSnhaCk0RFZ0LUacPZz9RY4wi/yt2Iu+btg=
diff --git a/third_party/istio-latest/generate-manifests.sh b/third_party/istio-latest/generate-manifests.sh
index a99aafe81b..eacdef9891 100755
--- a/third_party/istio-latest/generate-manifests.sh
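Review bot: The go.mod hunk also raises the `go` directive from `go 1.21` to `go 1.22`, a language-version change (per-iteration loop variables, a 1.22 minimum toolchain for anyone building the module) that the commit title "bump istio 1.22.1" does not mention; it should be stated in the description or confirmed against the CI toolchain. The new `istio.io/api` requirement is a pseudo-version, `istio.io/api v1.22.1-0.20240524024004-b6815be0740d`, while `istio.io/client-go` is the tagged `v1.22.1`; that commit pin is presumably what client-go v1.22.1 itself requires, but if a tagged api release satisfies it, the tag is easier to audit and track for advisories than a bare commit hash. The same pin is recorded in the go.sum hunk and, per the diffstat, in vendor/modules.txt.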
+++ b/third_party/istio-latest/generate-manifests.sh @@ -16,4 +16,4 @@ source "$(dirname $0)/../library.sh" -generate "1.21.1" "$(dirname $0)" +generate "1.22.1" "$(dirname $0)" diff --git a/third_party/istio-latest/istio-ci-ambient/istio.yaml b/third_party/istio-latest/istio-ci-ambient/istio.yaml index c583d26c15..30d832b522 100644 --- a/third_party/istio-latest/istio-ci-ambient/istio.yaml +++ b/third_party/istio-latest/istio-ci-ambient/istio.yaml @@ -136,6 +136,8 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io + - extensions.istio.io resources: - '*' verbs: @@ -678,10 +680,21 @@ spec: kind: AuthorizationPolicy listKind: AuthorizationPolicyList plural: authorizationpolicies + shortNames: + - ap singular: authorizationpolicy scope: Namespaced versions: - - name: v1 + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: @@ -696,7 +709,10 @@ spec: - provider properties: action: - description: Optional. + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY @@ -857,7 +873,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -872,6 +887,24 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: object status: type: object @@ -881,7 +914,16 @@ spec: storage: false subresources: status: {} - - name: v1beta1 + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 schema: openAPIV3Schema: properties: @@ -896,7 +938,10 @@ spec: - provider properties: action: - description: Optional. + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY @@ -1057,7 +1102,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -1072,6 +1116,24 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: object status: type: object @@ -1117,7 +1179,7 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha3 + name: v1 schema: openAPIV3Schema: properties: @@ -1153,7 +1215,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1210,6 +1275,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -1290,16 +1357,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: 
@@ -1317,6 +1387,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1345,6 +1417,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1364,6 +1438,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -1371,10 +1447,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1402,7 +1482,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1459,6 +1542,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
@@ -1539,16 +1624,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -1566,6 +1654,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1594,6 +1684,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1613,6 +1705,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -1620,10 +1714,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1645,6 +1743,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: 
@@ -1653,6 +1753,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -1664,7 +1767,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -1689,7 +1795,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -1701,6 +1810,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -1712,7 +1824,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -1742,6 +1857,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost 
@@ -1761,7 +1878,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1818,6 +1938,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -1898,16 +2020,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -1925,6 +2050,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1953,6 +2080,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1972,6 +2101,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: 
@@ -1979,10 +2110,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -2010,7 +2145,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -2067,6 +2205,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2147,16 +2287,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2174,6 +2317,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object 
@@ -2202,6 +2347,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2221,6 +2368,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -2228,10 +2377,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -2253,6 +2406,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -2261,6 +2416,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2272,7 +2430,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE 
@@ -2297,7 +2458,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -2309,6 +2473,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2320,7 +2487,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2350,6 +2520,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost @@ -2373,7 +2545,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -2385,7 +2557,7 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1alpha3 schema: openAPIV3Schema: properties: @@ -2421,7 +2593,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE 
@@ -2478,6 +2653,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2558,16 +2735,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2585,6 +2765,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -2613,6 +2795,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2632,6 +2816,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -2639,10 +2825,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: 
@@ -2670,7 +2860,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -2727,6 +2920,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2807,16 +3002,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2834,6 +3032,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -2862,6 +3062,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2881,6 +3083,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: 
@@ -2888,10 +3092,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -2913,6 +3121,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -2921,6 +3131,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2932,7 +3145,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2957,7 +3173,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 
@@ -2969,6 +3188,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2980,7 +3202,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -3010,6 +3235,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost @@ -3029,7 +3256,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -3086,6 +3316,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
@@ -3166,16 +3398,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -3193,6 +3428,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -3221,6 +3458,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -3240,6 +3479,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -3247,10 +3488,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -3278,7 +3523,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE 
@@ -3335,6 +3583,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -3415,16 +3665,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -3442,6 +3695,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -3470,6 +3725,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -3489,6 +3746,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -3496,10 +3755,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: 
@@ -3521,6 +3784,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -3529,6 +3794,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -3540,7 +3808,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -3565,7 +3836,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -3577,6 +3851,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string 
@@ -3588,7 +3865,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -3618,6 +3898,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost 
@@ -3644,239 +3926,1658 @@ spec: storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 schema: openAPIV3Schema: properties: spec: - description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' properties: - configPatches: - description: One or more patches with match conditions. + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. 
+ type: string + subsets: + description: One or more named sets that represent individual versions of a service. items: properties: - applyTo: - description: Specifies where in the Envoy configuration, the patch should be applied. - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service in the service registry. + type: object + name: + description: Name of the subset. type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster was generated. - type: integer - service: - description: The fully qualified service name for this cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. + connectionPool: properties: - filterChain: - description: Match a specific filter chain in a listener. + http: + description: HTTP connection pool settings. properties: - applicationProtocols: - description: Applies only to sidecars. 
+ h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - destinationPort: - description: The destination_port value used by a filter chain's match condition. + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 type: integer - filter: - description: The name of a specific filter to apply the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - description: The next level filter within this filter to match upon. - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. type: string - sni: - description: The SNI value used by a filter chain's match condition. + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. + idleTimeout: + description: The idle timeout for TCP connections. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - description: The service port/gateway port to which traffic is being sent/received. - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - description: Match on the node metadata supplied by a proxy when connecting to Istio Pilot. - type: object - proxyVersion: - description: A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. - type: string type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash properties: - gateway: - description: The Istio gateway config's namespace/name for which this route configuration was generated. - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - description: The service port number or gateway server port number for which this route configuration was generated. - type: integer - vhost: - description: Match a specific virtual host in a route configuration and apply the patch to the virtual host. + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: - name: - description: The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService's host field or the hostname of a service in the registry. - type: string - route: - description: Match a specific route within the virtual host. + httpCookie: + description: Hash based on HTTP cookie. properties: - action: - description: Match a route with specific action type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string name: - description: The Route objects generated by default are named as default. + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied within a context. - format: int32 - type: integer - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. - properties: - labels: - additionalProperties: - type: string + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 
+ type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 
+ type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. 
+ format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. 
+ properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. 
+ type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. 
+ properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection is tunneled. 
+ type: string + targetPort: + description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + description: |- + Specifies where in the Envoy configuration, the patch should be applied. 
+ + Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster was generated. + maximum: 4294967295 + minimum: 0 + type: integer + service: + description: The fully qualified service name for this cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: |- + The specific config generation context to match on. + + Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by a filter chain's match condition. + maximum: 4294967295 + minimum: 0 + type: integer + filter: + description: The name of a specific filter to apply the patch to. + properties: + name: + description: The filter name to match on. 
+ type: string + subFilter: + description: The next level filter within this filter to match upon. + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + description: The service port/gateway port to which traffic is being sent/received. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + description: Match on the node metadata supplied by a proxy when connecting to Istio Pilot. + type: object + proxyVersion: + description: A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + description: The Istio gateway config's namespace/name for which this route configuration was generated. + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + description: The service port number or gateway server port number for which this route configuration was generated. + maximum: 4294967295 + minimum: 0 + type: integer + vhost: + description: Match a specific virtual host in a route configuration and apply the patch to the virtual host. 
+ properties: + name: + description: The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService's host field or the hostname of a service in the registry. + type: string + route: + description: Match a specific route within the virtual host. + properties: + action: + description: |- + Match a route with specific action type. + + Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + description: The Route objects generated by default are named as default. + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: |- + Determines the filter insertion order. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: |- + Determines how the patch should be applied. + + Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied within a context. + format: int32 + type: integer + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + type: object + type: array + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. + properties: + labels: + additionalProperties: + type: string description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object 
@@ -3886,36 +5587,181 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - name: v1alpha3 schema: openAPIV3Schema: @@ -3953,11 +5799,15 @@ spec: type: string number: description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: + maximum: 4294967295 + minimum: 0 type: integer required: - number 
@@ -3970,6 +5820,9 @@ spec: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: @@ -3982,7 +5835,10 @@ spec: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -3991,7 +5847,10 @@ spec: - TLSV1_3 type: string minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -4000,7 +5859,10 @@ spec: - TLSV1_3 type: string mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE @@ -4042,7 +5904,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - name: v1beta1 @@ -4082,11 +5944,15 @@ spec: type: string number: description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: + maximum: 4294967295 + minimum: 0 type: integer required: - number 
@@ -4099,6 +5965,9 @@ spec: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: @@ -4111,7 +5980,10 @@ spec: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -4120,7 +5992,10 @@ spec: - TLSV1_3 type: string minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -4129,7 +6004,10 @@ spec: - TLSV1_3 type: string mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE 
@@ -4171,7 +6049,234 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + knative.dev/crd-install: "true" + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. 
+ + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. 
+ + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + format: int32 + nullable: true + type: integer + environmentVariables: + additionalProperties: + type: string + description: Additional environment variables for the proxy. 
+ type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true subresources: status: {} --- 
@@ -4187,72 +6292,268 @@ metadata: istio: security release: istio knative.dev/crd-install: "true" - name: peerauthentications.security.istio.io + name: requestauthentications.security.istio.io spec: group: security.istio.io names: categories: - istio-io - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications shortNames: - - pa - singular: peerauthentication + - ra + singular: requestauthentication scope: Namespaced versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 + - name: v1 schema: openAPIV3Schema: properties: spec: - description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' properties: - mtls: - description: Mutual TLS settings for workload. + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. 
+ items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + jwksUri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. + type: string + required: + - issuer + type: object + type: array + selector: + description: Optional. 
properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. type: string type: object - portLevelMtls: - additionalProperties: + targetRefs: + description: Optional. + items: properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. type: string type: object - description: Port specific mutual TLS settings. - type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. 
+ items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + jwksUri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. 
+ type: string + required: + - issuer + type: object + type: array selector: - description: The selector determines the workloads to apply the PeerAuthentication on. + description: Optional. properties: matchLabels: additionalProperties: type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: object status: type: object 
@@ -4274,51 +6575,444 @@ metadata: heritage: Tiller release: istio knative.dev/crd-install: "true" - name: proxyconfigs.networking.istio.io + name: serviceentries.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry scope: Namespaced versions: - - name: v1beta1 + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. 
+ items: + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. 
+ maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. 
+ + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. 
+ type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 schema: openAPIV3Schema: properties: spec: - description: 'Provides configuration for individual workloads. See more details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' properties: - concurrency: - description: The number of worker threads to run. - nullable: true - type: integer - environmentVariables: - additionalProperties: + addresses: + description: The virtual IP addresses associated with the service. + items: type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: The image type of the image. 
- type: string - type: object - selector: - description: Optional. + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. 
+ maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. properties: - matchLabels: + labels: additionalProperties: type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object + required: + - hosts type: object status: type: object @@ -4338,22 +7032,19 @@ metadata: app: istio-pilot chart: istio heritage: Tiller - istio: security release: istio knative.dev/crd-install: "true" - name: requestauthentications.security.istio.io + name: sidecars.networking.istio.io spec: - group: security.istio.io + group: networking.istio.io names: categories: - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar scope: Namespaced versions: - name: v1 
@@ -4361,100 +7052,366 @@ spec: openAPIV3Schema: properties: spec: - description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. items: properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. items: type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. 
type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: - name: - description: The HTTP header name. + interval: + description: The time duration between keep-alive probes. type: string - prefix: - description: The prefix that should be stripped before decoding the token. + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string - required: - - name type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string - jwks_uri: - description: URL of the provider's public key set to validate signature of the JWT. + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - jwksUri: - description: URL of the provider's public key set to validate signature of the JWT. 
+ connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. 
+ format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: type: string - header: - description: The name of the header to be created. 
+ type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output a successfully verified JWT payload to the backend. - type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. 
+ items: + type: string + type: array + type: object required: - - issuer + - port type: object type: array - selector: - description: Optional. + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. properties: - matchLabels: + labels: additionalProperties: type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object type: object status: type: object 
@@ -4464,253 +7421,364 @@ spec: storage: false subresources: status: {} - - name: v1beta1 + - name: v1alpha3 schema: openAPIV3Schema: properties: spec: - description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. items: properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before decoding the token. - type: string - required: - - name - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate signature of the JWT. 
+ bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. type: string - jwksUri: - description: URL of the provider's public key set to validate signature of the JWT. + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object + type: string type: array - outputPayloadToHeader: - description: This field specifies the header name to output a successfully verified JWT payload to the backend. - type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object required: - - issuer + - hosts type: object type: array - selector: - description: Optional. + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean type: object - type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. 
- type: string - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. 
- items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without the port. - type: string - labels: - additionalProperties: + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in the same L3 domain/network. - type: string - ports: - additionalProperties: + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: Specify whether the service should be considered external to the mesh or part of the mesh. - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: - name: - description: Label assigned to the port. + bind: + description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - targetPort: - description: The port number on the endpoint where the traffic will be received. - type: integer + connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. 
+ format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. 
+ properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object required: - - number - - name + - port type: object type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. - items: - type: string - type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object workloadSelector: - description: Applicable only for MESH_INTERNAL services. + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. properties: labels: additionalProperties: 
@@ -4718,129 +7786,373 @@ spec: description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object - required: - - hosts type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 + - name: v1beta1 schema: openAPIV3Schema: properties: spec: - description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. 
+ egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. items: properties: - address: - description: Address associated with the network endpoint without the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. type: string - network: - description: Network enables Istio to group endpoints resident in the same L3 domain/network. + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer type: object - serviceAccount: - description: The service account associated with the workload if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer + required: + - hosts type: object type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: Specify whether the service should be considered external to the mesh or part of the mesh. - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: - name: - description: Label assigned to the port. + bind: + description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string - targetPort: - description: The port number on the endpoint where the traffic will be received. - type: integer + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. 
+ type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object required: - - number - - name + - port type: object type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. - items: - type: string - type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. 
+ properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object workloadSelector: - description: Applicable only for MESH_INTERNAL services. + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. properties: labels: additionalProperties: @@ -4848,15 +8160,13 @@ spec: description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object - required: - - hosts type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- 
@@ -4869,346 +8179,635 @@ metadata: app: istio-pilot chart: istio heritage: Tiller + istio: telemetry release: istio knative.dev/crd-install: "true" - name: sidecars.networking.istio.io + name: telemetries.telemetry.istio.io spec: - group: networking.istio.io + group: telemetry.istio.io names: categories: - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry scope: Namespaced versions: - - name: v1alpha3 + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: spec: - description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' properties: - egress: - description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + accessLogging: + description: Optional. items: properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. - type: string - captureMode: - description: When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). 
- enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). 
+ + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. items: - type: string + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. 
- type: string - targetPort: - type: integer - type: object - required: - - hosts + reportingInterval: + description: Optional. + type: string type: object type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. + selector: + description: Optional. properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. 
- type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. - type: string - type: object + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. type: object type: object - ingress: - description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. items: properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should be bound. + group: + description: group is the group of the target resource. type: string - captureMode: - description: The captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE + kind: + description: kind is kind of the target resource. type: string - connectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. 
- properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. 
- type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. - type: string - type: object - type: object + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. properties: - name: - description: Label assigned to the port. 
- type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER type: string - targetPort: - type: integer type: object - tls: - description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' - items: + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. 
+ format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections should be logged. type: string + type: object + match: + description: Allows tailoring of logging behavior to specific conditions. + properties: mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
- type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + - CLIENT_AND_SERVER + - CLIENT + - SERVER type: string - subjectAltNames: - description: A list of alternate names to verify the subject identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. - items: + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. - items: + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). 
+ + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 type: string - type: array - type: object - required: - - port + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string type: object type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. 
- properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. + selector: + description: Optional. properties: - labels: + matchLabels: additionalProperties: type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. type: object type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + tracing: + description: Optional. 
+ items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. 
+ format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array type: object status: type: object 
@@ -5218,634 +8817,865 @@ spec: storage: true subresources: status: {} - - name: v1beta1 +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: spec: - description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' properties: - egress: - description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. 
+ exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. items: properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. - type: string - captureMode: - description: When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. 
+ items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight request can be cached. + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute. properties: name: - description: Label assigned to the port. + description: Name specifies the name of the delegate VirtualService. type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. type: string - targetPort: + type: object + directResponse: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. 
+ maximum: 4294967295 + minimum: 0 type: integer + required: + - status type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. 
- format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. - type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should be bound. - type: string - captureMode: - description: The captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. properties: - http: - description: HTTP connection pool settings. + abort: + description: Abort Http request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + exponentialDelay: type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + fixedDelay: + description: Add a fixed delay before forwarding the request. type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + percent: + description: Percentage of requests on which the delay will be injected (0-100). format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean + percentage: + description: Percentage of requests on which the delay will be injected. 
+ properties: + value: + format: double + type: number + type: object type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + type: object + headers: + properties: + request: properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. + items: type: string - maxConnectionDuration: - description: The maximum duration of a connection. 
+ type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: The header keys must be lowercase and use hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. 
+ type: object + scheme: + description: 'URI Scheme values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + description: One or more labels that constrain the applicability of a rule to source (client) workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex properties: - interval: - description: The time duration between keep-alive probes. + exact: type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). type: string type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in addition to forwarding the requests to the intended destination. properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' 
- items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + host: + description: The name of a service from the service registry. type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. type: string - subjectAltNames: - description: A list of alternate names to verify the subject identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. 
- items: - type: string - type: array + required: + - host type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - knative.dev/crd-install: "true" - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. 
It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. + mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true - type: boolean - filter: - description: Optional. + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror operation. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. 
+ type: string + redirect: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort properties: - expression: - description: CEL expression for selecting when requests/connections should be logged. + authority: + description: On a redirect, overwrite the Authority/Host portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of the URL with this value. type: string type: object - match: - description: Allows tailoring of logging behavior to specific conditions. + retries: + description: Retry policy for HTTP requests. properties: - mode: - description: This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. 
+ type: string + retryOn: + description: Specifies the conditions under which retry takes place. type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean type: object - providers: - description: Optional. + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + type: string + uri: + description: rewrite the path (or the prefix) portion of the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. items: properties: - name: - description: Required. - minLength: 1 - type: string + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. + format: int32 + type: integer required: - - name + - destination type: object type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string type: object type: array - metrics: - description: Optional. + tcp: + description: An ordered list of route rules for opaque TCP traffic. items: properties: - overrides: - description: Optional. + match: + description: Match conditions to be satisfied for the rule to be activated. items: properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). 
- enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: 'Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.' - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' - description: Optional. + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string type: object type: array - providers: - description: Optional. 
+ route: + description: The destination to which the connection should be forwarded to. items: properties: - name: - description: Required. - minLength: 1 - type: string + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. + format: int32 + type: integer required: - - name + - destination type: object type: array - reportingInterval: - description: Optional. - type: string type: object type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - tracing: - description: Optional. + tls: + description: An ordered list of route rule for non-terminated TLS & HTTPS traffic. 
items: properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header + match: + description: Match conditions to be satisfied for the rule to be activated. + items: properties: - environment: - description: Environment adds the value of an environment variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from which to extract the tag value. - minLength: 1 - type: string - required: - - name + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object - header: - description: RequestHeader adds the value of an header from the request to each span. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: - defaultValue: - description: Optional. 
- type: string - name: - description: Name of the header from which to extract the tag value. - minLength: 1 + host: + description: The name of a service from the service registry. type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to each span. - properties: - value: - description: The tag value to use. - minLength: 1 + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. type: string required: - - value + - host type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - description: This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. + format: int32 + type: integer required: - - name + - destination type: object type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean + required: + - match type: object type: array type: object 
@@ -5854,36 +9684,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - additionalPrinterColumns: - description: The names of gateways and sidecars that should apply these routes jsonPath: .spec.gateways @@ -6017,6 +9820,8 @@ spec: type: object status: description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer required: - status @@ -6221,6 +10026,8 @@ spec: type: string port: description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer queryParams: additionalProperties: @@ -6353,6 +10160,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6362,9 +10171,13 @@ spec: - host type: object mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercentage: @@ -6388,6 +10201,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -6428,16 +10243,23 @@ spec: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: - description: 'On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.' + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. @@ -6498,6 +10320,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6572,6 +10396,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sourceLabels: additionalProperties: @@ -6599,6 +10425,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6637,6 +10465,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. @@ -6669,6 +10499,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -6695,7 +10527,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -6831,6 +10663,8 @@ spec: type: object status: description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer required: - status @@ -7035,6 +10869,8 @@ spec: type: string port: description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer queryParams: additionalProperties: @@ -7167,6 +11003,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7176,9 +11014,13 @@ spec: - host type: object mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercentage: @@ -7202,6 +11044,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -7242,16 +11086,23 @@ spec: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: - description: 'On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.' + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. @@ -7312,6 +11163,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7386,6 +11239,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sourceLabels: additionalProperties: @@ -7413,6 +11268,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7451,6 +11308,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. @@ -7483,6 +11342,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -7509,7 +11370,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- @@ -7550,13 +11411,19 @@ spec: description: 'Extend the functionality provided by the Istio proxy through WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' properties: failStrategy: - description: Specifies the failure behavior for the plugin due to fatal errors. + description: |- + Specifies the failure behavior for the plugin due to fatal errors. + + Valid Options: FAIL_CLOSE, FAIL_OPEN enum: - FAIL_CLOSE - FAIL_OPEN type: string imagePullPolicy: - description: The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + description: |- + The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + + Valid Options: IfNotPresent, Always enum: - UNSPECIFIED_POLICY - IfNotPresent @@ -7572,7 +11439,10 @@ spec: items: properties: mode: - description: Criteria for selecting traffic by their direction. + description: |- + Criteria for selecting traffic by their direction. + + Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER enum: - UNDEFINED - CLIENT @@ -7597,7 +11467,10 @@ spec: type: object type: array phase: - description: Determines where in the filter chain this `WasmPlugin` is to be injected. + description: |- + Determines where in the filter chain this `WasmPlugin` is to be injected. + + Valid Options: AUTHN, AUTHZ, STATS enum: - UNSPECIFIED_PHASE - AUTHN @@ -7615,6 +11488,7 @@ spec: type: string priority: description: Determines ordering of `WasmPlugins` in the same `phase`. + format: int32 nullable: true type: integer selector: @@ -7631,7 +11505,6 @@ spec: pattern: (^$|^[a-f0-9]{64}$) type: string targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -7646,8 +11519,29 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: - description: Specifies the type of Wasm Extension to be used. + description: |- + Specifies the type of Wasm Extension to be used. + + Valid Options: HTTP, NETWORK enum: - UNSPECIFIED_PLUGIN_TYPE - HTTP @@ -7679,7 +11573,10 @@ spec: maxLength: 2048 type: string valueFrom: - description: Source for the environment variable's value. + description: |- + Source for the environment variable's value. + + Valid Options: INLINE, HOST enum: - INLINE - HOST 
@@ -7736,6 +11633,60 @@ spec: singular: workloadentry scope: Namespaced versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ maximum: 4294967295 + minimum: 0 + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp @@ -7768,6 +11719,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7776,6 +11729,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object status: @@ -7783,7 +11738,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -7818,6 +11773,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7826,6 +11783,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object status: @@ -7833,7 +11792,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- 
@@ -7861,6 +11820,163 @@ spec: singular: workloadgroup scope: Namespaced versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: '`WorkloadGroup` enables specifying the properties of a single workload for bootstrap and provides a template for `WorkloadEntry`, similar to how `Deployment` specifies properties of workloads via `Pod` templates.' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the status/able to connect determines health.' 
+ properties: + host: + description: Host name to connect to, defaults to the pod IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. 
+ type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp @@ -7937,6 +12053,8 @@ spec: type: string port: description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 type: integer scheme: type: string @@ -7961,6 +12079,8 @@ spec: host: type: string port: + maximum: 4294967295 + minimum: 0 type: integer required: - port @@ -7989,6 +12109,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7997,6 +12119,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object required: @@ -8007,7 +12131,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: 
@@ -8086,6 +12210,8 @@ spec: type: string port: description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 type: integer scheme: type: string @@ -8110,6 +12236,8 @@ spec: host: type: string port: + maximum: 4294967295 + minimum: 0 type: integer required: - port @@ -8138,6 +12266,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -8146,6 +12276,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object required: @@ -8156,7 +12288,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- @@ -8165,11 +12297,10 @@ data: mesh: |- defaultConfig: discoveryAddress: istiod.istio-system.svc:15012 + image: + imageType: distroless proxyMetadata: ISTIO_META_ENABLE_HBONE: "true" - tracing: - zipkin: - address: zipkin.istio-system:9411 defaultProviders: metrics: - prometheus @@ -8194,7 +12325,7 @@ data: "cniVersion": "0.3.1", "name": "istio-cni", "type": "istio-cni", - "log_level": "info", + "log_level": "debug", "log_uds_address": "__LOG_UDS_ADDRESS__", "ambient_enabled": true, "cni_event_address": "__CNI_EVENT_ADDRESS__", 
@@ -8276,8 +12407,8 @@ data: kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} - {{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} + {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} + {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", @@ -8301,7 +12432,7 @@ data: (not $nativeSidecar) }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init @@ -8353,7 +12484,7 @@ data: {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} - {{ if .Values.istio_cni.enabled -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ end -}} @@ -8371,14 +12502,14 @@ data: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: - {{- if not .Values.istio_cni.enabled }} + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL - {{- if not .Values.istio_cni.enabled }} + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false 
@@ -8469,12 +12600,10 @@ data: - drain {{- end }} env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -8673,10 +12802,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ @@ -8729,7 +12856,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -8737,7 +12863,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -8829,8 +12954,6 @@ data: runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -8959,10 +13082,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ 
@@ -8999,7 +13120,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -9007,7 +13127,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -9131,7 +13250,7 @@ data: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { - istio.io/rev: {{ .Revision | default "default" }}, + istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", @@ -9180,12 +13299,10 @@ data: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR 
@@ -9302,10 +13419,8 @@ data: # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ @@ -9376,7 +13491,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -9384,7 +13498,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -9428,6 +13541,14 @@ data: "gateway.networking.k8s.io/gateway-name" .Name "istio.io/gateway-name" .Name ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -9460,7 +13581,6 @@ data: (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict - "ambient.istio.io/redirection" "disabled" "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" @@ -9469,6 +13589,7 @@ data: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) 
@@ -9521,8 +13642,6 @@ data: valueFrom: fieldRef: fieldPath: spec.nodeName - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9727,6 +13846,14 @@ data: "gateway.networking.k8s.io/gateway-name" .Name "istio.io/gateway-name" .Name ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -9775,7 +13902,7 @@ data: "istio.io/gateway-name" .Name ) | nindent 8 }} spec: - {{- if .KubeVersion122 }} + {{- if ge .KubeVersion 122 }} {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} securityContext: sysctls: @@ -9796,7 +13923,7 @@ data: {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: - {{- if .KubeVersion122 }} + {{- if ge .KubeVersion 122 }} # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 capabilities: drop: @@ -9845,11 +13972,9 @@ data: {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} {{- end }} env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9974,10 +14099,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod volumes: 
@@ -10008,7 +14131,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -10016,7 +14138,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -10089,7 +14210,6 @@ data: "istiod": { "enableAnalysis": false }, - "jwtPolicy": "third-party-jwt", "logAsJson": false, "logging": { "level": "default:info" @@ -10104,7 +14224,6 @@ data: "namespace": "istio-system", "network": "", "omitSidecarInjectorConfigMap": false, - "oneNamespace": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "priorityClassName": "", @@ -10140,7 +14259,7 @@ data: "failureThreshold": 600 }, "statusPort": 15020, - "tracer": "zipkin" + "tracer": "none" }, "proxy_init": { "image": "proxyv2" @@ -10154,12 +14273,19 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.21.1", - "variant": "" + "tag": "1.22.1", + "variant": "distroless" }, "istio_cni": { "chained": true, - "enabled": true + "enabled": true, + "provider": "default" + }, + "pilot": { + "cni": { + "enabled": false, + "provider": "default" + } }, "revision": "", "sidecarInjectorWebhook": { @@ -10240,8 +14366,6 @@ spec: - --proxyComponentLogLevel=misc:error - --log_output_level=default:info env: - - name: JWT_POLICY - value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: CA_ADDR @@ -10297,7 +14421,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.21.1 + image: docker.io/istio/proxyv2:1.22.1-distroless name: istio-proxy ports: - containerPort: 15021 @@ -10430,7 +14554,6 @@ spec: template: metadata: annotations: - ambient.istio.io/redirection: disabled prometheus.io/port: "15014" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" 
@@ -10438,6 +14561,7 @@ spec: app: istiod install.operator.istio.io/owning-resource: unknown istio: pilot + istio.io/dataplane-mode: none istio.io/rev: default operator.istio.io/component: Pilot sidecar.istio.io/inject: "false" @@ -10454,8 +14578,6 @@ spec: env: - name: REVISION value: default - - name: JWT_POLICY - value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: POD_NAME @@ -10477,13 +14599,7 @@ spec: value: /var/run/secrets/remote/config - name: CA_TRUSTED_NODE_ACCOUNTS value: istio-system/ztunnel,kube-system/ztunnel - - name: ENABLE_AUTO_SNI - value: "true" - - name: PILOT_ENABLE_AMBIENT_CONTROLLERS - value: "true" - - name: PILOT_ENABLE_HBONE - value: "true" - - name: VERIFY_CERTIFICATE_AT_CLIENT + - name: PILOT_ENABLE_AMBIENT value: "true" - name: PILOT_TRACE_SAMPLING value: "1" @@ -10501,7 +14617,7 @@ spec: resource: limits.cpu - name: PLATFORM value: "" - image: docker.io/istio/pilot:1.21.1-distroless + image: docker.io/istio/pilot:1.22.1-distroless name: discovery ports: - containerPort: 8080 @@ -10547,6 +14663,9 @@ spec: name: istio-csr-ca-configmap readOnly: true serviceAccountName: istiod + tolerations: + - key: cni.istio.io/not-ready + operator: Exists volumes: - emptyDir: medium: Memory @@ -10918,12 +15037,12 @@ spec: template: metadata: annotations: - ambient.istio.io/redirection: disabled prometheus.io/path: /metrics prometheus.io/port: "15014" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" labels: + istio.io/dataplane-mode: none k8s-app: istio-cni-node sidecar.istio.io/inject: "false" spec: @@ -10972,7 +15091,7 @@ spec: apiVersion: v1 fieldPath: spec.nodeName - name: LOG_LEVEL - value: info + value: debug - name: AMBIENT_ENABLED value: "true" - name: GOMEMLIMIT @@ -10983,7 +15102,7 @@ spec: valueFrom: resourceFieldRef: resource: limits.cpu - image: docker.io/istio/install-cni:1.21.1 + image: docker.io/istio/install-cni:1.22.1-distroless name: install-cni readinessProbe: httpGet: 
@@ -10997,8 +15116,8 @@ spec: capabilities: add: - NET_ADMIN - - SYS_ADMIN - NET_RAW + - SYS_ADMIN drop: - ALL privileged: true @@ -11074,12 +15193,12 @@ spec: template: metadata: annotations: - ambient.istio.io/redirection: disabled prometheus.io/port: "15020" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" labels: app: ztunnel + istio.io/dataplane-mode: none sidecar.istio.io/inject: "false" spec: containers: @@ -11119,7 +15238,9 @@ spec: valueFrom: fieldRef: fieldPath: spec.serviceAccountName - image: docker.io/istio/ztunnel:1.21.1 + - name: ISTIO_META_ENABLE_HBONE + value: "true" + image: docker.io/istio/ztunnel:1.22.1-distroless name: istio-proxy ports: - containerPort: 15020 @@ -11131,8 +15252,8 @@ spec: port: 15021 resources: requests: - cpu: 500m - memory: 2048Mi + cpu: 200m + memory: 512Mi securityContext: allowPrivilegeEscalation: false capabilities: @@ -11154,6 +15275,8 @@ spec: name: istio-token - mountPath: /var/run/ztunnel name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical @@ -11181,6 +15304,8 @@ spec: path: /var/run/ztunnel type: DirectoryOrCreate name: cni-ztunnel-sock-dir + - emptyDir: {} + name: tmp updateStrategy: rollingUpdate: maxSurge: 1 diff --git a/third_party/istio-latest/istio-ci-mesh/istio.yaml b/third_party/istio-latest/istio-ci-mesh/istio.yaml index 44bc26efee..d994744355 100644 --- a/third_party/istio-latest/istio-ci-mesh/istio.yaml +++ b/third_party/istio-latest/istio-ci-mesh/istio.yaml @@ -48,6 +48,8 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io + - extensions.istio.io resources: - '*' verbs: 
@@ -535,10 +537,21 @@ spec: kind: AuthorizationPolicy listKind: AuthorizationPolicyList plural: authorizationpolicies + shortNames: + - ap singular: authorizationpolicy scope: Namespaced versions: - - name: v1 + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: @@ -553,7 +566,10 @@ spec: - provider properties: action: - description: Optional. + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY @@ -714,7 +730,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. @@ -729,6 +744,24 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: object status: type: object 
@@ -738,7 +771,16 @@ spec: storage: false subresources: status: {} - - name: v1beta1 + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 schema: openAPIV3Schema: properties: @@ -753,7 +795,10 @@ spec: - provider properties: action: - description: Optional. + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY @@ -914,7 +959,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. @@ -929,6 +973,24 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: object status: type: object @@ -974,7 +1036,7 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha3 + name: v1 schema: openAPIV3Schema: properties: 
@@ -1010,7 +1072,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1067,6 +1132,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -1147,16 +1214,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -1174,6 +1244,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1202,6 +1274,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1221,6 +1295,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: 
@@ -1228,10 +1304,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1259,7 +1339,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1316,6 +1399,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -1396,16 +1481,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -1423,6 +1511,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object 
@@ -1451,6 +1541,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1470,6 +1562,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -1477,10 +1571,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1502,6 +1600,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -1510,6 +1610,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -1521,7 +1624,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE 
@@ -1546,7 +1652,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -1558,6 +1667,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -1569,7 +1681,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -1599,6 +1714,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost @@ -1618,7 +1735,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1675,6 +1795,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
@@ -1755,16 +1877,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -1782,6 +1907,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1810,6 +1937,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1829,6 +1958,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -1836,10 +1967,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1867,7 +2002,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE 
@@ -1924,6 +2062,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2004,16 +2144,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2031,6 +2174,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -2059,6 +2204,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2078,6 +2225,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -2085,10 +2234,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: 
@@ -2110,6 +2263,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -2118,6 +2273,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2129,7 +2287,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2154,7 +2315,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -2166,6 +2330,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string 
@@ -2177,7 +2344,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2207,6 +2377,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost @@ -2230,7 +2402,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -2242,7 +2414,7 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1alpha3 schema: openAPIV3Schema: properties: @@ -2278,7 +2450,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -2335,6 +2510,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
@@ -2415,16 +2592,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2442,6 +2622,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -2470,6 +2652,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2489,6 +2673,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -2496,10 +2682,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -2527,7 +2717,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE 
@@ -2584,6 +2777,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2664,16 +2859,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2691,6 +2889,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -2719,6 +2919,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2738,6 +2940,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -2745,10 +2949,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: 
@@ -2770,6 +2978,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -2778,6 +2988,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2789,7 +3002,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2814,7 +3030,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -2826,6 +3045,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string 
@@ -2837,7 +3059,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2867,6 +3092,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost @@ -2886,7 +3113,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -2943,6 +3173,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -3023,16 +3255,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -3050,6 +3285,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object 
@@ -3078,6 +3315,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -3097,6 +3336,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -3104,10 +3345,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -3135,7 +3380,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -3192,6 +3440,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
@@ -3272,16 +3522,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -3299,6 +3552,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -3327,6 +3582,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -3346,6 +3603,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -3353,10 +3612,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -3378,6 +3641,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: 
@@ -3386,6 +3651,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -3397,7 +3665,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -3422,7 +3693,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -3434,6 +3708,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -3445,7 +3722,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -3475,6 +3755,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost 
@@ -3501,239 +3783,3489 @@ spec: storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 schema: openAPIV3Schema: properties: spec: - description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' properties: - configPatches: - description: One or more patches with match conditions. + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. 
+ type: string + subsets: + description: One or more named sets that represent individual versions of a service. items: properties: - applyTo: - description: Specifies where in the Envoy configuration, the patch should be applied. - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service in the service registry. + type: object + name: + description: Name of the subset. type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster was generated. - type: integer - service: - description: The fully qualified service name for this cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. + connectionPool: properties: - filterChain: - description: Match a specific filter chain in a listener. + http: + description: HTTP connection pool settings. properties: - applicationProtocols: - description: Applies only to sidecars. 
+ h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - destinationPort: - description: The destination_port value used by a filter chain's match condition. + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 type: integer - filter: - description: The name of a specific filter to apply the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - description: The next level filter within this filter to match upon. - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. type: string - sni: - description: The SNI value used by a filter chain's match condition. + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. + idleTimeout: + description: The idle timeout for TCP connections. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - description: The service port/gateway port to which traffic is being sent/received. - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - description: Match on the node metadata supplied by a proxy when connecting to Istio Pilot. - type: object - proxyVersion: - description: A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. - type: string type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash properties: - gateway: - description: The Istio gateway config's namespace/name for which this route configuration was generated. - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - description: The service port number or gateway server port number for which this route configuration was generated. - type: integer - vhost: - description: Match a specific virtual host in a route configuration and apply the patch to the virtual host. + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: - name: - description: The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService's host field or the hostname of a service in the registry. - type: string - route: - description: Match a specific route within the virtual host. + httpCookie: + description: Hash based on HTTP cookie. properties: - action: - description: Match a route with specific action type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string name: - description: The Route objects generated by default are named as default. + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied within a context. - format: int32 - type: integer - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. - properties: - labels: - additionalProperties: - type: string + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 
+ type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 
+ type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. 
+ format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. 
+ properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. 
+ type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. 
+ properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection is tunneled. 
+ type: string + targetPort: + description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + description: |- + Specifies where in the Envoy configuration, the patch should be applied. 
+ + Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster was generated. + maximum: 4294967295 + minimum: 0 + type: integer + service: + description: The fully qualified service name for this cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: |- + The specific config generation context to match on. + + Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by a filter chain's match condition. + maximum: 4294967295 + minimum: 0 + type: integer + filter: + description: The name of a specific filter to apply the patch to. + properties: + name: + description: The filter name to match on. 
+ type: string + subFilter: + description: The next level filter within this filter to match upon. + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + description: The service port/gateway port to which traffic is being sent/received. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + description: Match on the node metadata supplied by a proxy when connecting to Istio Pilot. + type: object + proxyVersion: + description: A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + description: The Istio gateway config's namespace/name for which this route configuration was generated. + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + description: The service port number or gateway server port number for which this route configuration was generated. + maximum: 4294967295 + minimum: 0 + type: integer + vhost: + description: Match a specific virtual host in a route configuration and apply the patch to the virtual host. 
+ properties: + name: + description: The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService's host field or the hostname of a service in the registry. + type: string + route: + description: Match a specific route within the virtual host. + properties: + action: + description: |- + Match a route with specific action type. + + Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + description: The Route objects generated by default are named as default. + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: |- + Determines the filter insertion order. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: |- + Determines how the patch should be applied. + + Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied within a context. + format: int32 + type: integer + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + type: object + type: array + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be unique across all servers. 
+ type: string + port: + description: The Port on which the proxy should listen for incoming connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. 
+ items: + type: string + type: array + name: + description: An optional name of the server, when set must be unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. 
+ + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. 
+ items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. 
+ + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. 
+ items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + knative.dev/crd-install: "true" + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. 
+ + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. 
+ + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + format: int32 + nullable: true + type: integer + environmentVariables: + additionalProperties: + type: string + description: Additional environment variables for the proxy. 
+ type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + knative.dev/crd-install: "true" + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. 
+ items: + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + jwksUri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. + type: string + required: + - issuer + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. 
+ type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before decoding the token. 
+ type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + jwksUri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. + type: string + required: + - issuer + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. 
+ + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. 
+ type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. 
+ items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. 
+ type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. 
+ + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. 
+ type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. 
+ format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. 
+ properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. 
+ + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object 
@@ -3743,90 +7275,261 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - name: v1alpha3 schema: openAPIV3Schema: properties: spec: - description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. 
+ items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object type: object - servers: - description: A list of server specifications. + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: bind: - description: The ip or the Unix domain socket to which the listener should be bound to. + description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string - defaultEndpoint: + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be unique across all servers. 
+ connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. 
+ format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string port: - description: The Port on which the proxy should listen for incoming connections. + description: The port associated with the listener. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: + maximum: 4294967295 + minimum: 0 type: integer - required: - - number - - protocol - - name type: object tls: - description: Set of TLS related options that govern the server's behavior. + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: 
@@ -3839,7 +7542,10 @@ spec: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -3848,7 +7554,10 @@ spec: - TLSV1_3 type: string minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -3857,7 +7566,10 @@ spec: - TLSV1_3 type: string mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE 
@@ -3890,16 +7602,54 @@ spec: type: object required: - port - - hosts type: object type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - name: v1beta1 
@@ -3907,55 +7657,253 @@ spec: openAPIV3Schema: properties: spec: - description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object type: object - servers: - description: A list of server specifications. + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: bind: - description: The ip or the Unix domain socket to which the listener should be bound to. + description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string - defaultEndpoint: + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be unique across all servers. + connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. 
+ format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string port: - description: The Port on which the proxy should listen for incoming connections. 
+ description: The port associated with the listener. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: + maximum: 4294967295 + minimum: 0 type: integer - required: - - number - - protocol - - name type: object tls: - description: Set of TLS related options that govern the server's behavior. + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: @@ -3968,7 +7916,10 @@ spec: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -3977,7 +7928,10 @@ spec: - TLSV1_3 type: string minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 
@@ -3986,7 +7940,10 @@ spec: - TLSV1_3 type: string mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE 
@@ -4019,161 +7976,45 @@ spec: type: object required: - port - - hosts type: object type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - knative.dev/crd-install: "true" - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. 
- enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the PeerAuthentication on. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - nullable: true - type: integer - environmentVariables: - additionalProperties: - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. 
properties: - imageType: - description: The image type of the image. + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY type: string type: object - selector: - description: Optional. + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. properties: - matchLabels: + labels: additionalProperties: type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object type: object 
@@ -4195,204 +8036,178 @@ metadata: app: istio-pilot chart: istio heritage: Tiller - istio: security + istio: telemetry release: istio knative.dev/crd-install: "true" - name: requestauthentications.security.istio.io + name: telemetries.telemetry.istio.io spec: - group: security.istio.io + group: telemetry.istio.io names: categories: - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries shortNames: - - ra - singular: requestauthentication + - telemetry + singular: telemetry scope: Namespaced versions: - - name: v1 + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: spec: - description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. + accessLogging: + description: Optional. items: properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. 
- items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept for the upstream request. + disabled: + description: Controls logging. + nullable: true type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. items: properties: name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before decoding the token. + description: Required. + minLength: 1 type: string required: - name type: object type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate signature of the JWT. - type: string - jwksUri: - description: URL of the provider's public key set to validate signature of the JWT. - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. 
- items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output a successfully verified JWT payload to the backend. - type: string - required: - - issuer type: object type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: + metrics: description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. items: properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. 
+ overrides: + description: Optional. items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? 
self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. items: properties: name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before decoding the token. + description: Required. + minLength: 1 type: string required: - name type: object type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate signature of the JWT. - type: string - jwksUri: - description: URL of the provider's public key set to validate signature of the JWT. - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output a successfully verified JWT payload to the backend. + reportingInterval: + description: Optional. type: string - required: - - issuer type: object type: array selector: @@ -4405,7 +8220,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -4420,1327 +8234,1316 @@ spec: description: namespace is the namespace of the referent. type: string type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. 
See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. + targetRefs: + description: Optional. items: properties: - address: - description: Address associated with the network endpoint without the port. + group: + description: group is the group of the target resource. type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. + kind: + description: kind is kind of the target resource. type: string - network: - description: Network enables Istio to group endpoints resident in the same L3 domain/network. + name: + description: name is the name of the target resource. type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a sidecar is present in the workload. + namespace: + description: namespace is the namespace of the referent. type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer type: object type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: Specify whether the service should be considered external to the mesh or part of the mesh. - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. + tracing: + description: Optional. 
items: properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic will be received. - type: integer - required: - - number - - name + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. 
+ + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean type: object type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. 
- type: object - type: object - required: - - hosts type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1alpha1 schema: openAPIV3Schema: properties: spec: - description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. + accessLogging: + description: Optional. items: properties: - address: - description: Address associated with the network endpoint without the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. 
+ disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections should be logged. + type: string type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in the same L3 domain/network. - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. + match: + description: Allows tailoring of logging behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string type: object - serviceAccount: - description: The service account associated with the workload if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: Specify whether the service should be considered external to the mesh or part of the mesh. - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. 
- type: string - targetPort: - description: The port number on the endpoint where the traffic will be received. - type: integer - required: - - number - - name + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array type: object type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. 
See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + metrics: + description: Optional. items: properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. - type: string - captureMode: - description: When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. 
+ + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. items: - type: string + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - required: - - hosts + reportingInterval: + description: Optional. + type: string type: object type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. + selector: + description: Optional. properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
- enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
- type: string - type: object + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. type: object type: object - ingress: - description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. items: properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should be bound. + group: + description: group is the group of the target resource. type: string - captureMode: - description: The captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE + kind: + description: kind is kind of the target resource. type: string - connectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. 
- type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. - type: string - type: object - type: object + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + tracing: + description: Optional. 
+ items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. 
+ + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER type: string - targetPort: - type: integer type: object - tls: - description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. 
Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' + allowCredentials: + description: Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when requesting the resource. items: type: string type: array - credentialName: - description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. 
- type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject identity in the certificate presented by the client. + allowMethods: + description: List of HTTP methods allowed to access the resource. items: type: string type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + allowOrigin: items: type: string type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are allowed to access. items: type: string type: array + maxAge: + description: Specifies how long the results of a preflight request can be cached. 
+ type: string type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. - type: string - captureMode: - description: When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). 
- enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. + delegate: + description: Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute. properties: name: - description: Label assigned to the port. + description: Name specifies the name of the delegate VirtualService. type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. type: string - targetPort: + type: object + directResponse: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer + required: + - status type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
- enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
- type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should be bound. - type: string - captureMode: - description: The captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. properties: - http: - description: HTTP connection pool settings. + abort: + description: Abort Http request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc. 
+ oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + exponentialDelay: type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + fixedDelay: + description: Add a fixed delay before forwarding the request. type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + percent: + description: Percentage of requests on which the delay will be injected (0-100). format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean + percentage: + description: Percentage of requests on which the delay will be injected. + properties: + value: + format: double + type: number + type: object type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + type: object + headers: + properties: + request: properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. 
+ add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. + items: type: string - maxConnectionDuration: - description: The maximum duration of a connection. + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: The header keys must be lowercase and use hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. 
+ type: boolean + method: + description: 'HTTP Method values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + sourceLabels: + additionalProperties: type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + description: One or more labels that constrain the applicability of a rule to source (client) workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex properties: - interval: - description: The time duration between keep-alive probes. + exact: type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
+ prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). type: string type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in addition to forwarding the requests to the intended destination. properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' 
- enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + host: + description: The name of a service from the service registry. type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. type: string - subjectAltNames: - description: A list of alternate names to verify the subject identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array + required: + - host type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - required: - - host - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - knative.dev/crd-install: "true" - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. 
- items: - properties: - disabled: - description: Controls logging. + mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true - type: boolean - filter: - description: Optional. + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. properties: - expression: - description: CEL expression for selecting when requests/connections should be logged. - type: string + value: + format: double + type: number type: object - match: - description: Allows tailoring of logging behavior to specific conditions. + mirrors: + description: Specifies the destinations to mirror HTTP traffic in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror operation. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. 
+ oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort properties: - mode: - description: This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + authority: + description: On a redirect, overwrite the Authority/Host portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of the URL with this value. type: string type: object - providers: - description: Optional. + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. 
+ properties: + authority: + description: rewrite the Authority/Host header with this value. + type: string + uri: + description: rewrite the path (or the prefix) portion of the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. items: properties: - name: - description: Required. - minLength: 1 - type: string + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. 
+ format: int32 + type: integer required: - - name + - destination type: object type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string type: object type: array - metrics: - description: Optional. + tcp: + description: An ordered list of route rules for opaque TCP traffic. items: properties: - overrides: - description: Optional. + match: + description: Match conditions to be satisfied for the rule to be activated. items: properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: 'Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.' - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? 
self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' - description: Optional. + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string type: object type: array - providers: - description: Optional. + route: + description: The destination to which the connection should be forwarded to. items: properties: - name: - description: Required. - minLength: 1 - type: string + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. + format: int32 + type: integer required: - - name + - destination type: object type: array - reportingInterval: - description: Optional. 
- type: string type: object type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - tracing: - description: Optional. + tls: + description: An ordered list of route rule for non-terminated TLS & HTTPS traffic. items: properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header + match: + description: Match conditions to be satisfied for the rule to be activated. + items: properties: - environment: - description: Environment adds the value of an environment variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from which to extract the tag value. - minLength: 1 - type: string - required: - - name + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. 
+ items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object - header: - description: RequestHeader adds the value of an header from the request to each span. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract the tag value. - minLength: 1 + host: + description: The name of a service from the service registry. type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to each span. - properties: - value: - description: The tag value to use. - minLength: 1 + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. type: string required: - - value + - host type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - description: This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. 
- enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. + format: int32 + type: integer required: - - name + - destination type: object type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean + required: + - match type: object type: array type: object status: type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: The names of gateways and sidecars that should apply these routes jsonPath: .spec.gateways @@ -5874,6 +9677,8 @@ spec: type: object status: description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer required: - status 
@@ -6078,6 +9883,8 @@ spec: type: string port: description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer queryParams: additionalProperties: @@ -6210,6 +10017,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6219,9 +10028,13 @@ spec: - host type: object mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercentage: @@ -6245,6 +10058,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6285,16 +10100,23 @@ spec: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: - description: 'On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.' + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. @@ -6355,6 +10177,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -6429,6 +10253,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sourceLabels: additionalProperties: @@ -6456,6 +10282,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6494,6 +10322,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. @@ -6526,6 +10356,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6552,7 +10384,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -6688,6 +10520,8 @@ spec: type: object status: description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer required: - status @@ -6892,6 +10726,8 @@ spec: type: string port: description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer queryParams: additionalProperties: @@ -7024,6 +10860,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7033,9 +10871,13 @@ spec: - host type: object mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercentage: @@ -7059,6 +10901,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -7099,16 +10943,23 @@ spec: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: - description: 'On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.' + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. @@ -7169,6 +11020,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7243,6 +11096,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sourceLabels: additionalProperties: @@ -7270,6 +11125,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7308,6 +11165,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. @@ -7340,6 +11199,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -7366,7 +11227,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- @@ -7407,13 +11268,19 @@ spec: description: 'Extend the functionality provided by the Istio proxy through WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' properties: failStrategy: - description: Specifies the failure behavior for the plugin due to fatal errors. + description: |- + Specifies the failure behavior for the plugin due to fatal errors. + + Valid Options: FAIL_CLOSE, FAIL_OPEN enum: - FAIL_CLOSE - FAIL_OPEN type: string imagePullPolicy: - description: The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + description: |- + The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + + Valid Options: IfNotPresent, Always enum: - UNSPECIFIED_POLICY - IfNotPresent @@ -7429,7 +11296,10 @@ spec: items: properties: mode: - description: Criteria for selecting traffic by their direction. + description: |- + Criteria for selecting traffic by their direction. + + Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER enum: - UNDEFINED - CLIENT @@ -7454,7 +11324,10 @@ spec: type: object type: array phase: - description: Determines where in the filter chain this `WasmPlugin` is to be injected. + description: |- + Determines where in the filter chain this `WasmPlugin` is to be injected. + + Valid Options: AUTHN, AUTHZ, STATS enum: - UNSPECIFIED_PHASE - AUTHN @@ -7472,6 +11345,7 @@ spec: type: string priority: description: Determines ordering of `WasmPlugins` in the same `phase`. + format: int32 nullable: true type: integer selector: @@ -7488,7 +11362,6 @@ spec: pattern: (^$|^[a-f0-9]{64}$) type: string targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -7503,8 +11376,29 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: - description: Specifies the type of Wasm Extension to be used. + description: |- + Specifies the type of Wasm Extension to be used. + + Valid Options: HTTP, NETWORK enum: - UNSPECIFIED_PLUGIN_TYPE - HTTP @@ -7536,7 +11430,10 @@ spec: maxLength: 2048 type: string valueFrom: - description: Source for the environment variable's value. + description: |- + Source for the environment variable's value. + + Valid Options: INLINE, HOST enum: - INLINE - HOST 
@@ -7593,6 +11490,60 @@ spec: singular: workloadentry scope: Namespaced versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ maximum: 4294967295 + minimum: 0 + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp @@ -7625,6 +11576,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7633,6 +11586,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object status: @@ -7640,7 +11595,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -7675,6 +11630,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7683,6 +11640,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object status: @@ -7690,7 +11649,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- 
@@ -7718,6 +11677,163 @@ spec: singular: workloadgroup scope: Namespaced versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: '`WorkloadGroup` enables specifying the properties of a single workload for bootstrap and provides a template for `WorkloadEntry`, similar to how `Deployment` specifies properties of workloads via `Pod` templates.' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the status/able to connect determines health.' 
+ properties: + host: + description: Host name to connect to, defaults to the pod IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. 
+ type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp @@ -7794,6 +11910,8 @@ spec: type: string port: description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 type: integer scheme: type: string @@ -7818,6 +11936,8 @@ spec: host: type: string port: + maximum: 4294967295 + minimum: 0 type: integer required: - port @@ -7846,6 +11966,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7854,6 +11976,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object required: @@ -7864,7 +11988,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: 
@@ -7943,6 +12067,8 @@ spec: type: string port: description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 type: integer scheme: type: string @@ -7967,6 +12093,8 @@ spec: host: type: string port: + maximum: 4294967295 + minimum: 0 type: integer required: - port @@ -7995,6 +12123,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -8003,6 +12133,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object required: @@ -8013,7 +12145,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- @@ -8023,9 +12155,6 @@ data: defaultConfig: discoveryAddress: istiod.istio-system.svc:15012 terminationDrainDuration: 20s - tracing: - zipkin: - address: zipkin.istio-system:9411 defaultProviders: metrics: - prometheus @@ -8104,8 +12233,8 @@ data: kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} - {{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} + {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} + {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", 
@@ -8129,7 +12258,7 @@ data: (not $nativeSidecar) }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init @@ -8181,7 +12310,7 @@ data: {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} - {{ if .Values.istio_cni.enabled -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ end -}} @@ -8199,14 +12328,14 @@ data: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: - {{- if not .Values.istio_cni.enabled }} + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL - {{- if not .Values.istio_cni.enabled }} + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false @@ -8297,12 +12426,10 @@ data: - drain {{- end }} env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -8501,10 +12628,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ 
@@ -8557,7 +12682,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -8565,7 +12689,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -8657,8 +12780,6 @@ data: runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -8787,10 +12908,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ @@ -8827,7 +12946,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -8835,7 +12953,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: 
@@ -8959,7 +13076,7 @@ data: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { - istio.io/rev: {{ .Revision | default "default" }}, + istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", @@ -9008,12 +13125,10 @@ data: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9130,10 +13245,8 @@ data: # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ @@ -9204,7 +13317,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: 
@@ -9212,7 +13324,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -9256,6 +13367,14 @@ data: "gateway.networking.k8s.io/gateway-name" .Name "istio.io/gateway-name" .Name ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -9288,7 +13407,6 @@ data: (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict - "ambient.istio.io/redirection" "disabled" "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" @@ -9297,6 +13415,7 @@ data: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) @@ -9349,8 +13468,6 @@ data: valueFrom: fieldRef: fieldPath: spec.nodeName - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9555,6 +13672,14 @@ data: "gateway.networking.k8s.io/gateway-name" .Name "istio.io/gateway-name" .Name ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} --- apiVersion: apps/v1 kind: Deployment 
@@ -9603,7 +13728,7 @@ data: "istio.io/gateway-name" .Name ) | nindent 8 }} spec: - {{- if .KubeVersion122 }} + {{- if ge .KubeVersion 122 }} {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} securityContext: sysctls: @@ -9624,7 +13749,7 @@ data: {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: - {{- if .KubeVersion122 }} + {{- if ge .KubeVersion 122 }} # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 capabilities: drop: @@ -9673,11 +13798,9 @@ data: {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} {{- end }} env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9802,10 +13925,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod volumes: @@ -9836,7 +13957,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -9844,7 +13964,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -9917,7 +14036,6 @@ data: "istiod": { "enableAnalysis": false }, - "jwtPolicy": "third-party-jwt", "logAsJson": false, "logging": { "level": "default:info" 
@@ -9932,7 +14050,6 @@ data: "namespace": "istio-system", "network": "", "omitSidecarInjectorConfigMap": false, - "oneNamespace": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "priorityClassName": "", @@ -9968,7 +14085,7 @@ data: "failureThreshold": 600 }, "statusPort": 15020, - "tracer": "zipkin" + "tracer": "none" }, "proxy_init": { "image": "proxyv2" @@ -9982,12 +14099,19 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.21.1", + "tag": "1.22.1", "variant": "" }, "istio_cni": { "chained": true, - "enabled": false + "enabled": false, + "provider": "default" + }, + "pilot": { + "cni": { + "enabled": false, + "provider": "default" + } }, "revision": "", "sidecarInjectorWebhook": { @@ -10068,8 +14192,6 @@ spec: - --proxyComponentLogLevel=misc:error - --log_output_level=default:info env: - - name: JWT_POLICY - value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: CA_ADDR @@ -10123,7 +14245,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.21.1 + image: docker.io/istio/proxyv2:1.22.1 name: istio-proxy ports: - containerPort: 15021 @@ -10256,7 +14378,6 @@ spec: template: metadata: annotations: - ambient.istio.io/redirection: disabled prometheus.io/port: "15014" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" @@ -10264,6 +14385,7 @@ spec: app: istiod install.operator.istio.io/owning-resource: unknown istio: pilot + istio.io/dataplane-mode: none istio.io/rev: default operator.istio.io/component: Pilot sidecar.istio.io/inject: "false" @@ -10280,8 +14402,6 @@ spec: env: - name: REVISION value: default - - name: JWT_POLICY - value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: POD_NAME @@ -10317,7 +14437,7 @@ spec: resource: limits.cpu - name: PLATFORM value: "" - image: docker.io/istio/pilot:1.21.1 + image: docker.io/istio/pilot:1.22.1 name: discovery ports: - containerPort: 8080 
@@ -10363,6 +14483,9 @@ spec: name: istio-csr-ca-configmap readOnly: true serviceAccountName: istiod + tolerations: + - key: cni.istio.io/not-ready + operator: Exists volumes: - emptyDir: medium: Memory diff --git a/third_party/istio-latest/istio-ci-no-mesh/istio.yaml b/third_party/istio-latest/istio-ci-no-mesh/istio.yaml index a47c28e866..2df9fb12c5 100644 --- a/third_party/istio-latest/istio-ci-no-mesh/istio.yaml +++ b/third_party/istio-latest/istio-ci-no-mesh/istio.yaml @@ -48,6 +48,8 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io + - extensions.istio.io resources: - '*' verbs: @@ -535,10 +537,21 @@ spec: kind: AuthorizationPolicy listKind: AuthorizationPolicyList plural: authorizationpolicies + shortNames: + - ap singular: authorizationpolicy scope: Namespaced versions: - - name: v1 + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: @@ -553,7 +566,10 @@ spec: - provider properties: action: - description: Optional. + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY @@ -714,7 +730,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -729,6 +744,24 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: object status: type: object @@ -738,7 +771,16 @@ spec: storage: false subresources: status: {} - - name: v1beta1 + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 schema: openAPIV3Schema: properties: @@ -753,7 +795,10 @@ spec: - provider properties: action: - description: Optional. + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY @@ -914,7 +959,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -929,6 +973,24 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: object status: type: object @@ -974,7 +1036,7 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha3 + name: v1 schema: openAPIV3Schema: properties: @@ -1010,7 +1072,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1067,6 +1132,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -1147,16 +1214,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: 
@@ -1174,6 +1244,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1202,6 +1274,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1221,6 +1295,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -1228,10 +1304,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1259,7 +1339,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1316,6 +1399,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
@@ -1396,16 +1481,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -1423,6 +1511,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1451,6 +1541,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1470,6 +1562,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -1477,10 +1571,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1502,6 +1600,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: 
@@ -1510,6 +1610,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -1521,7 +1624,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -1546,7 +1652,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -1558,6 +1667,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -1569,7 +1681,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -1599,6 +1714,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost 
@@ -1618,7 +1735,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1675,6 +1795,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -1755,16 +1877,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -1782,6 +1907,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1810,6 +1937,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1829,6 +1958,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: 
@@ -1836,10 +1967,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1867,7 +2002,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1924,6 +2062,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2004,16 +2144,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2031,6 +2174,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object 
@@ -2059,6 +2204,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2078,6 +2225,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -2085,10 +2234,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -2110,6 +2263,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -2118,6 +2273,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2129,7 +2287,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE 
@@ -2154,7 +2315,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -2166,6 +2330,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2177,7 +2344,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2207,6 +2377,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost @@ -2230,7 +2402,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -2242,7 +2414,7 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1alpha3 schema: openAPIV3Schema: properties: @@ -2278,7 +2450,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE 
@@ -2335,6 +2510,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2415,16 +2592,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2442,6 +2622,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -2470,6 +2652,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2489,6 +2673,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -2496,10 +2682,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: 
@@ -2527,7 +2717,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -2584,6 +2777,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2664,16 +2859,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2691,6 +2889,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -2719,6 +2919,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2738,6 +2940,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: 
@@ -2745,10 +2949,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -2770,6 +2978,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -2778,6 +2988,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2789,7 +3002,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2814,7 +3030,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 
@@ -2826,6 +3045,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2837,7 +3059,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2867,6 +3092,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost @@ -2886,7 +3113,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -2943,6 +3173,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
@@ -3023,16 +3255,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -3050,6 +3285,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -3078,6 +3315,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -3097,6 +3336,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -3104,10 +3345,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -3135,7 +3380,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE 
@@ -3192,6 +3440,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -3272,16 +3522,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -3299,6 +3552,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -3327,6 +3582,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -3346,6 +3603,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -3353,10 +3612,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: 
@@ -3378,6 +3641,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -3386,6 +3651,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -3397,7 +3665,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -3422,7 +3693,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -3434,6 +3708,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string 
@@ -3445,7 +3722,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -3475,6 +3755,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost 
@@ -3501,239 +3783,3489 @@ spec: storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 schema: openAPIV3Schema: properties: spec: - description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' properties: - configPatches: - description: One or more patches with match conditions. + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. 
+ type: string + subsets: + description: One or more named sets that represent individual versions of a service. items: properties: - applyTo: - description: Specifies where in the Envoy configuration, the patch should be applied. - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service in the service registry. + type: object + name: + description: Name of the subset. type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster was generated. - type: integer - service: - description: The fully qualified service name for this cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. + connectionPool: properties: - filterChain: - description: Match a specific filter chain in a listener. + http: + description: HTTP connection pool settings. properties: - applicationProtocols: - description: Applies only to sidecars. 
+ h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - destinationPort: - description: The destination_port value used by a filter chain's match condition. + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 type: integer - filter: - description: The name of a specific filter to apply the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - description: The next level filter within this filter to match upon. - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. type: string - sni: - description: The SNI value used by a filter chain's match condition. + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. + idleTimeout: + description: The idle timeout for TCP connections. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - description: The service port/gateway port to which traffic is being sent/received. - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - description: Match on the node metadata supplied by a proxy when connecting to Istio Pilot. - type: object - proxyVersion: - description: A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. - type: string type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash properties: - gateway: - description: The Istio gateway config's namespace/name for which this route configuration was generated. - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - description: The service port number or gateway server port number for which this route configuration was generated. - type: integer - vhost: - description: Match a specific virtual host in a route configuration and apply the patch to the virtual host. + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: - name: - description: The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService's host field or the hostname of a service in the registry. - type: string - route: - description: Match a specific route within the virtual host. + httpCookie: + description: Hash based on HTTP cookie. properties: - action: - description: Match a route with specific action type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string name: - description: The Route objects generated by default are named as default. + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied within a context. - format: int32 - type: integer - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. - properties: - labels: - additionalProperties: - type: string + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 
+ type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 
+ type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. 
+ format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. 
+ properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. 
+ type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. 
+ properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection is tunneled. 
+ type: string + targetPort: + description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + description: |- + Specifies where in the Envoy configuration, the patch should be applied. 
+ + Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster was generated. + maximum: 4294967295 + minimum: 0 + type: integer + service: + description: The fully qualified service name for this cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: |- + The specific config generation context to match on. + + Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by a filter chain's match condition. + maximum: 4294967295 + minimum: 0 + type: integer + filter: + description: The name of a specific filter to apply the patch to. + properties: + name: + description: The filter name to match on. 
+ type: string + subFilter: + description: The next level filter within this filter to match upon. + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + description: The service port/gateway port to which traffic is being sent/received. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + description: Match on the node metadata supplied by a proxy when connecting to Istio Pilot. + type: object + proxyVersion: + description: A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + description: The Istio gateway config's namespace/name for which this route configuration was generated. + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + description: The service port number or gateway server port number for which this route configuration was generated. + maximum: 4294967295 + minimum: 0 + type: integer + vhost: + description: Match a specific virtual host in a route configuration and apply the patch to the virtual host. 
+ properties: + name: + description: The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService's host field or the hostname of a service in the registry. + type: string + route: + description: Match a specific route within the virtual host. + properties: + action: + description: |- + Match a route with specific action type. + + Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + description: The Route objects generated by default are named as default. + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: |- + Determines the filter insertion order. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: |- + Determines how the patch should be applied. + + Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied within a context. + format: int32 + type: integer + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + type: object + type: array + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be unique across all servers. 
+ type: string + port: + description: The Port on which the proxy should listen for incoming connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. 
+ items: + type: string + type: array + name: + description: An optional name of the server, when set must be unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. 
+ + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. 
+ items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. 
+ + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. 
+ items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + knative.dev/crd-install: "true" + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. 
+ + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. 
+ + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + format: int32 + nullable: true + type: integer + environmentVariables: + additionalProperties: + type: string + description: Additional environment variables for the proxy. 
+ type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + knative.dev/crd-install: "true" + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. 
+ items: + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + jwksUri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. + type: string + required: + - issuer + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. 
+ type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before decoding the token. 
+ type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + jwksUri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. + type: string + required: + - issuer + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. 
+ + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. 
+ type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. 
+ items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. 
+ type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. 
+ + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. 
+ type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. 
+ format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. 
+ properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. 
+ + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object 
@@ -3743,90 +7275,261 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - name: v1alpha3 schema: openAPIV3Schema: properties: spec: - description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. 
+ items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object type: object - servers: - description: A list of server specifications. + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: bind: - description: The ip or the Unix domain socket to which the listener should be bound to. + description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string - defaultEndpoint: + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be unique across all servers. 
+ connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. 
+ format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string port: - description: The Port on which the proxy should listen for incoming connections. + description: The port associated with the listener. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: + maximum: 4294967295 + minimum: 0 type: integer - required: - - number - - protocol - - name type: object tls: - description: Set of TLS related options that govern the server's behavior. + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: 
@@ -3839,7 +7542,10 @@ spec: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -3848,7 +7554,10 @@ spec: - TLSV1_3 type: string minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -3857,7 +7566,10 @@ spec: - TLSV1_3 type: string mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE 
@@ -3890,16 +7602,54 @@ spec: type: object required: - port - - hosts type: object type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - name: v1beta1 
@@ -3907,55 +7657,253 @@ spec: openAPIV3Schema: properties: spec: - description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object type: object - servers: - description: A list of server specifications. + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: bind: - description: The ip or the Unix domain socket to which the listener should be bound to. + description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string - defaultEndpoint: + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be unique across all servers. + connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. 
+ format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string port: - description: The Port on which the proxy should listen for incoming connections. 
+ description: The port associated with the listener. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: + maximum: 4294967295 + minimum: 0 type: integer - required: - - number - - protocol - - name type: object tls: - description: Set of TLS related options that govern the server's behavior. + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: @@ -3968,7 +7916,10 @@ spec: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -3977,7 +7928,10 @@ spec: - TLSV1_3 type: string minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 
@@ -3986,7 +7940,10 @@ spec: - TLSV1_3 type: string mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE 
@@ -4019,161 +7976,45 @@ spec: type: object required: - port - - hosts type: object type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - knative.dev/crd-install: "true" - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. 
- enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the PeerAuthentication on. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - nullable: true - type: integer - environmentVariables: - additionalProperties: - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. 
properties: - imageType: - description: The image type of the image. + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY type: string type: object - selector: - description: Optional. + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. properties: - matchLabels: + labels: additionalProperties: type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object type: object 
@@ -4195,204 +8036,178 @@ metadata: app: istio-pilot chart: istio heritage: Tiller - istio: security + istio: telemetry release: istio knative.dev/crd-install: "true" - name: requestauthentications.security.istio.io + name: telemetries.telemetry.istio.io spec: - group: security.istio.io + group: telemetry.istio.io names: categories: - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries shortNames: - - ra - singular: requestauthentication + - telemetry + singular: telemetry scope: Namespaced versions: - - name: v1 + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: spec: - description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. + accessLogging: + description: Optional. items: properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. 
- items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept for the upstream request. + disabled: + description: Controls logging. + nullable: true type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. items: properties: name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before decoding the token. + description: Required. + minLength: 1 type: string required: - name type: object type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate signature of the JWT. - type: string - jwksUri: - description: URL of the provider's public key set to validate signature of the JWT. - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. 
- items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output a successfully verified JWT payload to the backend. - type: string - required: - - issuer type: object type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: + metrics: description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. items: properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. 
+ overrides: + description: Optional. items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? 
self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. items: properties: name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before decoding the token. + description: Required. + minLength: 1 type: string required: - name type: object type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate signature of the JWT. - type: string - jwksUri: - description: URL of the provider's public key set to validate signature of the JWT. - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output a successfully verified JWT payload to the backend. + reportingInterval: + description: Optional. type: string - required: - - issuer type: object type: array selector: @@ -4405,7 +8220,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -4420,1327 +8234,1316 @@ spec: description: namespace is the namespace of the referent. type: string type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. 
See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. + targetRefs: + description: Optional. items: properties: - address: - description: Address associated with the network endpoint without the port. + group: + description: group is the group of the target resource. type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. + kind: + description: kind is kind of the target resource. type: string - network: - description: Network enables Istio to group endpoints resident in the same L3 domain/network. + name: + description: name is the name of the target resource. type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a sidecar is present in the workload. + namespace: + description: namespace is the namespace of the referent. type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer type: object type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: Specify whether the service should be considered external to the mesh or part of the mesh. - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. + tracing: + description: Optional. 
items: properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic will be received. - type: integer - required: - - number - - name + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. 
+ + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean type: object type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. 
- type: object - type: object - required: - - hosts type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1alpha1 schema: openAPIV3Schema: properties: spec: - description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. + accessLogging: + description: Optional. items: properties: - address: - description: Address associated with the network endpoint without the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. 
+ disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections should be logged. + type: string type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in the same L3 domain/network. - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. + match: + description: Allows tailoring of logging behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string type: object - serviceAccount: - description: The service account associated with the workload if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: Specify whether the service should be considered external to the mesh or part of the mesh. - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. 
- type: string - targetPort: - description: The port number on the endpoint where the traffic will be received. - type: integer - required: - - number - - name + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array type: object type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. 
See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + metrics: + description: Optional. items: properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. - type: string - captureMode: - description: When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. 
+ + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. items: - type: string + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - required: - - hosts + reportingInterval: + description: Optional. + type: string type: object type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. + selector: + description: Optional. properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
- enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
- type: string - type: object + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. type: object type: object - ingress: - description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. items: properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should be bound. + group: + description: group is the group of the target resource. type: string - captureMode: - description: The captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE + kind: + description: kind is kind of the target resource. type: string - connectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. 
- type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. - type: string - type: object - type: object + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + tracing: + description: Optional. 
+ items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. 
+ + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER type: string - targetPort: - type: integer type: object - tls: - description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. 
Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' + allowCredentials: + description: Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when requesting the resource. items: type: string type: array - credentialName: - description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. 
- type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject identity in the certificate presented by the client. + allowMethods: + description: List of HTTP methods allowed to access the resource. items: type: string type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + allowOrigin: items: type: string type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are allowed to access. items: type: string type: array + maxAge: + description: Specifies how long the results of a preflight request can be cached. 
+ type: string type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. - type: string - captureMode: - description: When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). 
- enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. + delegate: + description: Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute. properties: name: - description: Label assigned to the port. + description: Name specifies the name of the delegate VirtualService. type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. type: string - targetPort: + type: object + directResponse: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer + required: + - status type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
- enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
- type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should be bound. - type: string - captureMode: - description: The captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. properties: - http: - description: HTTP connection pool settings. + abort: + description: Abort Http request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc. 
+ oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + exponentialDelay: type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + fixedDelay: + description: Add a fixed delay before forwarding the request. type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + percent: + description: Percentage of requests on which the delay will be injected (0-100). format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean + percentage: + description: Percentage of requests on which the delay will be injected. + properties: + value: + format: double + type: number + type: object type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + type: object + headers: + properties: + request: properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. 
+ add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. + items: type: string - maxConnectionDuration: - description: The maximum duration of a connection. + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: The header keys must be lowercase and use hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. 
+ type: boolean + method: + description: 'HTTP Method values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + sourceLabels: + additionalProperties: type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + description: One or more labels that constrain the applicability of a rule to source (client) workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex properties: - interval: - description: The time duration between keep-alive probes. + exact: type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
+ prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). type: string type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in addition to forwarding the requests to the intended destination. properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' 
- enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + host: + description: The name of a service from the service registry. type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. type: string - subjectAltNames: - description: A list of alternate names to verify the subject identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array + required: + - host type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - required: - - host - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - knative.dev/crd-install: "true" - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. 
- items: - properties: - disabled: - description: Controls logging. + mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true - type: boolean - filter: - description: Optional. + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. properties: - expression: - description: CEL expression for selecting when requests/connections should be logged. - type: string + value: + format: double + type: number type: object - match: - description: Allows tailoring of logging behavior to specific conditions. + mirrors: + description: Specifies the destinations to mirror HTTP traffic in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror operation. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. 
+ oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort properties: - mode: - description: This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + authority: + description: On a redirect, overwrite the Authority/Host portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of the URL with this value. type: string type: object - providers: - description: Optional. + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. 
+ properties: + authority: + description: rewrite the Authority/Host header with this value. + type: string + uri: + description: rewrite the path (or the prefix) portion of the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. items: properties: - name: - description: Required. - minLength: 1 - type: string + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. 
+ format: int32 + type: integer required: - - name + - destination type: object type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string type: object type: array - metrics: - description: Optional. + tcp: + description: An ordered list of route rules for opaque TCP traffic. items: properties: - overrides: - description: Optional. + match: + description: Match conditions to be satisfied for the rule to be activated. items: properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: 'Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.' - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? 
self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' - description: Optional. + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string type: object type: array - providers: - description: Optional. + route: + description: The destination to which the connection should be forwarded to. items: properties: - name: - description: Required. - minLength: 1 - type: string + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. + format: int32 + type: integer required: - - name + - destination type: object type: array - reportingInterval: - description: Optional. 
- type: string type: object type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - tracing: - description: Optional. + tls: + description: An ordered list of route rule for non-terminated TLS & HTTPS traffic. items: properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header + match: + description: Match conditions to be satisfied for the rule to be activated. + items: properties: - environment: - description: Environment adds the value of an environment variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from which to extract the tag value. - minLength: 1 - type: string - required: - - name + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. 
+ items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object - header: - description: RequestHeader adds the value of an header from the request to each span. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract the tag value. - minLength: 1 + host: + description: The name of a service from the service registry. type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to each span. - properties: - value: - description: The tag value to use. - minLength: 1 + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. type: string required: - - value + - host type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - description: This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. 
- enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. + format: int32 + type: integer required: - - name + - destination type: object type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean + required: + - match type: object type: array type: object status: type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: The names of gateways and sidecars that should apply these routes jsonPath: .spec.gateways @@ -5874,6 +9677,8 @@ spec: type: object status: description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer required: - status 
@@ -6078,6 +9883,8 @@ spec: type: string port: description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer queryParams: additionalProperties: @@ -6210,6 +10017,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6219,9 +10028,13 @@ spec: - host type: object mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercentage: @@ -6245,6 +10058,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6285,16 +10100,23 @@ spec: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: - description: 'On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.' + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. @@ -6355,6 +10177,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -6429,6 +10253,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sourceLabels: additionalProperties: @@ -6456,6 +10282,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6494,6 +10322,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. @@ -6526,6 +10356,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6552,7 +10384,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -6688,6 +10520,8 @@ spec: type: object status: description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer required: - status @@ -6892,6 +10726,8 @@ spec: type: string port: description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer queryParams: additionalProperties: @@ -7024,6 +10860,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7033,9 +10871,13 @@ spec: - host type: object mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercentage: @@ -7059,6 +10901,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -7099,16 +10943,23 @@ spec: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: - description: 'On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.' + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. @@ -7169,6 +11020,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7243,6 +11096,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sourceLabels: additionalProperties: @@ -7270,6 +11125,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7308,6 +11165,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. @@ -7340,6 +11199,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -7366,7 +11227,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- @@ -7407,13 +11268,19 @@ spec: description: 'Extend the functionality provided by the Istio proxy through WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' properties: failStrategy: - description: Specifies the failure behavior for the plugin due to fatal errors. + description: |- + Specifies the failure behavior for the plugin due to fatal errors. + + Valid Options: FAIL_CLOSE, FAIL_OPEN enum: - FAIL_CLOSE - FAIL_OPEN type: string imagePullPolicy: - description: The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + description: |- + The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + + Valid Options: IfNotPresent, Always enum: - UNSPECIFIED_POLICY - IfNotPresent @@ -7429,7 +11296,10 @@ spec: items: properties: mode: - description: Criteria for selecting traffic by their direction. + description: |- + Criteria for selecting traffic by their direction. + + Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER enum: - UNDEFINED - CLIENT @@ -7454,7 +11324,10 @@ spec: type: object type: array phase: - description: Determines where in the filter chain this `WasmPlugin` is to be injected. + description: |- + Determines where in the filter chain this `WasmPlugin` is to be injected. + + Valid Options: AUTHN, AUTHZ, STATS enum: - UNSPECIFIED_PHASE - AUTHN @@ -7472,6 +11345,7 @@ spec: type: string priority: description: Determines ordering of `WasmPlugins` in the same `phase`. + format: int32 nullable: true type: integer selector: @@ -7488,7 +11362,6 @@ spec: pattern: (^$|^[a-f0-9]{64}$) type: string targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -7503,8 +11376,29 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: - description: Specifies the type of Wasm Extension to be used. + description: |- + Specifies the type of Wasm Extension to be used. + + Valid Options: HTTP, NETWORK enum: - UNSPECIFIED_PLUGIN_TYPE - HTTP @@ -7536,7 +11430,10 @@ spec: maxLength: 2048 type: string valueFrom: - description: Source for the environment variable's value. + description: |- + Source for the environment variable's value. + + Valid Options: INLINE, HOST enum: - INLINE - HOST 
@@ -7593,6 +11490,60 @@ spec: singular: workloadentry scope: Namespaced versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ maximum: 4294967295 + minimum: 0 + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp @@ -7625,6 +11576,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7633,6 +11586,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object status: @@ -7640,7 +11595,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -7675,6 +11630,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7683,6 +11640,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object status: @@ -7690,7 +11649,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- 
@@ -7718,6 +11677,163 @@ spec: singular: workloadgroup scope: Namespaced versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: '`WorkloadGroup` enables specifying the properties of a single workload for bootstrap and provides a template for `WorkloadEntry`, similar to how `Deployment` specifies properties of workloads via `Pod` templates.' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the status/able to connect determines health.' 
+ properties: + host: + description: Host name to connect to, defaults to the pod IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. 
+ type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp @@ -7794,6 +11910,8 @@ spec: type: string port: description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 type: integer scheme: type: string @@ -7818,6 +11936,8 @@ spec: host: type: string port: + maximum: 4294967295 + minimum: 0 type: integer required: - port @@ -7846,6 +11966,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7854,6 +11976,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object required: @@ -7864,7 +11988,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: 
@@ -7943,6 +12067,8 @@ spec: type: string port: description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 type: integer scheme: type: string @@ -7967,6 +12093,8 @@ spec: host: type: string port: + maximum: 4294967295 + minimum: 0 type: integer required: - port @@ -7995,6 +12123,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -8003,6 +12133,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object required: @@ -8013,7 +12145,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- @@ -8023,9 +12155,6 @@ data: defaultConfig: discoveryAddress: istiod.istio-system.svc:15012 terminationDrainDuration: 20s - tracing: - zipkin: - address: zipkin.istio-system:9411 defaultProviders: metrics: - prometheus @@ -8104,8 +12233,8 @@ data: kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} - {{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} + {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} + {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", 
@@ -8129,7 +12258,7 @@ data: (not $nativeSidecar) }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init @@ -8181,7 +12310,7 @@ data: {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} - {{ if .Values.istio_cni.enabled -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ end -}} @@ -8199,14 +12328,14 @@ data: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: - {{- if not .Values.istio_cni.enabled }} + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL - {{- if not .Values.istio_cni.enabled }} + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false @@ -8297,12 +12426,10 @@ data: - drain {{- end }} env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -8501,10 +12628,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ 
@@ -8557,7 +12682,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -8565,7 +12689,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -8657,8 +12780,6 @@ data: runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -8787,10 +12908,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ @@ -8827,7 +12946,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -8835,7 +12953,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: 
@@ -8959,7 +13076,7 @@ data: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { - istio.io/rev: {{ .Revision | default "default" }}, + istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", @@ -9008,12 +13125,10 @@ data: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9130,10 +13245,8 @@ data: # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ @@ -9204,7 +13317,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: 
@@ -9212,7 +13324,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -9256,6 +13367,14 @@ data: "gateway.networking.k8s.io/gateway-name" .Name "istio.io/gateway-name" .Name ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -9288,7 +13407,6 @@ data: (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict - "ambient.istio.io/redirection" "disabled" "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" @@ -9297,6 +13415,7 @@ data: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) @@ -9349,8 +13468,6 @@ data: valueFrom: fieldRef: fieldPath: spec.nodeName - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9555,6 +13672,14 @@ data: "gateway.networking.k8s.io/gateway-name" .Name "istio.io/gateway-name" .Name ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} --- apiVersion: apps/v1 kind: Deployment 
@@ -9603,7 +13728,7 @@ data: "istio.io/gateway-name" .Name ) | nindent 8 }} spec: - {{- if .KubeVersion122 }} + {{- if ge .KubeVersion 122 }} {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} securityContext: sysctls: @@ -9624,7 +13749,7 @@ data: {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: - {{- if .KubeVersion122 }} + {{- if ge .KubeVersion 122 }} # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 capabilities: drop: @@ -9673,11 +13798,9 @@ data: {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} {{- end }} env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9802,10 +13925,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod volumes: @@ -9836,7 +13957,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -9844,7 +13964,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -9917,7 +14036,6 @@ data: "istiod": { "enableAnalysis": false }, - "jwtPolicy": "third-party-jwt", "logAsJson": false, "logging": { "level": "default:info" 
@@ -9932,7 +14050,6 @@ data: "namespace": "istio-system", "network": "", "omitSidecarInjectorConfigMap": false, - "oneNamespace": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "priorityClassName": "", @@ -9968,7 +14085,7 @@ data: "failureThreshold": 600 }, "statusPort": 15020, - "tracer": "zipkin" + "tracer": "none" }, "proxy_init": { "image": "proxyv2" @@ -9982,12 +14099,19 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.21.1", + "tag": "1.22.1", "variant": "" }, "istio_cni": { "chained": true, - "enabled": false + "enabled": false, + "provider": "default" + }, + "pilot": { + "cni": { + "enabled": false, + "provider": "default" + } }, "revision": "", "sidecarInjectorWebhook": { @@ -10068,8 +14192,6 @@ spec: - --proxyComponentLogLevel=misc:error - --log_output_level=default:info env: - - name: JWT_POLICY - value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: CA_ADDR @@ -10123,7 +14245,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.21.1 + image: docker.io/istio/proxyv2:1.22.1 name: istio-proxy ports: - containerPort: 15021 @@ -10256,7 +14378,6 @@ spec: template: metadata: annotations: - ambient.istio.io/redirection: disabled prometheus.io/port: "15014" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" @@ -10264,6 +14385,7 @@ spec: app: istiod install.operator.istio.io/owning-resource: unknown istio: pilot + istio.io/dataplane-mode: none istio.io/rev: default operator.istio.io/component: Pilot sidecar.istio.io/inject: "false" @@ -10280,8 +14402,6 @@ spec: env: - name: REVISION value: default - - name: JWT_POLICY - value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: POD_NAME @@ -10317,7 +14437,7 @@ spec: resource: limits.cpu - name: PLATFORM value: "" - image: docker.io/istio/pilot:1.21.1 + image: docker.io/istio/pilot:1.22.1 name: discovery ports: - containerPort: 8080 
@@ -10363,6 +14483,9 @@ spec: name: istio-csr-ca-configmap readOnly: true serviceAccountName: istiod + tolerations: + - key: cni.istio.io/not-ready + operator: Exists volumes: - emptyDir: medium: Memory diff --git a/third_party/istio-latest/istio-kind-ambient/istio.yaml b/third_party/istio-latest/istio-kind-ambient/istio.yaml index 7e049d9863..1b54769855 100644 --- a/third_party/istio-latest/istio-kind-ambient/istio.yaml +++ b/third_party/istio-latest/istio-kind-ambient/istio.yaml @@ -136,6 +136,8 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io + - extensions.istio.io resources: - '*' verbs: @@ -678,10 +680,21 @@ spec: kind: AuthorizationPolicy listKind: AuthorizationPolicyList plural: authorizationpolicies + shortNames: + - ap singular: authorizationpolicy scope: Namespaced versions: - - name: v1 + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: @@ -696,7 +709,10 @@ spec: - provider properties: action: - description: Optional. + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY @@ -857,7 +873,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -872,6 +887,24 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: object status: type: object @@ -881,7 +914,16 @@ spec: storage: false subresources: status: {} - - name: v1beta1 + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 schema: openAPIV3Schema: properties: @@ -896,7 +938,10 @@ spec: - provider properties: action: - description: Optional. + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY @@ -1057,7 +1102,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -1072,6 +1116,24 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: object status: type: object @@ -1117,7 +1179,7 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha3 + name: v1 schema: openAPIV3Schema: properties: @@ -1153,7 +1215,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1210,6 +1275,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -1290,16 +1357,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: 
@@ -1317,6 +1387,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1345,6 +1417,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1364,6 +1438,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -1371,10 +1447,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1402,7 +1482,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1459,6 +1542,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
@@ -1539,16 +1624,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -1566,6 +1654,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1594,6 +1684,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1613,6 +1705,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -1620,10 +1714,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1645,6 +1743,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: 
@@ -1653,6 +1753,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -1664,7 +1767,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -1689,7 +1795,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -1701,6 +1810,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -1712,7 +1824,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -1742,6 +1857,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost 
@@ -1761,7 +1878,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1818,6 +1938,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -1898,16 +2020,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -1925,6 +2050,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1953,6 +2080,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1972,6 +2101,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: 
@@ -1979,10 +2110,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -2010,7 +2145,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -2067,6 +2205,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2147,16 +2287,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2174,6 +2317,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object 
@@ -2202,6 +2347,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2221,6 +2368,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -2228,10 +2377,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -2253,6 +2406,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -2261,6 +2416,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2272,7 +2430,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE 
@@ -2297,7 +2458,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -2309,6 +2473,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2320,7 +2487,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2350,6 +2520,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost @@ -2373,7 +2545,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -2385,7 +2557,7 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1alpha3 schema: openAPIV3Schema: properties: @@ -2421,7 +2593,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE 
@@ -2478,6 +2653,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2558,16 +2735,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2585,6 +2765,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -2613,6 +2795,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2632,6 +2816,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -2639,10 +2825,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: 
@@ -2670,7 +2860,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -2727,6 +2920,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2807,16 +3002,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2834,6 +3032,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -2862,6 +3062,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2881,6 +3083,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: 
@@ -2888,10 +3092,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -2913,6 +3121,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -2921,6 +3131,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2932,7 +3145,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2957,7 +3173,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 
@@ -2969,6 +3188,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2980,7 +3202,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -3010,6 +3235,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost @@ -3029,7 +3256,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -3086,6 +3316,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
@@ -3166,16 +3398,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -3193,6 +3428,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -3221,6 +3458,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -3240,6 +3479,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -3247,10 +3488,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -3278,7 +3523,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE 
@@ -3335,6 +3583,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -3415,16 +3665,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -3442,6 +3695,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -3470,6 +3725,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -3489,6 +3746,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -3496,10 +3755,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: 
@@ -3521,6 +3784,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -3529,6 +3794,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -3540,7 +3808,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -3565,7 +3836,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -3577,6 +3851,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string 
@@ -3588,7 +3865,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -3618,6 +3898,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost 
@@ -3644,239 +3926,1658 @@ spec: storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 schema: openAPIV3Schema: properties: spec: - description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' properties: - configPatches: - description: One or more patches with match conditions. + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. 
+ type: string + subsets: + description: One or more named sets that represent individual versions of a service. items: properties: - applyTo: - description: Specifies where in the Envoy configuration, the patch should be applied. - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service in the service registry. + type: object + name: + description: Name of the subset. type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster was generated. - type: integer - service: - description: The fully qualified service name for this cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. + connectionPool: properties: - filterChain: - description: Match a specific filter chain in a listener. + http: + description: HTTP connection pool settings. properties: - applicationProtocols: - description: Applies only to sidecars. 
+ h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - destinationPort: - description: The destination_port value used by a filter chain's match condition. + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 type: integer - filter: - description: The name of a specific filter to apply the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - description: The next level filter within this filter to match upon. - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. type: string - sni: - description: The SNI value used by a filter chain's match condition. + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. + idleTimeout: + description: The idle timeout for TCP connections. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - description: The service port/gateway port to which traffic is being sent/received. - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - description: Match on the node metadata supplied by a proxy when connecting to Istio Pilot. - type: object - proxyVersion: - description: A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. - type: string type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash properties: - gateway: - description: The Istio gateway config's namespace/name for which this route configuration was generated. - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - description: The service port number or gateway server port number for which this route configuration was generated. - type: integer - vhost: - description: Match a specific virtual host in a route configuration and apply the patch to the virtual host. + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: - name: - description: The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService's host field or the hostname of a service in the registry. - type: string - route: - description: Match a specific route within the virtual host. + httpCookie: + description: Hash based on HTTP cookie. properties: - action: - description: Match a route with specific action type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string name: - description: The Route objects generated by default are named as default. + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied within a context. - format: int32 - type: integer - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. - properties: - labels: - additionalProperties: - type: string + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 
+ type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 
+ type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. 
+ format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. 
+ properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. 
+ type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. 
+ properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection is tunneled. 
+ type: string + targetPort: + description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + description: |- + Specifies where in the Envoy configuration, the patch should be applied. 
+ + Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster was generated. + maximum: 4294967295 + minimum: 0 + type: integer + service: + description: The fully qualified service name for this cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: |- + The specific config generation context to match on. + + Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by a filter chain's match condition. + maximum: 4294967295 + minimum: 0 + type: integer + filter: + description: The name of a specific filter to apply the patch to. + properties: + name: + description: The filter name to match on. 
+ type: string + subFilter: + description: The next level filter within this filter to match upon. + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + description: The service port/gateway port to which traffic is being sent/received. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + description: Match on the node metadata supplied by a proxy when connecting to Istio Pilot. + type: object + proxyVersion: + description: A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + description: The Istio gateway config's namespace/name for which this route configuration was generated. + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + description: The service port number or gateway server port number for which this route configuration was generated. + maximum: 4294967295 + minimum: 0 + type: integer + vhost: + description: Match a specific virtual host in a route configuration and apply the patch to the virtual host. 
+ properties: + name: + description: The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService's host field or the hostname of a service in the registry. + type: string + route: + description: Match a specific route within the virtual host. + properties: + action: + description: |- + Match a route with specific action type. + + Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + description: The Route objects generated by default are named as default. + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: |- + Determines the filter insertion order. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: |- + Determines how the patch should be applied. + + Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied within a context. + format: int32 + type: integer + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + type: object + type: array + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. + properties: + labels: + additionalProperties: + type: string description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object 
@@ -3886,36 +5587,181 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - name: v1alpha3 schema: openAPIV3Schema: @@ -3953,11 +5799,15 @@ spec: type: string number: description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: + maximum: 4294967295 + minimum: 0 type: integer required: - number 
@@ -3970,6 +5820,9 @@ spec: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: @@ -3982,7 +5835,10 @@ spec: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -3991,7 +5847,10 @@ spec: - TLSV1_3 type: string minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -4000,7 +5859,10 @@ spec: - TLSV1_3 type: string mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE @@ -4042,7 +5904,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - name: v1beta1 @@ -4082,11 +5944,15 @@ spec: type: string number: description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: + maximum: 4294967295 + minimum: 0 type: integer required: - number 
@@ -4099,6 +5965,9 @@ spec: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: @@ -4111,7 +5980,10 @@ spec: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -4120,7 +5992,10 @@ spec: - TLSV1_3 type: string minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -4129,7 +6004,10 @@ spec: - TLSV1_3 type: string mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE 
@@ -4171,7 +6049,234 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + knative.dev/crd-install: "true" + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. 
+ + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. 
+ + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + format: int32 + nullable: true + type: integer + environmentVariables: + additionalProperties: + type: string + description: Additional environment variables for the proxy. 
+ type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true subresources: status: {} --- 
@@ -4187,72 +6292,268 @@ metadata: istio: security release: istio knative.dev/crd-install: "true" - name: peerauthentications.security.istio.io + name: requestauthentications.security.istio.io spec: group: security.istio.io names: categories: - istio-io - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications shortNames: - - pa - singular: peerauthentication + - ra + singular: requestauthentication scope: Namespaced versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 + - name: v1 schema: openAPIV3Schema: properties: spec: - description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' properties: - mtls: - description: Mutual TLS settings for workload. + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. 
+ items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + jwksUri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. + type: string + required: + - issuer + type: object + type: array + selector: + description: Optional. 
properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. type: string type: object - portLevelMtls: - additionalProperties: + targetRefs: + description: Optional. + items: properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. type: string type: object - description: Port specific mutual TLS settings. - type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. 
+ items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + jwksUri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. 
+ type: string + required: + - issuer + type: object + type: array selector: - description: The selector determines the workloads to apply the PeerAuthentication on. + description: Optional. properties: matchLabels: additionalProperties: type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: object status: type: object 
@@ -4274,51 +6575,444 @@ metadata: heritage: Tiller release: istio knative.dev/crd-install: "true" - name: proxyconfigs.networking.istio.io + name: serviceentries.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry scope: Namespaced versions: - - name: v1beta1 + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. 
+ items: + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. 
+ maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. 
+ + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. 
+ type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 schema: openAPIV3Schema: properties: spec: - description: 'Provides configuration for individual workloads. See more details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' properties: - concurrency: - description: The number of worker threads to run. - nullable: true - type: integer - environmentVariables: - additionalProperties: + addresses: + description: The virtual IP addresses associated with the service. + items: type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: The image type of the image. 
- type: string - type: object - selector: - description: Optional. + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. 
+ maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. properties: - matchLabels: + labels: additionalProperties: type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object + required: + - hosts type: object status: type: object @@ -4338,22 +7032,19 @@ metadata: app: istio-pilot chart: istio heritage: Tiller - istio: security release: istio knative.dev/crd-install: "true" - name: requestauthentications.security.istio.io + name: sidecars.networking.istio.io spec: - group: security.istio.io + group: networking.istio.io names: categories: - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar scope: Namespaced versions: - name: v1 
@@ -4361,100 +7052,366 @@ spec: openAPIV3Schema: properties: spec: - description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. items: properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. items: type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. 
type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: - name: - description: The HTTP header name. + interval: + description: The time duration between keep-alive probes. type: string - prefix: - description: The prefix that should be stripped before decoding the token. + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string - required: - - name type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string - jwks_uri: - description: URL of the provider's public key set to validate signature of the JWT. + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - jwksUri: - description: URL of the provider's public key set to validate signature of the JWT. 
+ connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. 
+ format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: type: string - header: - description: The name of the header to be created. 
+ type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output a successfully verified JWT payload to the backend. - type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. 
+ items: + type: string + type: array + type: object required: - - issuer + - port type: object type: array - selector: - description: Optional. + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. properties: - matchLabels: + labels: additionalProperties: type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object type: object status: type: object 
@@ -4464,253 +7421,364 @@ spec: storage: false subresources: status: {} - - name: v1beta1 + - name: v1alpha3 schema: openAPIV3Schema: properties: spec: - description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. items: properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before decoding the token. - type: string - required: - - name - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate signature of the JWT. 
+ bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. type: string - jwksUri: - description: URL of the provider's public key set to validate signature of the JWT. + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object + type: string type: array - outputPayloadToHeader: - description: This field specifies the header name to output a successfully verified JWT payload to the backend. - type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object required: - - issuer + - hosts type: object type: array - selector: - description: Optional. + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean type: object - type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. 
- type: string - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. 
- items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without the port. - type: string - labels: - additionalProperties: + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in the same L3 domain/network. - type: string - ports: - additionalProperties: + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: Specify whether the service should be considered external to the mesh or part of the mesh. - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: - name: - description: Label assigned to the port. + bind: + description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - targetPort: - description: The port number on the endpoint where the traffic will be received. - type: integer + connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. 
+ format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. 
+ properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object required: - - number - - name + - port type: object type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. - items: - type: string - type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object workloadSelector: - description: Applicable only for MESH_INTERNAL services. + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. properties: labels: additionalProperties: 
@@ -4718,129 +7786,373 @@ spec: description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object - required: - - hosts type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 + - name: v1beta1 schema: openAPIV3Schema: properties: spec: - description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. 
+ egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. items: properties: - address: - description: Address associated with the network endpoint without the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. type: string - network: - description: Network enables Istio to group endpoints resident in the same L3 domain/network. + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer type: object - serviceAccount: - description: The service account associated with the workload if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer + required: + - hosts type: object type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: Specify whether the service should be considered external to the mesh or part of the mesh. - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: - name: - description: Label assigned to the port. + bind: + description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string - targetPort: - description: The port number on the endpoint where the traffic will be received. - type: integer + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. 
+ type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object required: - - number - - name + - port type: object type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. - items: - type: string - type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. 
+ properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object workloadSelector: - description: Applicable only for MESH_INTERNAL services. + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. properties: labels: additionalProperties: @@ -4848,15 +8160,13 @@ spec: description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object - required: - - hosts type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- 
@@ -4869,346 +8179,635 @@ metadata: app: istio-pilot chart: istio heritage: Tiller + istio: telemetry release: istio knative.dev/crd-install: "true" - name: sidecars.networking.istio.io + name: telemetries.telemetry.istio.io spec: - group: networking.istio.io + group: telemetry.istio.io names: categories: - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry scope: Namespaced versions: - - name: v1alpha3 + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: spec: - description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' properties: - egress: - description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + accessLogging: + description: Optional. items: properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. - type: string - captureMode: - description: When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). 
- enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). 
+ + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. items: - type: string + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. 
- type: string - targetPort: - type: integer - type: object - required: - - hosts + reportingInterval: + description: Optional. + type: string type: object type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. + selector: + description: Optional. properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. 
- type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. - type: string - type: object + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. type: object type: object - ingress: - description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. items: properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should be bound. + group: + description: group is the group of the target resource. type: string - captureMode: - description: The captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE + kind: + description: kind is kind of the target resource. type: string - connectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. 
- properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. 
- type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. - type: string - type: object - type: object + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. properties: - name: - description: Label assigned to the port. 
- type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER type: string - targetPort: - type: integer type: object - tls: - description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' - items: + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. 
+ format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections should be logged. type: string + type: object + match: + description: Allows tailoring of logging behavior to specific conditions. + properties: mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
- type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + - CLIENT_AND_SERVER + - CLIENT + - SERVER type: string - subjectAltNames: - description: A list of alternate names to verify the subject identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. - items: + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. - items: + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). 
+ + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 type: string - type: array - type: object - required: - - port + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string type: object type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. 
- properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. + selector: + description: Optional. properties: - labels: + matchLabels: additionalProperties: type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. type: object type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + tracing: + description: Optional. 
+ items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. 
+ format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array type: object status: type: object 
@@ -5218,634 +8817,865 @@ spec: storage: true subresources: status: {} - - name: v1beta1 +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: spec: - description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' properties: - egress: - description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. 
+ exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. items: properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. - type: string - captureMode: - description: When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. 
+ items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight request can be cached. + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute. properties: name: - description: Label assigned to the port. + description: Name specifies the name of the delegate VirtualService. type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. type: string - targetPort: + type: object + directResponse: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. 
+ maximum: 4294967295 + minimum: 0 type: integer + required: + - status type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. 
- format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. - type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should be bound. - type: string - captureMode: - description: The captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. properties: - http: - description: HTTP connection pool settings. + abort: + description: Abort Http request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + exponentialDelay: type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + fixedDelay: + description: Add a fixed delay before forwarding the request. type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + percent: + description: Percentage of requests on which the delay will be injected (0-100). format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean + percentage: + description: Percentage of requests on which the delay will be injected. 
+ properties: + value: + format: double + type: number + type: object type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + type: object + headers: + properties: + request: properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. + items: type: string - maxConnectionDuration: - description: The maximum duration of a connection. 
+ type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: The header keys must be lowercase and use hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. 
+ type: object + scheme: + description: 'URI Scheme values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + description: One or more labels that constrain the applicability of a rule to source (client) workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex properties: - interval: - description: The time duration between keep-alive probes. + exact: type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). type: string type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in addition to forwarding the requests to the intended destination. properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' 
- items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + host: + description: The name of a service from the service registry. type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. type: string - subjectAltNames: - description: A list of alternate names to verify the subject identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. 
- items: - type: string - type: array + required: + - host type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - knative.dev/crd-install: "true" - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. 
It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. + mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true - type: boolean - filter: - description: Optional. + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror operation. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. 
+ type: string + redirect: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort properties: - expression: - description: CEL expression for selecting when requests/connections should be logged. + authority: + description: On a redirect, overwrite the Authority/Host portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of the URL with this value. type: string type: object - match: - description: Allows tailoring of logging behavior to specific conditions. + retries: + description: Retry policy for HTTP requests. properties: - mode: - description: This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. 
+ type: string + retryOn: + description: Specifies the conditions under which retry takes place. type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean type: object - providers: - description: Optional. + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + type: string + uri: + description: rewrite the path (or the prefix) portion of the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. items: properties: - name: - description: Required. - minLength: 1 - type: string + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. + format: int32 + type: integer required: - - name + - destination type: object type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string type: object type: array - metrics: - description: Optional. + tcp: + description: An ordered list of route rules for opaque TCP traffic. items: properties: - overrides: - description: Optional. + match: + description: Match conditions to be satisfied for the rule to be activated. items: properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). 
- enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: 'Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.' - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' - description: Optional. + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string type: object type: array - providers: - description: Optional. 
+ route: + description: The destination to which the connection should be forwarded to. items: properties: - name: - description: Required. - minLength: 1 - type: string + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. + format: int32 + type: integer required: - - name + - destination type: object type: array - reportingInterval: - description: Optional. - type: string type: object type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - tracing: - description: Optional. + tls: + description: An ordered list of route rule for non-terminated TLS & HTTPS traffic. 
items: properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header + match: + description: Match conditions to be satisfied for the rule to be activated. + items: properties: - environment: - description: Environment adds the value of an environment variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from which to extract the tag value. - minLength: 1 - type: string - required: - - name + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object - header: - description: RequestHeader adds the value of an header from the request to each span. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: - defaultValue: - description: Optional. 
- type: string - name: - description: Name of the header from which to extract the tag value. - minLength: 1 + host: + description: The name of a service from the service registry. type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to each span. - properties: - value: - description: The tag value to use. - minLength: 1 + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. type: string required: - - value + - host type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - description: This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. + format: int32 + type: integer required: - - name + - destination type: object type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean + required: + - match type: object type: array type: object 
@@ -5854,36 +9684,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - additionalPrinterColumns: - description: The names of gateways and sidecars that should apply these routes jsonPath: .spec.gateways @@ -6017,6 +9820,8 @@ spec: type: object status: description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer required: - status @@ -6221,6 +10026,8 @@ spec: type: string port: description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer queryParams: additionalProperties: @@ -6353,6 +10160,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6362,9 +10171,13 @@ spec: - host type: object mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercentage: @@ -6388,6 +10201,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -6428,16 +10243,23 @@ spec: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: - description: 'On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.' + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. @@ -6498,6 +10320,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6572,6 +10396,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sourceLabels: additionalProperties: @@ -6599,6 +10425,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6637,6 +10465,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. @@ -6669,6 +10499,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -6695,7 +10527,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -6831,6 +10663,8 @@ spec: type: object status: description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer required: - status @@ -7035,6 +10869,8 @@ spec: type: string port: description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer queryParams: additionalProperties: @@ -7167,6 +11003,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7176,9 +11014,13 @@ spec: - host type: object mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercentage: @@ -7202,6 +11044,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -7242,16 +11086,23 @@ spec: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: - description: 'On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.' + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. @@ -7312,6 +11163,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7386,6 +11239,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sourceLabels: additionalProperties: @@ -7413,6 +11268,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7451,6 +11308,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. @@ -7483,6 +11342,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -7509,7 +11370,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- @@ -7550,13 +11411,19 @@ spec: description: 'Extend the functionality provided by the Istio proxy through WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' properties: failStrategy: - description: Specifies the failure behavior for the plugin due to fatal errors. + description: |- + Specifies the failure behavior for the plugin due to fatal errors. + + Valid Options: FAIL_CLOSE, FAIL_OPEN enum: - FAIL_CLOSE - FAIL_OPEN type: string imagePullPolicy: - description: The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + description: |- + The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + + Valid Options: IfNotPresent, Always enum: - UNSPECIFIED_POLICY - IfNotPresent @@ -7572,7 +11439,10 @@ spec: items: properties: mode: - description: Criteria for selecting traffic by their direction. + description: |- + Criteria for selecting traffic by their direction. + + Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER enum: - UNDEFINED - CLIENT @@ -7597,7 +11467,10 @@ spec: type: object type: array phase: - description: Determines where in the filter chain this `WasmPlugin` is to be injected. + description: |- + Determines where in the filter chain this `WasmPlugin` is to be injected. + + Valid Options: AUTHN, AUTHZ, STATS enum: - UNSPECIFIED_PHASE - AUTHN @@ -7615,6 +11488,7 @@ spec: type: string priority: description: Determines ordering of `WasmPlugins` in the same `phase`. + format: int32 nullable: true type: integer selector: @@ -7631,7 +11505,6 @@ spec: pattern: (^$|^[a-f0-9]{64}$) type: string targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -7646,8 +11519,29 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: - description: Specifies the type of Wasm Extension to be used. + description: |- + Specifies the type of Wasm Extension to be used. + + Valid Options: HTTP, NETWORK enum: - UNSPECIFIED_PLUGIN_TYPE - HTTP @@ -7679,7 +11573,10 @@ spec: maxLength: 2048 type: string valueFrom: - description: Source for the environment variable's value. + description: |- + Source for the environment variable's value. + + Valid Options: INLINE, HOST enum: - INLINE - HOST 
@@ -7736,6 +11633,60 @@ spec: singular: workloadentry scope: Namespaced versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ maximum: 4294967295 + minimum: 0 + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp @@ -7768,6 +11719,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7776,6 +11729,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object status: @@ -7783,7 +11738,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -7818,6 +11773,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7826,6 +11783,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object status: @@ -7833,7 +11792,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- 
@@ -7861,6 +11820,163 @@ spec: singular: workloadgroup scope: Namespaced versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: '`WorkloadGroup` enables specifying the properties of a single workload for bootstrap and provides a template for `WorkloadEntry`, similar to how `Deployment` specifies properties of workloads via `Pod` templates.' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the status/able to connect determines health.' 
+ properties: + host: + description: Host name to connect to, defaults to the pod IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. 
+ type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp @@ -7937,6 +12053,8 @@ spec: type: string port: description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 type: integer scheme: type: string @@ -7961,6 +12079,8 @@ spec: host: type: string port: + maximum: 4294967295 + minimum: 0 type: integer required: - port @@ -7989,6 +12109,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7997,6 +12119,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object required: @@ -8007,7 +12131,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: 
@@ -8086,6 +12210,8 @@ spec: type: string port: description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 type: integer scheme: type: string @@ -8110,6 +12236,8 @@ spec: host: type: string port: + maximum: 4294967295 + minimum: 0 type: integer required: - port @@ -8138,6 +12266,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -8146,6 +12276,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object required: @@ -8156,7 +12288,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- @@ -8165,11 +12297,10 @@ data: mesh: |- defaultConfig: discoveryAddress: istiod.istio-system.svc:15012 + image: + imageType: distroless proxyMetadata: ISTIO_META_ENABLE_HBONE: "true" - tracing: - zipkin: - address: zipkin.istio-system:9411 defaultProviders: metrics: - prometheus @@ -8194,7 +12325,7 @@ data: "cniVersion": "0.3.1", "name": "istio-cni", "type": "istio-cni", - "log_level": "info", + "log_level": "debug", "log_uds_address": "__LOG_UDS_ADDRESS__", "ambient_enabled": true, "cni_event_address": "__CNI_EVENT_ADDRESS__", 
@@ -8276,8 +12407,8 @@ data: kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} - {{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} + {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} + {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", @@ -8301,7 +12432,7 @@ data: (not $nativeSidecar) }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init @@ -8353,7 +12484,7 @@ data: {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} - {{ if .Values.istio_cni.enabled -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ end -}} @@ -8371,14 +12502,14 @@ data: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: - {{- if not .Values.istio_cni.enabled }} + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL - {{- if not .Values.istio_cni.enabled }} + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false 
@@ -8469,12 +12600,10 @@ data: - drain {{- end }} env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -8673,10 +12802,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ @@ -8729,7 +12856,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -8737,7 +12863,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -8829,8 +12954,6 @@ data: runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -8959,10 +13082,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ 
@@ -8999,7 +13120,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -9007,7 +13127,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -9131,7 +13250,7 @@ data: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { - istio.io/rev: {{ .Revision | default "default" }}, + istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", @@ -9180,12 +13299,10 @@ data: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR 
@@ -9302,10 +13419,8 @@ data: # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ @@ -9376,7 +13491,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -9384,7 +13498,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -9428,6 +13541,14 @@ data: "gateway.networking.k8s.io/gateway-name" .Name "istio.io/gateway-name" .Name ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -9460,7 +13581,6 @@ data: (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict - "ambient.istio.io/redirection" "disabled" "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" @@ -9469,6 +13589,7 @@ data: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) 
@@ -9521,8 +13642,6 @@ data: valueFrom: fieldRef: fieldPath: spec.nodeName - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9727,6 +13846,14 @@ data: "gateway.networking.k8s.io/gateway-name" .Name "istio.io/gateway-name" .Name ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -9775,7 +13902,7 @@ data: "istio.io/gateway-name" .Name ) | nindent 8 }} spec: - {{- if .KubeVersion122 }} + {{- if ge .KubeVersion 122 }} {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} securityContext: sysctls: @@ -9796,7 +13923,7 @@ data: {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: - {{- if .KubeVersion122 }} + {{- if ge .KubeVersion 122 }} # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 capabilities: drop: @@ -9845,11 +13972,9 @@ data: {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} {{- end }} env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9974,10 +14099,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod volumes: 
@@ -10008,7 +14131,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -10016,7 +14138,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -10089,7 +14210,6 @@ data: "istiod": { "enableAnalysis": false }, - "jwtPolicy": "third-party-jwt", "logAsJson": false, "logging": { "level": "default:info" @@ -10104,7 +14224,6 @@ data: "namespace": "istio-system", "network": "", "omitSidecarInjectorConfigMap": false, - "oneNamespace": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "priorityClassName": "", @@ -10140,7 +14259,7 @@ data: "failureThreshold": 600 }, "statusPort": 15020, - "tracer": "zipkin" + "tracer": "none" }, "proxy_init": { "image": "proxyv2" @@ -10154,12 +14273,19 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.21.1", - "variant": "" + "tag": "1.22.1", + "variant": "distroless" }, "istio_cni": { "chained": true, - "enabled": true + "enabled": true, + "provider": "default" + }, + "pilot": { + "cni": { + "enabled": false, + "provider": "default" + } }, "revision": "", "sidecarInjectorWebhook": { @@ -10240,8 +14366,6 @@ spec: - --proxyComponentLogLevel=misc:error - --log_output_level=default:info env: - - name: JWT_POLICY - value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: CA_ADDR @@ -10297,7 +14421,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.21.1 + image: docker.io/istio/proxyv2:1.22.1-distroless name: istio-proxy ports: - containerPort: 15021 @@ -10430,7 +14554,6 @@ spec: template: metadata: annotations: - ambient.istio.io/redirection: disabled prometheus.io/port: "15014" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" 
@@ -10438,6 +14561,7 @@ spec: app: istiod install.operator.istio.io/owning-resource: unknown istio: pilot + istio.io/dataplane-mode: none istio.io/rev: default operator.istio.io/component: Pilot sidecar.istio.io/inject: "false" @@ -10454,8 +14578,6 @@ spec: env: - name: REVISION value: default - - name: JWT_POLICY - value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: POD_NAME @@ -10477,13 +14599,7 @@ spec: value: /var/run/secrets/remote/config - name: CA_TRUSTED_NODE_ACCOUNTS value: istio-system/ztunnel,kube-system/ztunnel - - name: ENABLE_AUTO_SNI - value: "true" - - name: PILOT_ENABLE_AMBIENT_CONTROLLERS - value: "true" - - name: PILOT_ENABLE_HBONE - value: "true" - - name: VERIFY_CERTIFICATE_AT_CLIENT + - name: PILOT_ENABLE_AMBIENT value: "true" - name: PILOT_TRACE_SAMPLING value: "1" @@ -10501,7 +14617,7 @@ spec: resource: limits.cpu - name: PLATFORM value: "" - image: docker.io/istio/pilot:1.21.1-distroless + image: docker.io/istio/pilot:1.22.1-distroless name: discovery ports: - containerPort: 8080 @@ -10547,6 +14663,9 @@ spec: name: istio-csr-ca-configmap readOnly: true serviceAccountName: istiod + tolerations: + - key: cni.istio.io/not-ready + operator: Exists volumes: - emptyDir: medium: Memory @@ -10918,12 +15037,12 @@ spec: template: metadata: annotations: - ambient.istio.io/redirection: disabled prometheus.io/path: /metrics prometheus.io/port: "15014" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" labels: + istio.io/dataplane-mode: none k8s-app: istio-cni-node sidecar.istio.io/inject: "false" spec: @@ -10972,7 +15091,7 @@ spec: apiVersion: v1 fieldPath: spec.nodeName - name: LOG_LEVEL - value: info + value: debug - name: AMBIENT_ENABLED value: "true" - name: GOMEMLIMIT @@ -10983,7 +15102,7 @@ spec: valueFrom: resourceFieldRef: resource: limits.cpu - image: docker.io/istio/install-cni:1.21.1 + image: docker.io/istio/install-cni:1.22.1-distroless name: install-cni readinessProbe: httpGet: 
@@ -10997,8 +15116,8 @@ spec: capabilities: add: - NET_ADMIN - - SYS_ADMIN - NET_RAW + - SYS_ADMIN drop: - ALL privileged: true @@ -11074,12 +15193,12 @@ spec: template: metadata: annotations: - ambient.istio.io/redirection: disabled prometheus.io/port: "15020" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" labels: app: ztunnel + istio.io/dataplane-mode: none sidecar.istio.io/inject: "false" spec: containers: @@ -11119,7 +15238,9 @@ spec: valueFrom: fieldRef: fieldPath: spec.serviceAccountName - image: docker.io/istio/ztunnel:1.21.1 + - name: ISTIO_META_ENABLE_HBONE + value: "true" + image: docker.io/istio/ztunnel:1.22.1-distroless name: istio-proxy ports: - containerPort: 15020 @@ -11131,8 +15252,8 @@ spec: port: 15021 resources: requests: - cpu: 500m - memory: 2048Mi + cpu: 200m + memory: 512Mi securityContext: allowPrivilegeEscalation: false capabilities: @@ -11154,6 +15275,8 @@ spec: name: istio-token - mountPath: /var/run/ztunnel name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical @@ -11181,6 +15304,8 @@ spec: path: /var/run/ztunnel type: DirectoryOrCreate name: cni-ztunnel-sock-dir + - emptyDir: {} + name: tmp updateStrategy: rollingUpdate: maxSurge: 1 diff --git a/third_party/istio-latest/istio-kind-no-mesh/istio.yaml b/third_party/istio-latest/istio-kind-no-mesh/istio.yaml index 4d8d0eeccf..dcaf1b72da 100644 --- a/third_party/istio-latest/istio-kind-no-mesh/istio.yaml +++ b/third_party/istio-latest/istio-kind-no-mesh/istio.yaml @@ -48,6 +48,8 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io + - extensions.istio.io resources: - '*' verbs: 
@@ -535,10 +537,21 @@ spec: kind: AuthorizationPolicy listKind: AuthorizationPolicyList plural: authorizationpolicies + shortNames: + - ap singular: authorizationpolicy scope: Namespaced versions: - - name: v1 + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: @@ -553,7 +566,10 @@ spec: - provider properties: action: - description: Optional. + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY @@ -714,7 +730,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. @@ -729,6 +744,24 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: object status: type: object 
@@ -738,7 +771,16 @@ spec: storage: false subresources: status: {} - - name: v1beta1 + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 schema: openAPIV3Schema: properties: @@ -753,7 +795,10 @@ spec: - provider properties: action: - description: Optional. + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY @@ -914,7 +959,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. @@ -929,6 +973,24 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: object status: type: object @@ -974,7 +1036,7 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha3 + name: v1 schema: openAPIV3Schema: properties: 
@@ -1010,7 +1072,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1067,6 +1132,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -1147,16 +1214,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -1174,6 +1244,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1202,6 +1274,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1221,6 +1295,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: 
@@ -1228,10 +1304,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1259,7 +1339,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1316,6 +1399,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -1396,16 +1481,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -1423,6 +1511,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object 
@@ -1451,6 +1541,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1470,6 +1562,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -1477,10 +1571,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1502,6 +1600,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -1510,6 +1610,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -1521,7 +1624,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE 
@@ -1546,7 +1652,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -1558,6 +1667,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -1569,7 +1681,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -1599,6 +1714,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost @@ -1618,7 +1735,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -1675,6 +1795,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
@@ -1755,16 +1877,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -1782,6 +1907,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -1810,6 +1937,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -1829,6 +1958,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -1836,10 +1967,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -1867,7 +2002,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE 
@@ -1924,6 +2062,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2004,16 +2144,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2031,6 +2174,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -2059,6 +2204,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2078,6 +2225,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -2085,10 +2234,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: 
@@ -2110,6 +2263,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -2118,6 +2273,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2129,7 +2287,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2154,7 +2315,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -2166,6 +2330,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string 
@@ -2177,7 +2344,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2207,6 +2377,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost @@ -2230,7 +2402,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -2242,7 +2414,7 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1alpha3 schema: openAPIV3Schema: properties: @@ -2278,7 +2450,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -2335,6 +2510,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
@@ -2415,16 +2592,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2442,6 +2622,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -2470,6 +2652,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2489,6 +2673,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -2496,10 +2682,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -2527,7 +2717,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE 
@@ -2584,6 +2777,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -2664,16 +2859,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -2691,6 +2889,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -2719,6 +2919,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -2738,6 +2940,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -2745,10 +2949,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: 
@@ -2770,6 +2978,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: @@ -2778,6 +2988,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -2789,7 +3002,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2814,7 +3030,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -2826,6 +3045,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string 
@@ -2837,7 +3059,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -2867,6 +3092,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost @@ -2886,7 +3113,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -2943,6 +3173,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. @@ -3023,16 +3255,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -3050,6 +3285,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object 
@@ -3078,6 +3315,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -3097,6 +3336,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -3104,10 +3345,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -3135,7 +3380,10 @@ spec: description: HTTP connection pool settings. properties: h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE enum: - DEFAULT - DO_NOT_UPGRADE @@ -3192,6 +3440,8 @@ spec: type: string probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 type: integer time: description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
@@ -3272,16 +3522,19 @@ spec: properties: tableSize: description: The table size for Maglev hashing. + minimum: 0 type: integer type: object minimumRingSize: description: Deprecated. + minimum: 0 type: integer ringHash: description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. properties: minimumRingSize: description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 type: integer type: object useSourceIp: @@ -3299,6 +3552,8 @@ spec: type: string to: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Map of upstream localities to traffic distribution weights. type: object @@ -3327,6 +3582,8 @@ spec: type: array type: object simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST enum: - UNSPECIFIED - LEAST_CONN @@ -3346,6 +3603,8 @@ spec: type: string consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveErrors: @@ -3353,10 +3612,14 @@ spec: type: integer consecutiveGatewayErrors: description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 nullable: true type: integer consecutiveLocalOriginFailures: description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 nullable: true type: integer interval: @@ -3378,6 +3641,8 @@ spec: description: Specifies the number of a port on the destination service on which this policy is being applied. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object tls: 
@@ -3386,6 +3651,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -3397,7 +3665,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -3422,7 +3693,10 @@ spec: description: The upstream PROXY protocol settings. properties: version: - description: The PROXY protocol version to use. + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 enum: - V1 - V2 @@ -3434,6 +3708,9 @@ spec: caCertificates: description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string @@ -3445,7 +3722,10 @@ spec: nullable: true type: boolean mode: - description: Indicates whether connections to this port should be secured using TLS. + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL enum: - DISABLE - SIMPLE @@ -3475,6 +3755,8 @@ spec: type: string targetPort: description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 type: integer required: - targetHost 
@@ -3501,239 +3783,3489 @@ spec: storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 schema: openAPIV3Schema: properties: spec: - description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' properties: - configPatches: - description: One or more patches with match conditions. + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. 
+ type: string + subsets: + description: One or more named sets that represent individual versions of a service. items: properties: - applyTo: - description: Specifies where in the Envoy configuration, the patch should be applied. - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service in the service registry. + type: object + name: + description: Name of the subset. type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster was generated. - type: integer - service: - description: The fully qualified service name for this cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. + connectionPool: properties: - filterChain: - description: Match a specific filter chain in a listener. + http: + description: HTTP connection pool settings. properties: - applicationProtocols: - description: Applies only to sidecars. 
+ h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - destinationPort: - description: The destination_port value used by a filter chain's match condition. + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 type: integer - filter: - description: The name of a specific filter to apply the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - description: The next level filter within this filter to match upon. - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. type: string - sni: - description: The SNI value used by a filter chain's match condition. + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. + idleTimeout: + description: The idle timeout for TCP connections. type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - description: The service port/gateway port to which traffic is being sent/received. - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - description: Match on the node metadata supplied by a proxy when connecting to Istio Pilot. - type: object - proxyVersion: - description: A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. - type: string type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash properties: - gateway: - description: The Istio gateway config's namespace/name for which this route configuration was generated. - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - description: The service port number or gateway server port number for which this route configuration was generated. - type: integer - vhost: - description: Match a specific virtual host in a route configuration and apply the patch to the virtual host. + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: - name: - description: The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService's host field or the hostname of a service in the registry. - type: string - route: - description: Match a specific route within the virtual host. + httpCookie: + description: Hash based on HTTP cookie. properties: - action: - description: Match a route with specific action type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string name: - description: The Route objects generated by default are named as default. + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied within a context. - format: int32 - type: integer - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. - properties: - labels: - additionalProperties: - type: string + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 
+ type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. 
+ type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. 
+ format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. 
+ properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. 
+ type: string + to: + description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |- + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. 
+ properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection is tunneled. 
+ type: string + targetPort: + description: Specifies a port to which the downstream connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + description: |- + Specifies where in the Envoy configuration, the patch should be applied. 
+ + Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster was generated. + maximum: 4294967295 + minimum: 0 + type: integer + service: + description: The fully qualified service name for this cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: |- + The specific config generation context to match on. + + Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by a filter chain's match condition. + maximum: 4294967295 + minimum: 0 + type: integer + filter: + description: The name of a specific filter to apply the patch to. + properties: + name: + description: The filter name to match on. 
+ type: string + subFilter: + description: The next level filter within this filter to match upon. + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + description: The service port/gateway port to which traffic is being sent/received. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + description: Match on the node metadata supplied by a proxy when connecting to Istio Pilot. + type: object + proxyVersion: + description: A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio proxy. + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + description: The Istio gateway config's namespace/name for which this route configuration was generated. + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + description: The service port number or gateway server port number for which this route configuration was generated. + maximum: 4294967295 + minimum: 0 + type: integer + vhost: + description: Match a specific virtual host in a route configuration and apply the patch to the virtual host. 
+ properties: + name: + description: The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the VirtualService's host field or the hostname of a service in the registry. + type: string + route: + description: Match a specific route within the virtual host. + properties: + action: + description: |- + Match a route with specific action type. + + Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + description: The Route objects generated by default are named as default. + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: |- + Determines the filter insertion order. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: |- + Determines how the patch should be applied. + + Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied within a context. + format: int32 + type: integer + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + type: object + type: array + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be unique across all servers. 
+ type: string + port: + description: The Port on which the proxy should listen for incoming connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. 
+ items: + type: string + type: array + name: + description: An optional name of the server, when set must be unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. 
+ + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. 
+ items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. 
+ + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. 
+ items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + knative.dev/crd-install: "true" + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. 
+ + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. 
+ + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + format: int32 + nullable: true + type: integer + environmentVariables: + additionalProperties: + type: string + description: Additional environment variables for the proxy. 
+ type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + knative.dev/crd-install: "true" + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. 
+ items: + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + jwksUri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. + type: string + required: + - issuer + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. 
+ type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before decoding the token. 
+ type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + jwksUri: + description: URL of the provider's public key set to validate signature of the JWT. + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. + type: string + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. + type: string + required: + - issuer + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. 
+ + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. 
+ type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. 
+ items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without the port. 
+ type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. 
+ + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. 
+ type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. 
+ format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. 
+ properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. 
+ + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object 
@@ -3743,90 +7275,261 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - name: v1alpha3 schema: openAPIV3Schema: properties: spec: - description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. 
+ items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object type: object - servers: - description: A list of server specifications. + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: bind: - description: The ip or the Unix domain socket to which the listener should be bound to. + description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string - defaultEndpoint: + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be unique across all servers. 
+ connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. 
+ format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string port: - description: The Port on which the proxy should listen for incoming connections. + description: The port associated with the listener. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: + maximum: 4294967295 + minimum: 0 type: integer - required: - - number - - protocol - - name type: object tls: - description: Set of TLS related options that govern the server's behavior. + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: 
@@ -3839,7 +7542,10 @@ spec: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -3848,7 +7554,10 @@ spec: - TLSV1_3 type: string minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -3857,7 +7566,10 @@ spec: - TLSV1_3 type: string mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE 
@@ -3890,16 +7602,54 @@ spec: type: object required: - port - - hosts type: object type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + type: object + type: object type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - name: v1beta1 
@@ -3907,55 +7657,253 @@ spec: openAPIV3Schema: properties: spec: - description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. + egress: + description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object type: object - servers: - description: A list of server specifications. + ingress: + description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. items: properties: bind: - description: The ip or the Unix domain socket to which the listener should be bound to. + description: The IP(IPv4 or IPv6) to which the listener should be bound. type: string - defaultEndpoint: + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be unique across all servers. + connectionPool: + description: Settings controlling the volume of connections Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. 
+ format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. type: string port: - description: The Port on which the proxy should listen for incoming connections. 
+ description: The port associated with the listener. properties: name: description: Label assigned to the port. type: string number: description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 type: integer protocol: description: The protocol exposed on the port. type: string targetPort: + maximum: 4294967295 + minimum: 0 type: integer - required: - - number - - protocol - - name type: object tls: - description: Set of TLS related options that govern the server's behavior. + description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate.' + type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: @@ -3968,7 +7916,10 @@ spec: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. type: boolean maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 @@ -3977,7 +7928,10 @@ spec: - TLSV1_3 type: string minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 enum: - TLS_AUTO - TLSV1_0 
@@ -3986,7 +7940,10 @@ spec: - TLSV1_3 type: string mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL enum: - PASSTHROUGH - SIMPLE 
@@ -4019,161 +7976,45 @@ spec: type: object required: - port - - hosts type: object type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - knative.dev/crd-install: "true" - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html' - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. 
- enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the PeerAuthentication on. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - nullable: true - type: integer - environmentVariables: - additionalProperties: - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. 
properties: - imageType: - description: The image type of the image. + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |- + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY type: string type: object - selector: - description: Optional. + workloadSelector: + description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. properties: - matchLabels: + labels: additionalProperties: type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. type: object type: object type: object 
@@ -4195,204 +8036,178 @@ metadata: app: istio-pilot chart: istio heritage: Tiller - istio: security + istio: telemetry release: istio knative.dev/crd-install: "true" - name: requestauthentications.security.istio.io + name: telemetries.telemetry.istio.io spec: - group: security.istio.io + group: telemetry.istio.io names: categories: - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries shortNames: - - ra - singular: requestauthentication + - telemetry + singular: telemetry scope: Namespaced versions: - - name: v1 + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: spec: - description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. + accessLogging: + description: Optional. items: properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. 
- items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept for the upstream request. + disabled: + description: Controls logging. + nullable: true type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. items: properties: name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before decoding the token. + description: Required. + minLength: 1 type: string required: - name type: object type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate signature of the JWT. - type: string - jwksUri: - description: URL of the provider's public key set to validate signature of the JWT. - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. 
- items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output a successfully verified JWT payload to the backend. - type: string - required: - - issuer type: object type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: + metrics: description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. items: properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. 
+ overrides: + description: Optional. items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? 
self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. items: properties: name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before decoding the token. + description: Required. + minLength: 1 type: string required: - name type: object type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate signature of the JWT. - type: string - jwksUri: - description: URL of the provider's public key set to validate signature of the JWT. - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output a successfully verified JWT payload to the backend. + reportingInterval: + description: Optional. type: string - required: - - issuer type: object type: array selector: @@ -4405,7 +8220,6 @@ spec: type: object type: object targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -4420,1327 +8234,1316 @@ spec: description: namespace is the namespace of the referent. type: string type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. 
See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. + targetRefs: + description: Optional. items: properties: - address: - description: Address associated with the network endpoint without the port. + group: + description: group is the group of the target resource. type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. + kind: + description: kind is kind of the target resource. type: string - network: - description: Network enables Istio to group endpoints resident in the same L3 domain/network. + name: + description: name is the name of the target resource. type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a sidecar is present in the workload. + namespace: + description: namespace is the namespace of the referent. type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer type: object type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: Specify whether the service should be considered external to the mesh or part of the mesh. - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. + tracing: + description: Optional. 
items: properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic will be received. - type: integer - required: - - number - - name + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. 
+ + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean type: object type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. 
- type: object - type: object - required: - - hosts type: object status: type: object x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1beta1 + name: v1alpha1 schema: openAPIV3Schema: properties: spec: - description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. + accessLogging: + description: Optional. items: properties: - address: - description: Address associated with the network endpoint without the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. 
+ disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections should be logged. + type: string type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in the same L3 domain/network. - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. + match: + description: Allows tailoring of logging behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string type: object - serviceAccount: - description: The service account associated with the workload if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: Specify whether the service should be considered external to the mesh or part of the mesh. - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. 
- type: string - targetPort: - description: The port number on the endpoint where the traffic will be received. - type: integer - required: - - number - - name + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array type: object type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. 
See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. + metrics: + description: Optional. items: properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. - type: string - captureMode: - description: When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener in `namespace/dnsName` format. + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. 
+ + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. items: - type: string + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - required: - - hosts + reportingInterval: + description: Optional. + type: string type: object type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. + selector: + description: Optional. properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
- enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
- type: string - type: object + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. type: object type: object - ingress: - description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. items: properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should be bound. + group: + description: group is the group of the target resource. type: string - captureMode: - description: The captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE + kind: + description: kind is kind of the target resource. type: string - connectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. 
- type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. - type: string - type: object - type: object + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + tracing: + description: Optional. 
+ items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. 
+ + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER type: string - targetPort: - type: integer type: object - tls: - description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. 
Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' + allowCredentials: + description: Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when requesting the resource. items: type: string type: array - credentialName: - description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. 
- type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject identity in the certificate presented by the client. + allowMethods: + description: List of HTTP methods allowed to access the resource. items: type: string type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. + allowOrigin: items: type: string type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are allowed to access. items: type: string type: array + maxAge: + description: Specifies how long the results of a preflight request can be cached. 
+ type: string type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. - type: string - captureMode: - description: When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). 
- enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. + delegate: + description: Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute. properties: name: - description: Label assigned to the port. + description: Name specifies the name of the delegate VirtualService. type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. type: string - targetPort: + type: object + directResponse: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer + required: + - status type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
- enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
- type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should be bound. - type: string - captureMode: - description: The captureMode option dictates how traffic to the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections Envoy will accept from the network. + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. properties: - http: - description: HTTP connection pool settings. + abort: + description: Abort Http request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc. 
+ oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + exponentialDelay: type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + fixedDelay: + description: Add a fixed delay before forwarding the request. type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. + percent: + description: Percentage of requests on which the delay will be injected (0-100). format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean + percentage: + description: Percentage of requests on which the delay will be injected. + properties: + value: + format: double + type: number + type: object type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + type: object + headers: + properties: + request: properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. 
+ add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. + items: type: string - maxConnectionDuration: - description: The maximum duration of a connection. + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: The header keys must be lowercase and use hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. 
+ type: boolean + method: + description: 'HTTP Method values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + sourceLabels: + additionalProperties: type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + description: One or more labels that constrain the applicability of a rule to source (client) workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex properties: - interval: - description: The time duration between keep-alive probes. + exact: type: string - probes: - description: Maximum number of keepalive probes to send without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be idle before keep-alive probes start being sent. 
+ prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). type: string type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in addition to forwarding the requests to the intended destination. properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' 
- enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: 'Optional: Indicates whether connections to this port should be secured using TLS.' - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + host: + description: The name of a service from the service registry. type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. type: string - subjectAltNames: - description: A list of alternate names to verify the subject identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array + required: + - host type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- type: string - required: - - host - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - knative.dev/crd-install: "true" - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. 
- items: - properties: - disabled: - description: Controls logging. + mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true - type: boolean - filter: - description: Optional. + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. properties: - expression: - description: CEL expression for selecting when requests/connections should be logged. - type: string + value: + format: double + type: number type: object - match: - description: Allows tailoring of logging behavior to specific conditions. + mirrors: + description: Specifies the destinations to mirror HTTP traffic in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror operation. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. 
+ oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort properties: - mode: - description: This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + authority: + description: On a redirect, overwrite the Authority/Host portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of the URL with this value. type: string type: object - providers: - description: Optional. + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. 
+ properties: + authority: + description: rewrite the Authority/Host header with this value. + type: string + uri: + description: rewrite the path (or the prefix) portion of the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, redirect or forward (default) traffic. items: properties: - name: - description: Required. - minLength: 1 - type: string + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. 
+ format: int32 + type: integer required: - - name + - destination type: object type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string type: object type: array - metrics: - description: Optional. + tcp: + description: An ordered list of route rules for opaque TCP traffic. items: properties: - overrides: - description: Optional. + match: + description: Match conditions to be satisfied for the rule to be activated. items: properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: 'Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.' - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') == ''UPSERT'') ? 
self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') == ''REMOVE'') ? !has(self.value) : true' - description: Optional. + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string type: object type: array - providers: - description: Optional. + route: + description: The destination to which the connection should be forwarded to. items: properties: - name: - description: Required. - minLength: 1 - type: string + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. + format: int32 + type: integer required: - - name + - destination type: object type: array - reportingInterval: - description: Optional. 
- type: string type: object type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - tracing: - description: Optional. + tls: + description: An ordered list of route rule for non-terminated TLS & HTTPS traffic. items: properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header + match: + description: Match conditions to be satisfied for the rule to be activated. + items: properties: - environment: - description: Environment adds the value of an environment variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from which to extract the tag value. - minLength: 1 - type: string - required: - - name + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. 
+ items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability of a rule to workloads with the given labels. type: object - header: - description: RequestHeader adds the value of an header from the request to each span. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to. properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract the tag value. - minLength: 1 + host: + description: The name of a service from the service registry. type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to each span. - properties: - value: - description: The tag value to use. - minLength: 1 + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. type: string required: - - value + - host type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - description: This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. 
- enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string + weight: + description: Weight specifies the relative proportion of traffic to be forwarded to the destination. + format: int32 + type: integer required: - - name + - destination type: object type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean + required: + - match type: object type: array type: object status: type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: The names of gateways and sidecars that should apply these routes jsonPath: .spec.gateways @@ -5874,6 +9677,8 @@ spec: type: object status: description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer required: - status 
@@ -6078,6 +9883,8 @@ spec: type: string port: description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer queryParams: additionalProperties: @@ -6210,6 +10017,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6219,9 +10028,13 @@ spec: - host type: object mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercentage: @@ -6245,6 +10058,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6285,16 +10100,23 @@ spec: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: - description: 'On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.' + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. @@ -6355,6 +10177,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -6429,6 +10253,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sourceLabels: additionalProperties: @@ -6456,6 +10282,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6494,6 +10322,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. @@ -6526,6 +10356,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -6552,7 +10384,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -6688,6 +10520,8 @@ spec: type: object status: description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 type: integer required: - status @@ -6892,6 +10726,8 @@ spec: type: string port: description: Specifies the ports on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer queryParams: additionalProperties: @@ -7024,6 +10860,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7033,9 +10871,13 @@ spec: - host type: object mirror_percent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercent: + maximum: 4294967295 + minimum: 0 nullable: true type: integer mirrorPercentage: @@ -7059,6 +10901,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -7099,16 +10943,23 @@ spec: description: On a redirect, overwrite the Authority/Host portion of the URL with this value. type: string derivePort: - description: 'On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.' + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT type: string port: description: On a redirect, overwrite the port portion of the URL with this value. + maximum: 4294967295 + minimum: 0 type: integer redirectCode: description: On a redirect, Specifies the HTTP status code to use in the redirect response. + maximum: 4294967295 + minimum: 0 type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. @@ -7169,6 +11020,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7243,6 +11096,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sourceLabels: additionalProperties: @@ -7270,6 +11125,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: @@ -7308,6 +11165,8 @@ spec: type: array port: description: Specifies the port on the host that is being addressed. + maximum: 4294967295 + minimum: 0 type: integer sniHosts: description: SNI (server name indicator) to match on. @@ -7340,6 +11199,8 @@ spec: description: Specifies the port on the host that is being addressed. properties: number: + maximum: 4294967295 + minimum: 0 type: integer type: object subset: 
@@ -7366,7 +11227,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- @@ -7407,13 +11268,19 @@ spec: description: 'Extend the functionality provided by the Istio proxy through WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' properties: failStrategy: - description: Specifies the failure behavior for the plugin due to fatal errors. + description: |- + Specifies the failure behavior for the plugin due to fatal errors. + + Valid Options: FAIL_CLOSE, FAIL_OPEN enum: - FAIL_CLOSE - FAIL_OPEN type: string imagePullPolicy: - description: The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + description: |- + The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + + Valid Options: IfNotPresent, Always enum: - UNSPECIFIED_POLICY - IfNotPresent @@ -7429,7 +11296,10 @@ spec: items: properties: mode: - description: Criteria for selecting traffic by their direction. + description: |- + Criteria for selecting traffic by their direction. + + Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER enum: - UNDEFINED - CLIENT @@ -7454,7 +11324,10 @@ spec: type: object type: array phase: - description: Determines where in the filter chain this `WasmPlugin` is to be injected. + description: |- + Determines where in the filter chain this `WasmPlugin` is to be injected. + + Valid Options: AUTHN, AUTHZ, STATS enum: - UNSPECIFIED_PHASE - AUTHN @@ -7472,6 +11345,7 @@ spec: type: string priority: description: Determines ordering of `WasmPlugins` in the same `phase`. + format: int32 nullable: true type: integer selector: @@ -7488,7 +11362,6 @@ spec: pattern: (^$|^[a-f0-9]{64}$) type: string targetRef: - description: Optional. properties: group: description: group is the group of the target resource. 
@@ -7503,8 +11376,29 @@ spec: description: namespace is the namespace of the referent. type: string type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array type: - description: Specifies the type of Wasm Extension to be used. + description: |- + Specifies the type of Wasm Extension to be used. + + Valid Options: HTTP, NETWORK enum: - UNSPECIFIED_PLUGIN_TYPE - HTTP @@ -7536,7 +11430,10 @@ spec: maxLength: 2048 type: string valueFrom: - description: Source for the environment variable's value. + description: |- + Source for the environment variable's value. + + Valid Options: INLINE, HOST enum: - INLINE - HOST 
@@ -7593,6 +11490,60 @@ spec: singular: workloadentry scope: Namespaced versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ maximum: 4294967295 + minimum: 0 + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp @@ -7625,6 +11576,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7633,6 +11586,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object status: @@ -7640,7 +11595,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: @@ -7675,6 +11630,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7683,6 +11640,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object status: @@ -7690,7 +11649,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- 
@@ -7718,6 +11677,163 @@ spec: singular: workloadgroup scope: Namespaced versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: '`WorkloadGroup` enables specifying the properties of a single workload for bootstrap and provides a template for `WorkloadEntry`, similar to how `Deployment` specifies properties of workloads via `Pod` templates.' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the status/able to connect determines health.' 
+ properties: + host: + description: Host name to connect to, defaults to the pod IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in the same L3 domain/network. 
+ type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp @@ -7794,6 +11910,8 @@ spec: type: string port: description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 type: integer scheme: type: string @@ -7818,6 +11936,8 @@ spec: host: type: string port: + maximum: 4294967295 + minimum: 0 type: integer required: - port @@ -7846,6 +11966,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -7854,6 +11976,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object required: @@ -7864,7 +11988,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: true + storage: false subresources: status: {} - additionalPrinterColumns: 
@@ -7943,6 +12067,8 @@ spec: type: string port: description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 type: integer scheme: type: string @@ -7967,6 +12093,8 @@ spec: host: type: string port: + maximum: 4294967295 + minimum: 0 type: integer required: - port @@ -7995,6 +12123,8 @@ spec: type: string ports: additionalProperties: + maximum: 4294967295 + minimum: 0 type: integer description: Set of ports associated with the endpoint. type: object @@ -8003,6 +12133,8 @@ spec: type: string weight: description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 type: integer type: object required: @@ -8013,7 +12145,7 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object served: true - storage: false + storage: true subresources: status: {} --- @@ -8023,9 +12155,6 @@ data: defaultConfig: discoveryAddress: istiod.istio-system.svc:15012 terminationDrainDuration: 20s - tracing: - zipkin: - address: zipkin.istio-system:9411 defaultProviders: metrics: - prometheus @@ -8104,8 +12233,8 @@ data: kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} - {{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} + {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} + {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", 
@@ -8129,7 +12258,7 @@ data: (not $nativeSidecar) }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init @@ -8181,7 +12310,7 @@ data: {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} - {{ if .Values.istio_cni.enabled -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - "--run-validation" - "--skip-rule-apply" {{ end -}} @@ -8199,14 +12328,14 @@ data: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: - {{- if not .Values.istio_cni.enabled }} + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL - {{- if not .Values.istio_cni.enabled }} + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false @@ -8297,12 +12426,10 @@ data: - drain {{- end }} env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -8501,10 +12628,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ 
@@ -8557,7 +12682,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -8565,7 +12689,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -8657,8 +12780,6 @@ data: runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -8787,10 +12908,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ @@ -8827,7 +12946,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -8835,7 +12953,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: 
@@ -8959,7 +13076,7 @@ data: service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} annotations: { - istio.io/rev: {{ .Revision | default "default" }}, + istio.io/rev: {{ .Revision | default "default" | quote }}, {{- if ge (len $containers) 1 }} {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", @@ -9008,12 +13125,10 @@ data: value: grpc - name: OUTPUT_CERTS value: /var/lib/istio/data - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + {{- if eq .InboundTrafficPolicyMode "localhost" }} - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION value: "true" {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9130,10 +13245,8 @@ data: # UDS channel between istioagent and gRPC client for XDS/SDS - mountPath: /etc/istio/proxy name: istio-xds - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - mountPath: /etc/certs/ @@ -9204,7 +13317,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: 
@@ -9212,7 +13324,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -9256,6 +13367,14 @@ data: "gateway.networking.k8s.io/gateway-name" .Name "istio.io/gateway-name" .Name ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -9288,7 +13407,6 @@ data: (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") (strdict "istio.io/rev" (.Revision | default "default")) (strdict - "ambient.istio.io/redirection" "disabled" "prometheus.io/path" "/stats/prometheus" "prometheus.io/port" "15020" "prometheus.io/scrape" "true" @@ -9297,6 +13415,7 @@ data: {{- toJsonMap (strdict "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" "service.istio.io/canonical-name" .DeploymentName "service.istio.io/canonical-revision" "latest" ) @@ -9349,8 +13468,6 @@ data: valueFrom: fieldRef: fieldPath: spec.nodeName - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9555,6 +13672,14 @@ data: "gateway.networking.k8s.io/gateway-name" .Name "istio.io/gateway-name" .Name ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} --- apiVersion: apps/v1 kind: Deployment 
@@ -9603,7 +13728,7 @@ data: "istio.io/gateway-name" .Name ) | nindent 8 }} spec: - {{- if .KubeVersion122 }} + {{- if ge .KubeVersion 122 }} {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} securityContext: sysctls: @@ -9624,7 +13749,7 @@ data: {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: - {{- if .KubeVersion122 }} + {{- if ge .KubeVersion 122 }} # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 capabilities: drop: @@ -9673,11 +13798,9 @@ data: {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} {{- end }} env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} - name: CA_ADDR @@ -9802,10 +13925,8 @@ data: # SDS channel between istioagent and Envoy - mountPath: /etc/istio/proxy name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - mountPath: /var/run/secrets/tokens name: istio-token - {{- end }} - name: istio-podinfo mountPath: /etc/istio/pod volumes: @@ -9836,7 +13957,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: sources: @@ -9844,7 +13964,6 @@ data: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} - {{- end }} {{- if eq .Values.global.pilotCertProvider "istiod" }} - name: istiod-ca-cert configMap: @@ -9917,7 +14036,6 @@ data: "istiod": { "enableAnalysis": false }, - "jwtPolicy": "third-party-jwt", "logAsJson": false, "logging": { "level": "default:info" 
@@ -9932,7 +14050,6 @@ data: "namespace": "istio-system", "network": "", "omitSidecarInjectorConfigMap": false, - "oneNamespace": false, "operatorManageWebhooks": false, "pilotCertProvider": "istiod", "priorityClassName": "", @@ -9968,7 +14085,7 @@ data: "failureThreshold": 600 }, "statusPort": 15020, - "tracer": "zipkin" + "tracer": "none" }, "proxy_init": { "image": "proxyv2" @@ -9982,12 +14099,19 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.21.1", + "tag": "1.22.1", "variant": "" }, "istio_cni": { "chained": true, - "enabled": false + "enabled": false, + "provider": "default" + }, + "pilot": { + "cni": { + "enabled": false, + "provider": "default" + } }, "revision": "", "sidecarInjectorWebhook": { @@ -10068,8 +14192,6 @@ spec: - --proxyComponentLogLevel=misc:error - --log_output_level=default:info env: - - name: JWT_POLICY - value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: CA_ADDR @@ -10123,7 +14245,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.21.1 + image: docker.io/istio/proxyv2:1.22.1 name: istio-proxy ports: - containerPort: 15021 @@ -10256,7 +14378,6 @@ spec: template: metadata: annotations: - ambient.istio.io/redirection: disabled prometheus.io/port: "15014" prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" @@ -10264,6 +14385,7 @@ spec: app: istiod install.operator.istio.io/owning-resource: unknown istio: pilot + istio.io/dataplane-mode: none istio.io/rev: default operator.istio.io/component: Pilot sidecar.istio.io/inject: "false" @@ -10280,8 +14402,6 @@ spec: env: - name: REVISION value: default - - name: JWT_POLICY - value: third-party-jwt - name: PILOT_CERT_PROVIDER value: istiod - name: POD_NAME @@ -10317,7 +14437,7 @@ spec: resource: limits.cpu - name: PLATFORM value: "" - image: docker.io/istio/pilot:1.21.1 + image: docker.io/istio/pilot:1.22.1 name: discovery ports: - containerPort: 8080 
@@ -10363,6 +14483,9 @@ spec: name: istio-csr-ca-configmap readOnly: true serviceAccountName: istiod + tolerations: + - key: cni.istio.io/not-ready + operator: Exists volumes: - emptyDir: medium: Memory diff --git a/vendor/istio.io/api/analysis/v1alpha1/message.pb.go b/vendor/istio.io/api/analysis/v1alpha1/message.pb.go index 55ce81ec60..53aa26b3f1 100644 --- a/vendor/istio.io/api/analysis/v1alpha1/message.pb.go +++ b/vendor/istio.io/api/analysis/v1alpha1/message.pb.go @@ -14,7 +14,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 +// protoc-gen-go v1.33.0 // protoc (unknown) // source: analysis/v1alpha1/message.proto diff --git a/vendor/istio.io/api/meta/v1alpha1/status.pb.go b/vendor/istio.io/api/meta/v1alpha1/status.pb.go index 3144e7515f..0e8f61d160 100644 --- a/vendor/istio.io/api/meta/v1alpha1/status.pb.go +++ b/vendor/istio.io/api/meta/v1alpha1/status.pb.go @@ -14,7 +14,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 +// protoc-gen-go v1.33.0 // protoc (unknown) // source: meta/v1alpha1/status.proto diff --git a/vendor/istio.io/api/networking/v1beta1/destination_rule.pb.go b/vendor/istio.io/api/networking/v1beta1/destination_rule.pb.go index dcc8dfed45..6ff61c6acf 100644 --- a/vendor/istio.io/api/networking/v1beta1/destination_rule.pb.go +++ b/vendor/istio.io/api/networking/v1beta1/destination_rule.pb.go @@ -14,7 +14,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.32.0 +// protoc-gen-go v1.33.0 // protoc (unknown) // source: networking/v1beta1/destination_rule.proto 
@@ -32,22 +32,6 @@ // balancing pool. For example, a simple load balancing policy for the // ratings service would look as follows: // -// {{}} -// {{}} -// ```yaml -// apiVersion: networking.istio.io/v1alpha3 -// kind: DestinationRule -// metadata: -// name: bookinfo-ratings -// spec: -// host: ratings.prod.svc.cluster.local -// trafficPolicy: -// loadBalancer: -// simple: LEAST_REQUEST -// ``` -// {{}} -// -// {{}} // ```yaml // apiVersion: networking.istio.io/v1beta1 // kind: DestinationRule @@ -59,8 +43,6 @@ // loadBalancer: // simple: LEAST_REQUEST // ``` -// {{}} -// {{}} // // Version specific policies can be specified by defining a named // `subset` and overriding the settings specified at the service level. The @@ -68,29 +50,6 @@ // going to a subset named testversion that is composed of endpoints (e.g., // pods) with labels (version:v3). // -// {{}} -// {{}} -// ```yaml -// apiVersion: networking.istio.io/v1alpha3 -// kind: DestinationRule -// metadata: -// name: bookinfo-ratings -// spec: -// host: ratings.prod.svc.cluster.local -// trafficPolicy: -// loadBalancer: -// simple: LEAST_REQUEST -// subsets: -// - name: testversion -// labels: -// version: v3 -// trafficPolicy: -// loadBalancer: -// simple: ROUND_ROBIN -// ``` -// {{}} -// -// {{}} // ```yaml // apiVersion: networking.istio.io/v1beta1 // kind: DestinationRule @@ -109,8 +68,6 @@ // loadBalancer: // simple: ROUND_ROBIN // ``` -// {{}} -// {{}} // // **Note:** Policies specified for subsets will not take effect until // a route rule explicitly sends traffic to this subset. 
@@ -120,29 +77,6 @@ // traffic to port 80, while uses a round robin load balancing setting for // traffic to the port 9080. // -// {{}} -// {{}} -// ```yaml -// apiVersion: networking.istio.io/v1alpha3 -// kind: DestinationRule -// metadata: -// name: bookinfo-ratings-port -// spec: -// host: ratings.prod.svc.cluster.local -// trafficPolicy: # Apply to all ports -// portLevelSettings: -// - port: -// number: 80 -// loadBalancer: -// simple: LEAST_REQUEST -// - port: -// number: 9080 -// loadBalancer: -// simple: ROUND_ROBIN -// ``` -// {{}} -// -// {{}} // ```yaml // apiVersion: networking.istio.io/v1beta1 // kind: DestinationRule @@ -161,9 +95,6 @@ // loadBalancer: // simple: ROUND_ROBIN // ``` -// {{}} -// {{}} -// package v1beta1 @@ -436,6 +367,7 @@ func (ClientTLSSettings_TLSmode) EnumDescriptor() ([]byte, []int) { //