From 5e6565a0b2bcae21f1a10ffd6759a17a8a4f5c7b Mon Sep 17 00:00:00 2001
From: Filip Brychta
Date: Mon, 4 Nov 2024 11:53:40 +0100
Subject: [PATCH 01/11] Fixing issue with missing istiod-remote chart when adding new versions (#464)

We are automatically adding new stable versions but not all of them contain istiod-remote chart. This change is adding the chart only for Istio 1.23

Signed-off-by: Filip Brychta
---
 hack/update-istio.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/hack/update-istio.sh b/hack/update-istio.sh
index b85508e7e..43d7efb43 100755
--- a/hack/update-istio.sh
+++ b/hack/update-istio.sh
@@ -26,6 +26,12 @@ VERSIONS_YAML_FILE=${VERSIONS_YAML_FILE:-"versions.yaml"}
 # The new entry will be placed immediately before the old one
 function add_stable_version() {
 echo "Adding new stable version: ${1}"
+ # we want to add the istiod-remote chart only for 1.23
+ istiod_remote_line=""
+ if [[ ${1} == 1.23.* ]]
+ then
+ istiod_remote_line="\"https://istio-release.storage.googleapis.com/charts/istiod-remote-${1}.tgz\","
+ fi
 template=$(cat <<-END
 {
 "name": "v${1}",
@@ -35,7 +41,7 @@ function add_stable_version() {
 "charts": [
 "https://istio-release.storage.googleapis.com/charts/base-${1}.tgz",
 "https://istio-release.storage.googleapis.com/charts/istiod-${1}.tgz",
- "https://istio-release.storage.googleapis.com/charts/istiod-remote-${1}.tgz",
+ ${istiod_remote_line}
 "https://istio-release.storage.googleapis.com/charts/gateway-${1}.tgz",
 "https://istio-release.storage.googleapis.com/charts/cni-${1}.tgz",
 "https://istio-release.storage.googleapis.com/charts/ztunnel-${1}.tgz"
@@ -43,6 +49,7 @@ function add_stable_version() {
 }
 END
 )
+
 # Insert the new key above the old one (https://stackoverflow.com/questions/74368503/is-it-possible-to-insert-an-element-into-a-middle-of-array-in-yaml-using-yq)
 # shellcheck disable=SC2016
 yq -i '.versions |= (
From dddde57fbb2c0d4217c3a70fed0d479cf8458e48 Mon Sep 17 00:00:00 2001
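Review bot: `istiod_remote_line` in the first hunk of `add_stable_version` is assigned without `local`, so it escapes the function into the caller's shell; `local istiod_remote_line=""` keeps it function-scoped. The same hunk interpolates `${1}` unvalidated into both the chart URL and the JSON heredoc that `yq` later merges into versions.yaml, so a malformed argument yields a broken entry instead of a clear failure; a guard such as `[[ ${1} =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "invalid version: ${1}" >&2; return 1; }` at the top of the function would fail fast. The added comment would also read better if it named the reason rather than the version alone, e.g. `# only the 1.23 chart set is expected to ship istiod-remote; skip it for other versions`. The body of `add_stable_version` continues past the last hunk.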
From: Maxim Babushkin Date: Mon, 4 Nov 2024 15:34:40 +0200 Subject: [PATCH 02/11] Update version reference in docs guide (#465) Signed-off-by: Maxim Babushkin --- docs/README.md | 106 ++++++++++++++++++++++++++++++------------------- 1 file changed, 65 insertions(+), 41 deletions(-) diff --git a/docs/README.md b/docs/README.md index 828976cf5..367df9fe1 100644 --- a/docs/README.md +++ b/docs/README.md @@ -64,7 +64,7 @@ kind: Istio metadata: name: default spec: - version: v1.22.3 + version: v1.23.2 namespace: istio-system updateStrategy: type: InPlace @@ -98,7 +98,7 @@ kind: IstioCNI metadata: name: default spec: - version: v1.22.3 + version: v1.23.2 namespace: istio-cni values: cni: @@ -120,7 +120,7 @@ kind: RemoteIstio metadata: name: default spec: - version: v1.22.3 + version: v1.23.2 namespace: istio-system updateStrategy: type: InPlace @@ -231,7 +231,7 @@ spec: values: pilot: traceSampling: 0.1 - version: v1.23.0 + version: v1.23.2 ``` Note that the only field that was added is the `spec.version` field. There are a few situations however where the APIs are different and require different approaches to achieve the same outcome. @@ -288,7 +288,7 @@ Steps: namespace: istio-system updateStrategy: type: InPlace - version: v1.21.0 + version: v1.22.5 EOF ``` @@ -296,9 +296,10 @@ Steps: ```console $ kubectl get istio -n istio-system - NAME READY STATUS IN USE VERSION AGE - default True Healthy True v1.21.0 2m + NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE + default 1 1 0 default Healthy v1.22.5 23s ``` + Note: `IN USE` field shows as 0, as `Istio` is yet installed. 4. Create namespace `bookinfo` and deploy bookinfo application. 
@@ -309,27 +310,36 @@ Steps: ``` Note: if the `Istio` resource name is other than `default`, you need to set the `istio.io/rev` label to the name of the `Istio` resource instead of adding the `istio-injection=enabled` label. -5. Perform the update of the control plane by changing the version in the Istio resource. +5. Review the `Istio` resource after application deployment. + + ```console + $ kubectl get istio -n istio-system + NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE + default 1 1 1 default Healthy v1.22.5 115s + ``` + Note: `IN USE` field shows as 1, after application being deployed. + +6. Perform the update of the control plane by changing the version in the Istio resource. ```bash - kubectl patch istio default -n istio-system --type='merge' -p '{"spec":{"version":"v1.21.2"}}' + kubectl patch istio default -n istio-system --type='merge' -p '{"spec":{"version":"v1.23.2"}}' ``` -6. Confirm the `Istio` resource version was updated. +7. Confirm the `Istio` resource version was updated. ```console $ kubectl get istio -n istio-system - NAME REVISIONS READY IN USE ACTIVE REVISION VERSION AGE - default 1 1 1 Healthy v1.21.2 12m + NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE + default 1 1 1 default Healthy v1.23.2 4m50s ``` -7. Delete `bookinfo` pods to trigger sidecar injection with the new version. +8. Delete `bookinfo` pods to trigger sidecar injection with the new version. ```bash kubectl rollout restart deployment -n bookinfo ``` -8. Confirm that the new version is used in the sidecar. +9. Confirm that the new version is used in the sidecar. ```bash istioctl proxy-status @@ -366,7 +376,7 @@ Steps: updateStrategy: type: RevisionBased inactiveRevisionDeletionGracePeriodSeconds: 30 - version: v1.21.0 + version: v1.22.5 EOF ``` 
@@ -374,16 +384,17 @@ Steps: ```console $ kubectl get istio -n istio-system - NAME READY STATUS IN USE VERSION AGE - default True Healthy True v1.21.0 2m + NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE + default 1 1 0 default-v1-22-5 Healthy v1.22.5 52s ``` + Note: `IN USE` field shows as 0, as `Istio` is yet installed. 4. Get the `IstioRevision` name. ```console $ kubectl get istiorevision -n istio-system - NAME READY STATUS IN USE VERSION AGE - default-v1-21-0 True Healthy False v1.21.0 114s + NAME TYPE READY STATUS IN USE VERSION AGE + default-v1-22-5 Local True Healthy False v1.22.5 3m4s ``` Note: `IstioRevision` name is in the format `-`. @@ -391,7 +402,7 @@ Steps: ```bash kubectl create namespace bookinfo - kubectl label namespace bookinfo istio.io/rev=default-v1-21-0 + kubectl label namespace bookinfo istio.io/rev=default-v1-22-5 ``` 6. Deploy bookinfo application. 
@@ -400,78 +411,91 @@ Steps: kubectl apply -n bookinfo -f https://raw.githubusercontent.com/istio/istio/release-1.22/samples/bookinfo/platform/kube/bookinfo.yaml ``` -7. Confirm that the proxy version matches the control plane version. +7. Review the `Istio` resource after application deployment. + + ```console + $ kubectl get istio -n istio-system + NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE + default 1 1 1 default-v1-22-5 Healthy v1.22.5 5m13s + ``` + Note: `IN USE` field shows as 1, after application being deployed. + +8. Confirm that the proxy version matches the control plane version. ```bash istioctl proxy-status ``` The column `VERSION` should match the control plane version. -8. Update the control plane to a new version. +9. Update the control plane to a new version. ```bash - kubectl patch istio default -n istio-system --type='merge' -p '{"spec":{"version":"v1.21.2"}}' + kubectl patch istio default -n istio-system --type='merge' -p '{"spec":{"version":"v1.23.2"}}' ``` -9. Verify the `Istio` and `IstioRevision` resources. There will be a new revision created with the new version. +10. Verify the `Istio` and `IstioRevision` resources. There will be a new revision created with the new version. ```console $ kubectl get istio -n istio-system - NAME REVISIONS READY IN USE ACTIVE REVISION VERSION AGE - default 2 2 1 Healthy v1.21.2 23m + NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE + default 2 2 1 default-v1-23-2 Healthy v1.23.2 9m23s $ kubectl get istiorevision -n istio-system - NAME READY STATUS IN USE VERSION AGE - default-v1-21-0 True Healthy True v1.21.0 27m - default-v1-21-2 True Healthy False v1.21.2 4m45s + NAME TYPE READY STATUS IN USE VERSION AGE + default-v1-22-5 Local True Healthy True v1.22.5 10m + default-v1-23-2 Local True Healthy False v1.23.2 66s ``` -10. Confirm there are two control plane pods running, one for each revision. +11. Confirm there are two control plane pods running, one for each revision. 
```console $ kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE - istiod-default-v1-21-0-69d6df7f9c-grm24 1/1 Running 0 28m - istiod-default-v1-21-2-7c4f4674c5-4g7n7 1/1 Running 0 6m9s + istiod-default-v1-22-5-c98fd9675-r7bfw 1/1 Running 0 10m + istiod-default-v1-23-2-7495cdc7bf-v8t4g 1/1 Running 0 113s ``` -11. Confirm the proxy sidecar version remains the same: +12. Confirm the proxy sidecar version remains the same: ```bash istioctl proxy-status ``` The column `VERSION` should still match the old control plane version. -12. Change the label of the `bookinfo` namespace to use the new revision. +13. Change the label of the `bookinfo` namespace to use the new revision. ```bash - kubectl label namespace bookinfo istio.io/rev=default-v1-21-2 --overwrite + kubectl label namespace bookinfo istio.io/rev=default-v1-23-2 --overwrite ``` The existing workload sidecars will continue to run and will remain connected to the old control plane instance. They will not be replaced with a new version until the pods are deleted and recreated. -13. Delete all the pods in the `bookinfo` namespace. +14. Delete all the pods in the `bookinfo` namespace. ```bash kubectl rollout restart deployment -n bookinfo ``` -14. Confirm the new version is used in the sidecars. +15. Confirm the new version is used in the sidecars. ```bash istioctl proxy-status ``` The column `VERSION` should match the updated control plane version. -15. Confirm the old control plane and revision deletion. +16. Confirm the old control plane and revision deletion. 
```console $ kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE - istiod-default-v1-21-2-7c4f4674c5-4g7n7 1/1 Running 0 94m + istiod-default-v1-23-2-7495cdc7bf-v8t4g 1/1 Running 0 4m40s + + $ kubectl get istio -n istio-system + NAME REVISIONS READY IN USE ACTIVE REVISION STATUS VERSION AGE + default 1 1 1 default-v1-23-2 Healthy v1.23.2 5m $ kubectl get istiorevision -n istio-system - NAME READY STATUS IN USE VERSION AGE - default-v1-21-2 True Healthy True v1.21.2 94m + NAME TYPE READY STATUS IN USE VERSION AGE + default-v1-23-2 Local True Healthy True v1.23.2 5m31s ``` The old `IstioRevision` resource and the old control plane will be deleted when the grace period specified in the `Istio` resource field `spec.updateStrategy.inactiveRevisionDeletionGracePeriodSeconds` expires. From 66b4166d30c752001395d8b83ac75cf0e5f73b97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Tue, 5 Nov 2024 14:12:42 +0100 Subject: [PATCH 03/11] Remove RemoteIstio resource (#461) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Remove RemoteIstio resource In latest versions of Istio, the istiod-remote chart has been removed. Instead, users deploy the regular istiod chart, but set the profile to `remote`. Signed-off-by: Marko Lukša * Clean up resources created by istioctl create-remote-secret Signed-off-by: Marko Lukša --------- 
Signed-off-by: Marko Lukša --- PROJECT | 8 - api/v1alpha1/istio_types.go | 7 +- api/v1alpha1/istiocni_types.go | 4 +- api/v1alpha1/istiorevision_types.go | 15 - api/v1alpha1/remoteistio_types.go | 217 - api/v1alpha1/zz_generated.deepcopy.go | 123 - .../sailoperator.clusterserviceversion.yaml | 78 +- .../manifests/sailoperator.io_istiocnis.yaml | 3 +- .../sailoperator.io_istiorevisions.yaml | 9 - bundle/manifests/sailoperator.io_istios.yaml | 3 +- .../sailoperator.io_remoteistios.yaml | 9528 ----------------- chart/crds/sailoperator.io_istiocnis.yaml | 3 +- .../crds/sailoperator.io_istiorevisions.yaml | 9 - chart/crds/sailoperator.io_istios.yaml | 3 +- chart/crds/sailoperator.io_remoteistios.yaml | 9522 ---------------- chart/samples/remoteistio-sample.yaml | 15 - cmd/main.go | 8 - controllers/istio/istio_controller.go | 3 +- .../istiorevision/istiorevision_controller.go | 37 +- .../istiorevision_controller_test.go | 52 +- .../remoteistio/remoteistio_controller.go | 315 - .../remoteistio_controller_test.go | 927 -- controllers/webhook/webhook_controller.go | 36 +- .../webhook/webhook_controller_test.go | 16 +- docs/README.md | 47 +- docs/api-reference/sailoperator.io.md | 172 +- hack/download-charts.sh | 3 - hack/update-profiles-list.sh | 2 +- hack/update-version-list.sh | 2 +- pkg/constants/constants.go | 4 + pkg/revision/reconcile.go | 4 +- pkg/revision/reconcile_test.go | 3 +- pkg/revision/remote.go | 25 + pkg/version/semverutils.go | 27 + pkg/version/semverutils_test.go | 34 + resources/latest/profiles/remote.yaml | 7 + resources/v1.21.6/profiles/remote.yaml | 5 + resources/v1.22.5/profiles/remote.yaml | 5 + resources/v1.23.2/profiles/remote.yaml | 5 + .../multicluster_primaryremote_test.go | 54 +- tests/integration/api/istio_test.go | 2 - tests/integration/api/istiorevision_test.go | 7 - tests/integration/api/suite_test.go | 2 - 43 files changed, 225 insertions(+), 21126 deletions(-) delete mode 100644 api/v1alpha1/remoteistio_types.go delete mode 100644 
bundle/manifests/sailoperator.io_remoteistios.yaml delete mode 100644 chart/crds/sailoperator.io_remoteistios.yaml delete mode 100644 chart/samples/remoteistio-sample.yaml delete mode 100644 controllers/remoteistio/remoteistio_controller.go delete mode 100644 controllers/remoteistio/remoteistio_controller_test.go create mode 100644 pkg/revision/remote.go create mode 100644 pkg/version/semverutils.go create mode 100644 pkg/version/semverutils_test.go create mode 100644 resources/latest/profiles/remote.yaml create mode 100644 resources/v1.21.6/profiles/remote.yaml create mode 100644 resources/v1.22.5/profiles/remote.yaml create mode 100644 resources/v1.23.2/profiles/remote.yaml diff --git a/PROJECT b/PROJECT index 8dd5f649d..54844738f 100644 --- a/PROJECT +++ b/PROJECT @@ -19,14 +19,6 @@ resources: kind: Istio path: github.com/istio-ecosystem/sail-operator/api/v1alpha1 version: v1alpha1 -- api: - crdVersion: v1 - namespaced: false - controller: true - domain: sailoperator.io - kind: RemoteIstio - path: github.com/istio-ecosystem/sail-operator/api/v1alpha1 - version: v1alpha1 - api: crdVersion: v1 namespaced: false diff --git a/api/v1alpha1/istio_types.go b/api/v1alpha1/istio_types.go index b5a4f766a..a4c267f73 100644 --- a/api/v1alpha1/istio_types.go +++ b/api/v1alpha1/istio_types.go 
@@ -51,10 +51,10 @@ type IstioSpec struct {
 // +sail:profile
 // The built-in installation configuration profile to use.
 // The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
- // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable.
+ // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable.
 // +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"}
 // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
- // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable
+ // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;remote;stable
 Profile string `json:"profile,omitempty"`
 
 // Namespace to which the Istio components should be installed. Note that this field is immutable.
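Review bot: The `remote` value added to the profile enum here, and identically in the istiocni_types.go hunk, is documented only by its name; nothing in the `Profile` comment says that it is how a remote control plane is now requested once the `RemoteIstio` resource and the `IstioRevision` `spec.type` field are removed by this commit. A line such as `// Use 'remote' to install a remote control plane; this replaces the removed RemoteIstio resource.` on the `IstioSpec` field would close that gap. For `IstioCNISpec` the same widening is accepted by CRD validation, but it is not visible from the hunk whether a `remote` profile has any effect on CNI; if the list is generated by hack/update-profiles-list.sh (changed in this commit), a note that the value is a no-op there, or a separate enum, would avoid surprising users. The enclosing struct definitions begin and end outside both hunks.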
@@ -227,6 +227,9 @@ const (
 // IstioReasonIstiodNotReady indicates that the control plane is fully reconciled, but istiod is not ready.
 IstioReasonIstiodNotReady IstioConditionReason = "IstiodNotReady"
 
+ // IstioReasonRemoteIstiodNotReady indicates that the control plane is fully reconciled, but the remote istiod is not ready.
+ IstioReasonRemoteIstiodNotReady IstioConditionReason = "RemoteIstiodNotReady"
+
 // IstioReasonReadinessCheckFailed indicates that readiness could not be ascertained.
 IstioReasonReadinessCheckFailed IstioConditionReason = "ReadinessCheckFailed"
 )
diff --git a/api/v1alpha1/istiocni_types.go b/api/v1alpha1/istiocni_types.go
index 535af7237..3aefa2829 100644
--- a/api/v1alpha1/istiocni_types.go
+++ b/api/v1alpha1/istiocni_types.go
@@ -37,10 +37,10 @@ type IstioCNISpec struct {
 // +sail:profile
 // The built-in installation configuration profile to use.
 // The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
- // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable.
+ // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable.
 // +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"}
 // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"}
- // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable
+ // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;remote;stable
 Profile string `json:"profile,omitempty"`
 
 // Namespace to which the Istio CNI component should be installed.
diff --git a/api/v1alpha1/istiorevision_types.go b/api/v1alpha1/istiorevision_types.go
index 4c3347e47..fb9c765cf 100644
--- a/api/v1alpha1/istiorevision_types.go
+++ b/api/v1alpha1/istiorevision_types.go
@@ -28,11 +28,6 @@ const (
 // IstioRevisionSpec defines the desired state of IstioRevision
 // +kubebuilder:validation:XValidation:rule="self.values.global.istioNamespace == self.__namespace__",message="spec.values.global.istioNamespace must match spec.namespace"
 type IstioRevisionSpec struct {
- // Type indicates whether this revision represents a local or a remote control plane installation.
- // +kubebuilder:default=Local
- // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
- Type IstioRevisionType `json:"type"`
-
 // +sail:version
 // Defines the version of Istio to install.
 // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest.
@@ -178,16 +173,6 @@ const (
 IstioRevisionReasonHealthy IstioRevisionConditionReason = "Healthy"
 )
 
-type IstioRevisionType string
-
-const (
- // IstioRevisionTypeLocal indicates that the revision represents a local control plane installation.
- IstioRevisionTypeLocal IstioRevisionType = "Local"
-
- // IstioRevisionTypeRemote indicates that the revision represents a remote control plane installation.
- IstioRevisionTypeRemote IstioRevisionType = "Remote"
-)
-
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:scope=Cluster,shortName=istiorev,categories=istio-io
 // +kubebuilder:subresource:status
diff --git a/api/v1alpha1/remoteistio_types.go b/api/v1alpha1/remoteistio_types.go
deleted file mode 100644
index 463906896..000000000
--- a/api/v1alpha1/remoteistio_types.go
+++ /dev/null
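Review bot: The first hunk drops `spec.type` from `IstioRevisionSpec`, a required field with a default and an immutability rule, from a served API version without a deprecation step. Existing `IstioRevision` objects that carry `type: Remote` will presumably have the field pruned on their next write, and any client or test that reads it breaks silently; keeping the field for one release marked `// Deprecated: ignored; set the 'remote' profile on the owning Istio resource instead.` with `json:"type,omitempty"` would give users a migration window. The second hunk removes the exported `IstioRevisionType` constants the same way, so the same caveat applies to Go consumers of the api package. The `IstioRevisionSpec` struct continues past the first hunk.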
@@ -1,217 +0,0 @@ -// Copyright Istio Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package v1alpha1 - -import ( - "time" - - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -const RemoteIstioKind = "RemoteIstio" - -// RemoteIstioSpec defines the desired state of RemoteIstio -// +kubebuilder:validation:XValidation:rule="!has(self.values) || !has(self.values.global) || !has(self.values.global.istioNamespace) || self.values.global.istioNamespace == self.__namespace__",message="spec.values.global.istioNamespace must match spec.namespace" -type RemoteIstioSpec struct { - // +sail:version - // Defines the version of Istio to install. - // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"} - // +kubebuilder:validation:Enum=v1.23.2;v1.22.5;v1.21.6;latest - // +kubebuilder:default=v1.23.2 - Version string `json:"version"` - - // Defines the update strategy to use when the version in the RemoteIstio CR is updated. 
- // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Update Strategy" - // +kubebuilder:default={type: "InPlace"} - UpdateStrategy *IstioUpdateStrategy `json:"updateStrategy,omitempty"` - - // +sail:profile - // The built-in installation configuration profile to use. - // The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. - // +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"} - // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"} - // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable - Profile string `json:"profile,omitempty"` - - // Namespace to which the Istio components should be installed. - // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"} - // +kubebuilder:default=istio-system - Namespace string `json:"namespace"` - - // Defines the values to be passed to the Helm charts when installing Istio. 
- // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Helm Values" - Values *Values `json:"values,omitempty"` -} - -// RemoteIstioStatus defines the observed state of RemoteIstio -type RemoteIstioStatus struct { - // ObservedGeneration is the most recent generation observed for this - // RemoteIstio object. It corresponds to the object's generation, which is - // updated on mutation by the API Server. The information in the status - // pertains to this particular generation of the object. - ObservedGeneration int64 `json:"observedGeneration,omitempty"` - - // Represents the latest available observations of the object's current state. - Conditions []RemoteIstioCondition `json:"conditions,omitempty"` - - // Reports the current state of the object. - State RemoteIstioConditionReason `json:"state,omitempty"` - - // The name of the active revision. - ActiveRevisionName string `json:"activeRevisionName,omitempty"` - - // Reports information about the underlying IstioRevisions. - Revisions RevisionSummary `json:"revisions,omitempty"` -} - -// GetCondition returns the condition of the specified type -func (s *RemoteIstioStatus) GetCondition(conditionType RemoteIstioConditionType) RemoteIstioCondition { - if s != nil { - for i := range s.Conditions { - if s.Conditions[i].Type == conditionType { - return s.Conditions[i] - } - } - } - return RemoteIstioCondition{Type: conditionType, Status: metav1.ConditionUnknown} -} - -// SetCondition sets a specific condition in the list of conditions -func (s *RemoteIstioStatus) SetCondition(condition RemoteIstioCondition) { - var now time.Time - if testTime == nil { - now = time.Now() - } else { - now = *testTime - } - - // The lastTransitionTime only gets serialized out to the second. This can - // break update skipping, as the time in the resource returned from the client - // may not match the time in our cached status during a reconcile. We truncate - // here to save any problems down the line. 
- lastTransitionTime := metav1.NewTime(now.Truncate(time.Second)) - - for i, prevCondition := range s.Conditions { - if prevCondition.Type == condition.Type { - if prevCondition.Status != condition.Status { - condition.LastTransitionTime = lastTransitionTime - } else { - condition.LastTransitionTime = prevCondition.LastTransitionTime - } - s.Conditions[i] = condition - return - } - } - - // If the condition does not exist, initialize the lastTransitionTime - condition.LastTransitionTime = lastTransitionTime - s.Conditions = append(s.Conditions, condition) -} - -// RemoteIstioCondition represents a specific observation of the RemoteIstioCondition object's state. -type RemoteIstioCondition struct { - // The type of this condition. - Type RemoteIstioConditionType `json:"type,omitempty"` - - // The status of this condition. Can be True, False or Unknown. - Status metav1.ConditionStatus `json:"status,omitempty"` - - // Unique, single-word, CamelCase reason for the condition's last transition. - Reason RemoteIstioConditionReason `json:"reason,omitempty"` - - // Human-readable message indicating details about the last transition. - Message string `json:"message,omitempty"` - - // Last time the condition transitioned from one status to another. - LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"` -} - -// RemoteIstioConditionType represents the type of the condition. Condition stages are: -// Installed, Reconciled, Ready -type RemoteIstioConditionType string - -// RemoteIstioConditionReason represents a short message indicating how the condition came -// to be in its present state. -type RemoteIstioConditionReason string - -const ( - // RemoteIstioConditionReconciled signifies whether the controller has - // successfully reconciled the resources defined through the CR. 
- RemoteIstioConditionReconciled RemoteIstioConditionType = "Reconciled" - - // RemoteIstioReasonReconcileError indicates that the reconciliation of the resource has failed, but will be retried. - RemoteIstioReasonReconcileError RemoteIstioConditionReason = "ReconcileError" -) - -const ( - // RemoteIstioConditionReady signifies whether any Deployment, StatefulSet, - // etc. resources are Ready. - RemoteIstioConditionReady RemoteIstioConditionType = "Ready" - - // RemoteIstioReasonRevisionNotFound indicates that the active IstioRevision is not found. - RemoteIstioReasonRevisionNotFound RemoteIstioConditionReason = "ActiveRevisionNotFound" - - // RemoteIstioReasonFailedToGetActiveRevision indicates that a failure occurred when getting the active IstioRevision - RemoteIstioReasonFailedToGetActiveRevision RemoteIstioConditionReason = "FailedToGetActiveRevision" - - // RemoteIstioReasonIstiodNotReady indicates that the control plane is fully reconciled, but istiod is not ready. - RemoteIstioReasonIstiodNotReady RemoteIstioConditionReason = "IstiodNotReady" - - // RemoteIstioReasonReadinessCheckFailed indicates that readiness could not be ascertained. - RemoteIstioReasonReadinessCheckFailed RemoteIstioConditionReason = "ReadinessCheckFailed" -) - -const ( - // RemoteIstioReasonHealthy indicates that the control plane is fully reconciled and that all components are ready. - RemoteIstioReasonHealthy RemoteIstioConditionReason = "Healthy" -) - -// +kubebuilder:object:root=true -// +kubebuilder:resource:scope=Cluster,categories=istio-io -// +kubebuilder:subresource:status -// +kubebuilder:printcolumn:name="Revisions",type="string",JSONPath=".status.revisions.total",description="Total number of IstioRevision objects currently associated with this object." -// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.revisions.ready",description="Number of revisions that are ready." 
-// +kubebuilder:printcolumn:name="In use",type="string",JSONPath=".status.revisions.inUse",description="Number of revisions that are currently being used by workloads." -// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.activeRevisionName",description="The name of the currently active revision." -// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of the active revision." -// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of the control plane installation." -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the object" - -// RemoteIstio represents a remote Istio Service Mesh deployment consisting of one or more -// remote control plane instances (represented by one or more IstioRevision objects). -type RemoteIstio struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - // +kubebuilder:default={version: "v1.23.2", namespace: "istio-system", updateStrategy: {type:"InPlace"}} - Spec RemoteIstioSpec `json:"spec,omitempty"` - - Status RemoteIstioStatus `json:"status,omitempty"` -} - -// +kubebuilder:object:root=true - -// RemoteIstioList contains a list of RemoteIstio -type RemoteIstioList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty"` - Items []RemoteIstio `json:"items"` -} - -func init() { - SchemeBuilder.Register(&RemoteIstio{}, &RemoteIstioList{}) -} diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 6587fcd95..a4261bfe4 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
@@ -4061,129 +4061,6 @@ func (in *ProxyInitConfig) DeepCopy() *ProxyInitConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *RemoteIstio) DeepCopyInto(out *RemoteIstio) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteIstio. -func (in *RemoteIstio) DeepCopy() *RemoteIstio { - if in == nil { - return nil - } - out := new(RemoteIstio) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *RemoteIstio) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *RemoteIstioCondition) DeepCopyInto(out *RemoteIstioCondition) { - *out = *in - in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteIstioCondition. -func (in *RemoteIstioCondition) DeepCopy() *RemoteIstioCondition { - if in == nil { - return nil - } - out := new(RemoteIstioCondition) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *RemoteIstioList) DeepCopyInto(out *RemoteIstioList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]RemoteIstio, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteIstioList. -func (in *RemoteIstioList) DeepCopy() *RemoteIstioList { - if in == nil { - return nil - } - out := new(RemoteIstioList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *RemoteIstioList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *RemoteIstioSpec) DeepCopyInto(out *RemoteIstioSpec) { - *out = *in - if in.UpdateStrategy != nil { - in, out := &in.UpdateStrategy, &out.UpdateStrategy - *out = new(IstioUpdateStrategy) - (*in).DeepCopyInto(*out) - } - if in.Values != nil { - in, out := &in.Values, &out.Values - *out = new(Values) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteIstioSpec. -func (in *RemoteIstioSpec) DeepCopy() *RemoteIstioSpec { - if in == nil { - return nil - } - out := new(RemoteIstioSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *RemoteIstioStatus) DeepCopyInto(out *RemoteIstioStatus) {
- *out = *in
- if in.Conditions != nil {
- in, out := &in.Conditions, &out.Conditions
- *out = make([]RemoteIstioCondition, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
- out.Revisions = in.Revisions
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteIstioStatus.
-func (in *RemoteIstioStatus) DeepCopy() *RemoteIstioStatus {
- if in == nil {
- return nil
- }
- out := new(RemoteIstioStatus)
- in.DeepCopyInto(out)
- return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RemoteService) DeepCopyInto(out *RemoteService) {
 *out = *in
diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml
index a59ecf718..445147a99 100644
--- a/bundle/manifests/sailoperator.clusterserviceversion.yaml
+++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml
@@ -34,7 +34,7 @@ metadata:
 capabilities: Seamless Upgrades
 categories: OpenShift Optional, Integration & Delivery, Networking, Security
 containerImage: quay.io/maistra-dev/sail-operator:0.2-latest
- createdAt: "2024-10-23T05:05:30Z"
+ createdAt: "2024-10-31T13:13:52Z"
 description: Experimental operator for installing Istio service mesh
 features.operators.openshift.io/cnf: "false"
 features.operators.openshift.io/cni: "true"
@@ -177,7 +177,7 @@ spec:
 - description: |-
 The built-in installation configuration profile to use.
 The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
- Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable.
+ Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable.
 displayName: Profile
 path: profile
 x-descriptors:
@@ -281,7 +281,7 @@ spec:
 - description: |-
 The built-in installation configuration profile to use.
 The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
- Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable.
+ Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable.
 displayName: Profile
 path: profile
 x-descriptors:
@@ -295,78 +295,6 @@ spec:
 displayName: Helm Values
 path: values
 version: v1alpha1
- - description: |-
- RemoteIstio represents a remote Istio Service Mesh deployment consisting of one or more
- remote control plane instances (represented by one or more IstioRevision objects).
- displayName: Remote Istio
- kind: RemoteIstio
- name: remoteistios.sailoperator.io
- specDescriptors:
- - description: "Type of strategy to use. Can be \"InPlace\" or \"RevisionBased\".
- When the \"InPlace\" strategy\nis used, the existing Istio control plane
- is updated in-place. The workloads therefore\ndon't need to be moved from
- one control plane instance to another. When the \"RevisionBased\"\nstrategy
- is used, a new Istio control plane instance is created for every change
- to the\nIstio.spec.version field. The old control plane remains in place
- until all workloads have\nbeen moved to the new control plane instance.\n\n\nThe
- \"InPlace\" strategy is the default.\tTODO: change default to \"RevisionBased\""
- displayName: Type
- path: updateStrategy.type
- x-descriptors:
- - urn:alm:descriptor:com.tectonic.ui:select:InPlace
- - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased
- - description: |-
- Defines the version of Istio to install.
- Must be one of: v1.23.2, v1.22.5, v1.21.6, latest.
- displayName: Istio Version
- path: version
- x-descriptors:
- - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General
- - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2
- - urn:alm:descriptor:com.tectonic.ui:select:v1.22.5
- - urn:alm:descriptor:com.tectonic.ui:select:v1.21.6
- - urn:alm:descriptor:com.tectonic.ui:select:latest
- - description: |-
- Defines how many seconds the operator should wait before removing a non-active revision after all
- the workloads have stopped using it. You may want to set this value on the order of minutes.
- The minimum is 0 and the default value is 30.
- displayName: Inactive Revision Deletion Grace Period (seconds)
- path: updateStrategy.inactiveRevisionDeletionGracePeriodSeconds
- x-descriptors:
- - urn:alm:descriptor:com.tectonic.ui:number
- - description: |-
- Defines whether the workloads should be moved from one control plane instance to another
- automatically. If updateWorkloads is true, the operator moves the workloads from the old
- control plane instance to the new one after the new control plane is ready.
- If updateWorkloads is false, the user must move the workloads manually by updating the
- istio.io/rev labels on the namespace and/or the pods.
- Defaults to false.
- displayName: Update Workloads Automatically
- path: updateStrategy.updateWorkloads
- x-descriptors:
- - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- - description: Namespace to which the Istio components should be installed.
- displayName: Namespace
- path: namespace
- x-descriptors:
- - urn:alm:descriptor:io.kubernetes:Namespace
- - description: |-
- The built-in installation configuration profile to use.
- The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
- Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable.
- displayName: Profile
- path: profile
- x-descriptors:
- - urn:alm:descriptor:com.tectonic.ui:hidden
- - description: Defines the update strategy to use when the version in the RemoteIstio
- CR is updated.
- displayName: Update Strategy
- path: updateStrategy
- - description: Defines the values to be passed to the Helm charts when installing
- Istio.
- displayName: Helm Values
- path: values
- version: v1alpha1
 description: |-
 This is an experimental operator for installing Istio service mesh.
diff --git a/bundle/manifests/sailoperator.io_istiocnis.yaml b/bundle/manifests/sailoperator.io_istiocnis.yaml
index c6c600566..ed0915fcd 100644
--- a/bundle/manifests/sailoperator.io_istiocnis.yaml
+++ b/bundle/manifests/sailoperator.io_istiocnis.yaml
@@ -70,7 +70,7 @@ spec:
 description: |-
 The built-in installation configuration profile to use.
 The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
- Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable.
+ Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable.
 enum:
 - ambient
 - default
@@ -80,6 +80,7 @@ spec:
 - openshift-ambient
 - openshift
 - preview
+ - remote
 - stable
 type: string
 values:
diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml
index 65dda4561..29d602daf 100644
--- a/bundle/manifests/sailoperator.io_istiorevisions.yaml
+++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml
@@ -78,14 +78,6 @@ spec:
 x-kubernetes-validations:
 - message: Value is immutable
 rule: self == oldSelf
- type:
- default: Local
- description: Type indicates whether this revision represents a local
- or a remote control plane installation.
- type: string
- x-kubernetes-validations:
- - message: Value is immutable
- rule: self == oldSelf
 values:
 description: Defines the values to be passed to the Helm charts when
 installing Istio.
@@ -9389,7 +9381,6 @@ spec:
 type: string
 required:
 - namespace
- - type
 - version
 type: object
 x-kubernetes-validations:
diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml
index f5e82d277..61a82141b 100644
--- a/bundle/manifests/sailoperator.io_istios.yaml
+++ b/bundle/manifests/sailoperator.io_istios.yaml
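Review bot: Dropping `type` from the served v1alpha1 IstioRevision schema in the `@@ -78,14 +78,6 @@` hunk (and from `required` in the `@@ -9389,7 +9381,6 @@` hunk) is a breaking change for existing objects: any IstioRevision already stored with `spec.type: Remote` will have that field pruned by the API server on its next write, and nothing in this diff records how such objects are to be handled on upgrade. This manifest looks generated, so the authoritative place for that note is the Go type it is rendered from, which is outside this chunk; a short comment there, or a sentence in the commit message stating the migration path (presumably the `remote` profile added to the Istio and IstioCNI schemas in the neighbouring hunks, if that is the intent), would let cluster operators audit the upgrade. The immutability rule that guarded the field disappears with it, so if `type` is ever reintroduced it needs its `x-kubernetes-validations` block restored alongside.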
@@ -95,7 +95,7 @@ spec:
 description: |-
 The built-in installation configuration profile to use.
 The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'.
- Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable.
+ Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable.
 enum:
 - ambient
 - default
@@ -105,6 +105,7 @@ spec:
 - openshift-ambient
 - openshift
 - preview
+ - remote
 - stable
 type: string
 updateStrategy:
diff --git a/bundle/manifests/sailoperator.io_remoteistios.yaml b/bundle/manifests/sailoperator.io_remoteistios.yaml
deleted file mode 100644
index a0a4ab8c3..000000000
--- a/bundle/manifests/sailoperator.io_remoteistios.yaml
+++ /dev/null
@@ -1,9528 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.4 - creationTimestamp: null - name: remoteistios.sailoperator.io -spec: - group: sailoperator.io - names: - categories: - - istio-io - kind: RemoteIstio - listKind: RemoteIstioList - plural: remoteistios - singular: remoteistio - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Total number of IstioRevision objects currently associated with - this object. - jsonPath: .status.revisions.total - name: Revisions - type: string - - description: Number of revisions that are ready. - jsonPath: .status.revisions.ready - name: Ready - type: string - - description: Number of revisions that are currently being used by workloads. - jsonPath: .status.revisions.inUse - name: In use - type: string - - description: The name of the currently active revision. - jsonPath: .status.activeRevisionName - name: Active Revision - type: string - - description: The current state of the active revision. - jsonPath: .status.state - name: Status - type: string - - description: The version of the control plane installation. - jsonPath: .spec.version - name: Version - type: string - - description: The age of the object - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - RemoteIstio represents a remote Istio Service Mesh deployment consisting of one or more - remote control plane instances (represented by one or more IstioRevision objects). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - default: - namespace: istio-system - updateStrategy: - type: InPlace - version: v1.23.2 - description: RemoteIstioSpec defines the desired state of RemoteIstio - properties: - namespace: - default: istio-system - description: Namespace to which the Istio components should be installed. - type: string - profile: - description: |- - The built-in installation configuration profile to use. - The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. - enum: - - ambient - - default - - demo - - empty - - external - - openshift-ambient - - openshift - - preview - - stable - type: string - updateStrategy: - default: - type: InPlace - description: Defines the update strategy to use when the version in - the RemoteIstio CR is updated. - properties: - inactiveRevisionDeletionGracePeriodSeconds: - description: |- - Defines how many seconds the operator should wait before removing a non-active revision after all - the workloads have stopped using it. You may want to set this value on the order of minutes. - The minimum is 0 and the default value is 30. - format: int64 - minimum: 0 - type: integer - type: - default: InPlace - description: "Type of strategy to use. Can be \"InPlace\" or \"RevisionBased\". - When the \"InPlace\" strategy\nis used, the existing Istio control - plane is updated in-place. 
The workloads therefore\ndon't need - to be moved from one control plane instance to another. When - the \"RevisionBased\"\nstrategy is used, a new Istio control - plane instance is created for every change to the\nIstio.spec.version - field. The old control plane remains in place until all workloads - have\nbeen moved to the new control plane instance.\n\nThe \"InPlace\" - strategy is the default.\tTODO: change default to \"RevisionBased\"" - enum: - - InPlace - - RevisionBased - type: string - updateWorkloads: - description: |- - Defines whether the workloads should be moved from one control plane instance to another - automatically. If updateWorkloads is true, the operator moves the workloads from the old - control plane instance to the new one after the new control plane is ready. - If updateWorkloads is false, the user must move the workloads manually by updating the - istio.io/rev labels on the namespace and/or the pods. - Defaults to false. - type: boolean - type: object - values: - description: Defines the values to be passed to the Helm charts when - installing Istio. - properties: - base: - description: Configuration for the base component. - properties: - excludedCRDs: - description: CRDs to exclude. Requires `enableCRDTemplates` - items: - type: string - type: array - validationCABundle: - description: validation webhook CA bundle - type: string - validationURL: - description: URL to use for validating webhook. - type: string - type: object - compatibilityVersion: - description: |- - Specifies the compatibility version to use. When this is set, the control plane will - be configured with the same defaults as the specified version. - type: string - defaultRevision: - description: The name of the default revision in the cluster. 
- type: string - experimental: - description: Specifies experimental helm fields that could be - removed or changed in the future - x-kubernetes-preserve-unknown-fields: true - global: - description: Global configuration for Istio components. - properties: - arch: - description: "Specifies pod scheduling arch(amd64, ppc64le, - s390x, arm64) and weight as follows:\n\n\t0 - Never scheduled\n\t1 - - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: - replaced by the affinity k8s settings which allows architecture - nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/values_types.proto." - properties: - amd64: - description: Sets pod scheduling weight for amd64 arch - format: int32 - type: integer - arm64: - description: Sets pod scheduling weight for arm64 arch. - format: int32 - type: integer - ppc64le: - description: Sets pod scheduling weight for ppc64le arch. - format: int32 - type: integer - s390x: - description: Sets pod scheduling weight for s390x arch. - format: int32 - type: integer - type: object - caAddress: - description: The address of the CA for CSR. - type: string - caName: - description: |- - The name of the CA for workloads. - For example, when caName=GkeWorkloadCertificate, GKE workload certificates - will be used as the certificates for workloads. - The default value is "" and when caName="", the CA will be configured by other - mechanisms (e.g., environmental variable CA_PROVIDER). - type: string - certSigners: - description: List of certSigners to allow "approve" action - in the ClusterRole - items: - type: string - type: array - configCluster: - description: Controls whether a remote cluster is the config - cluster for an external istiod - type: boolean - configValidation: - description: Controls whether the server-side validation is - enabled. 
- type: boolean - defaultNodeSelector: - additionalProperties: - type: string - description: |- - Default k8s node selector for all the Istio control plane components - - See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: object - defaultPodDisruptionBudget: - description: Specifies the default pod disruption budget configuration. - properties: - enabled: - description: Controls whether a PodDisruptionBudget with - a default minAvailable value of 1 is created for each - deployment. - type: boolean - type: object - defaultResources: - description: |- - Default k8s resources settings for all Istio control plane components. - - See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - defaultTolerations: - description: |- - Default node tolerations to be applied to all deployments so that all pods can be - scheduled to nodes with matching taints. Each component can overwrite - these default values by adding its tolerations block in the relevant section below - and setting the desired values. - Configure this field in case that all pods of Istio control plane are expected to - be scheduled to particular nodes with specified taints. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. 
- When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - externalIstiod: - description: Controls whether one external istiod is enabled. - type: boolean - hub: - description: Specifies the docker hub for Istio images. - type: string - imagePullPolicy: - description: |- - Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. - - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - enum: - - Always - - Never - - IfNotPresent - type: string - imagePullSecrets: - description: |- - ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace - to use for pulling any images in pods that reference this ServiceAccount. 
- Must be set for any cluster configured with private docker registry. - items: - type: string - type: array - ipFamilies: - description: |- - Defines which IP family to use for single stack or the order of IP families for dual-stack. - Valid list items are "IPv4", "IPv6". - More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - items: - type: string - type: array - ipFamilyPolicy: - description: |- - Controls whether Services are configured to use IPv4, IPv6, or both. Valid options - are PreferDualStack, RequireDualStack, and SingleStack. - More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - type: string - istioNamespace: - description: Specifies the default namespace for the Istio - control plane components. - type: string - istiod: - description: Specifies the configution of istiod - properties: - enableAnalysis: - description: If enabled, istiod will perform config analysis - type: boolean - type: object - jwtPolicy: - description: |- - Configure the policy for validating JWT. - This is deprecated and has no effect. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: string - logAsJson: - description: Specifies whether istio components should output - logs in json format by adding --log_as_json argument to - each container. - type: boolean - logging: - description: Specifies the global logging level settings for - the Istio control plane components. - properties: - level: - description: |- - Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - The control plane has different scopes depending on component, but can configure default log level across all components - If empty, default scope and level will be used as configured in code - type: string - type: object - meshID: - description: |- - The Mesh Identifier. 
It should be unique within the scope where - meshes will interact with each other, but it is not required to be - globally/universally unique. For example, if any of the following are true, - then two meshes must have different Mesh IDs: - - Meshes will have their telemetry aggregated in one place - - Meshes will be federated together - - Policy will be written referencing one mesh from the other - - If an administrator expects that any of these conditions may become true in - the future, they should ensure their meshes have different Mesh IDs - assigned. - - Within a multicluster mesh, each cluster must be (manually or auto) - configured to have the same Mesh ID value. If an existing cluster 'joins' a - multicluster mesh, it will need to be migrated to the new mesh ID. Details - of migration TBD, and it may be a disruptive operation to change the Mesh - ID post-install. - - If the mesh admin does not specify a value, Istio will use the value of the - mesh's Trust Domain. The best practice is to select a proper Trust Domain - value. - type: string - meshNetworks: - additionalProperties: - description: |- - Network provides information about the endpoints in a routable L3 - network. A single routable L3 network can have one or more service - registries. Note that the network has no relation to the locality of the - endpoint. The endpoint locality will be obtained from the service - registry. - properties: - endpoints: - description: |- - The list of endpoints in the network (obtained through the - constituent service registries or from CIDR ranges). All endpoints in - the network are directly accessible to one another. - items: - description: "NetworkEndpoints describes how the network - associated with an endpoint\nshould be inferred. - An endpoint will be assigned to a network based - on\nthe following rules:\n\n1. Implicitly: If the - registry explicitly provides information about\nthe - network to which the endpoint belongs to. 
In some - cases, its\npossible to indicate the network associated - with the endpoint by\nadding the `ISTIO_META_NETWORK` - environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. - By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"fromRegistry\" can only be - assigned to a\n\tsingle network.\n\n\tb. By matching - the IP against one of the CIDR ranges in a mesh\n\tconfig - network. The CIDR ranges must not overlap and be - assigned to\n\ta single network.\n\n(2) will override - (1) if both are present." - properties: - fromCidr: - description: |- - A CIDR range for the set of endpoints in this network. The CIDR - ranges for endpoints from different networks must not overlap. - type: string - fromRegistry: - description: |- - Add all endpoints from the specified registry into this network. - The names of the registries should correspond to the kubeconfig file name - inside the secret that was used to configure the registry (Kubernetes - multicluster) or supplied by MCP server. - type: string - type: object - x-kubernetes-validations: - - message: At most one of [fromCidr fromRegistry] - should be set - rule: (has(self.fromCidr)?1:0) + (has(self.fromRegistry)?1:0) - <= 1 - type: array - gateways: - description: Set of gateways associated with the network. - items: - description: |- - The gateway associated with this network. Traffic from remote networks - will arrive at the specified gateway:port. All incoming traffic must - use mTLS. - properties: - address: - description: IP address or externally resolvable - DNS address associated with the gateway. - type: string - locality: - description: The locality associated with an explicitly - specified gateway (i.e. ip) - type: string - port: - format: int32 - type: integer - registryServiceName: - description: |- - A fully qualified domain name of the gateway service. 
Pilot will - lookup the service from the service registries in the network and - obtain the endpoint IPs of the gateway from the service - registry. Note that while the service name is a fully qualified - domain name, it need not be resolvable outside the orchestration - platform for the registry. e.g., this could be - istio-ingressgateway.istio-system.svc.cluster.local. - type: string - type: object - x-kubernetes-validations: - - message: At most one of [registryServiceName address] - should be set - rule: (has(self.registryServiceName)?1:0) + (has(self.address)?1:0) - <= 1 - type: array - type: object - description: "Configure the mesh networks to be used by the - Split Horizon EDS.\n\nThe following example defines two - networks with different endpoints association methods.\nFor - `network1` all endpoints that their IP belongs to the provided - CIDR range will be\nmapped to network1. The gateway for - this network example is specified by its public IP\naddress - and port.\nThe second network, `network2`, in this example - is defined differently with all endpoints\nretrieved through - the specified Multi-Cluster registry being mapped to network2. - The\ngateway is also defined differently with the name of - the gateway service on the remote\ncluster. The public IP - for the gateway will be determined from that remote service - (only\nLoadBalancer gateway service type is currently supported, - for a NodePort type gateway service,\nit still need to be - configured manually).\n\nmeshNetworks:\n\n\tnetwork1:\n\t - \ endpoints:\n\t - fromCidr: \"192.168.0.1/24\"\n\t gateways:\n\t - \ - address: 1.1.1.1\n\t port: 80\n\tnetwork2:\n\t endpoints:\n\t - \ - fromRegistry: reg1\n\t gateways:\n\t - registryServiceName: - istio-ingressgateway.istio-system.svc.cluster.local\n\t - \ port: 443" - type: object - mountMtlsCerts: - description: Controls whether the in-cluster MTLS key and - certs are loaded from the secret volume mounts. 
- type: boolean - multiCluster: - description: Specifies the Configuration for Istio mesh across - multiple clusters through Istio gateways. - properties: - clusterName: - description: |- - The name of the cluster this installation will run in. This is required for sidecar injection - to properly label proxies - type: string - enabled: - description: |- - Enables the connection between two kubernetes clusters via their respective ingressgateway services. - Use if the pods in each cluster cannot directly talk to one another. - type: boolean - globalDomainSuffix: - description: The suffix for global service names. - type: string - includeEnvoyFilter: - description: Enable envoy filter to translate `globalDomainSuffix` - to cluster local suffix for cross cluster communication. - type: boolean - type: object - network: - description: |- - Network defines the network this cluster belong to. This name - corresponds to the networks in the map of mesh networks. - type: string - omitSidecarInjectorConfigMap: - description: |- - Controls whether the creation of the sidecar injector ConfigMap should be skipped. - Defaults to false. When set to true, the sidecar injector ConfigMap will not be created. - type: boolean - operatorManageWebhooks: - description: |- - Controls whether the WebhookConfiguration resource(s) should be created. The current behavior - of Istiod is to manage its own webhook configurations. - When this option is set to true, Istio Operator, instead of webhooks, manages the - webhook configurations. When this option is set as false, webhooks manage their - own webhook configurations. - type: boolean - pilotCertProvider: - description: |- - Configure the Pilot certificate provider. - Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none". - type: string - platform: - description: |- - Platform in which Istio is deployed. 
Possible values are: "openshift" and "gcp" - An empty value means it is a vanilla Kubernetes distribution, therefore no special - treatment will be considered. - type: string - podDNSSearchNamespaces: - description: |- - Custom DNS config for the pod to resolve names of services in other - clusters. Use this to add additional search domains, and other settings. - see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - This does not apply to gateway pods as they typically need a different - set of DNS settings than the normal application pods (e.g. in multicluster scenarios). - items: - type: string - type: array - priorityClassName: - description: |- - Specifies the k8s priorityClassName for the istio control plane components. - - See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: string - proxy: - description: Specifies how proxies are configured within Istio. - properties: - autoInject: - description: Controls the 'policy' in the sidecar injector. - type: string - clusterDomain: - description: |- - Domain for the cluster, default: "cluster.local". - - K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ - type: string - componentLogLevel: - description: |- - Per Component log level for proxy, applies to gateways and sidecars. - - If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used. - type: string - enableCoreDump: - description: |- - Enables core dumps for newly injected sidecars. - - If set, newly injected sidecars will have core dumps enabled. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: boolean - excludeIPRanges: - description: Lists the excluded IP ranges of Istio egress - traffic that the sidecar captures. 
- type: string - excludeInboundPorts: - description: Specifies the Istio ingress ports not to - capture. - type: string - excludeOutboundPorts: - description: A comma separated list of outbound ports - to be excluded from redirection to Envoy. - type: string - holdApplicationUntilProxyStarts: - description: |- - Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready - - Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: boolean - image: - description: |- - Image name or path for the proxy, default: "proxyv2". - - If registry or tag are not specified, global.hub and global.tag are used. - - Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0 - type: string - includeIPRanges: - description: |- - Lists the IP ranges of Istio egress traffic that the sidecar captures. - - Example: "172.30.0.0/16,172.20.0.0/16" - This would only capture egress traffic on those two IP Ranges, all other outbound traffic would # be allowed by the sidecar." - type: string - includeInboundPorts: - description: |- - A comma separated list of inbound ports for which traffic is to be redirected to Envoy. - The wildcard character '*' can be used to configure redirection for all ports. - type: string - includeOutboundPorts: - description: A comma separated list of outbound ports - for which traffic is to be redirected to Envoy, regardless - of the destination IP. - type: string - lifecycle: - description: |- - The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. 
If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents the duration that - the container should sleep before being terminated. - properties: - seconds: - description: Seconds is the number of seconds - to sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for the backward compatibility. There are no validation of this field and - lifecycle hooks will fail in runtime when tcp handler is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies the action to take. 
- properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents the duration that - the container should sleep before being terminated. - properties: - seconds: - description: Seconds is the number of seconds - to sleep. 
- format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for the backward compatibility. There are no validation of this field and - lifecycle hooks will fail in runtime when tcp handler is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - logLevel: - description: 'Log level for proxy, applies to gateways - and sidecars. If left empty, "warning" is used. Expected - values are: trace\|debug\|info\|warning\|error\|critical\|off' - type: string - outlierLogPath: - description: |- - Path to the file to which the proxy will write outlier detection logs. - - Example: "/dev/stdout" - This would write the logs to standard output. - type: string - privileged: - description: |- - Enables privileged securityContext for the istio-proxy container. - - See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - type: boolean - readinessFailureThreshold: - description: Sets the number of successive failed probes - before indicating readiness failure. - format: int32 - type: integer - readinessInitialDelaySeconds: - description: Sets the initial delay for readiness probes - in seconds. - format: int32 - type: integer - readinessPeriodSeconds: - description: Sets the interval between readiness probes - in seconds. - format: int32 - type: integer - resources: - description: |- - K8s resources settings. 
- - See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry - in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - startupProbe: - description: Configures the startup probe for the istio-proxy - container. - properties: - enabled: - description: |- - Enables or disables a startup probe. - For optimal startup times, changing this should be tied to the readiness probe values. - - If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - and doesn't spam the readiness endpoint too much - - If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - type: boolean - failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - format: int32 - type: integer - type: object - statusPort: - description: Default port used for the Pilot agent's health - checks. - format: int32 - type: integer - tracer: - description: |- - Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. - If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - enum: - - zipkin - - lightstep - - datadog - - stackdriver - - openCensusAgent - - none - type: string - type: object - proxy_init: - description: Specifies the Configuration for proxy_init container - which sets the pods' networking to intercept the inbound/outbound - traffic. - properties: - image: - description: Specifies the image for the proxy_init container. 
- type: string - resources: - description: |- - K8s resources settings. - - See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry - in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - remotePilotAddress: - description: Specifies the Istio control plane’s pilot Pod - IP address or remote cluster DNS resolvable hostname. - type: string - revision: - description: Configures the revision this control plane is - a part of - type: string - sds: - description: Specifies the Configuration for the SecretDiscoveryService - instead of using K8S secrets to mount the certificates. - properties: - token: - description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' - properties: - aud: - type: string - type: object - type: object - sts: - description: Specifies the configuration for Security Token - Service. - properties: - servicePort: - format: int32 - type: integer - type: object - tag: - description: Specifies the tag for the Istio docker images. - type: string - tracer: - description: Specifies the Configuration for each of the supported - tracers. - properties: - datadog: - description: Configuration for the datadog tracing service. - properties: - address: - description: Address in host:port format for reporting - trace data to the Datadog agent. - type: string - type: object - lightstep: - description: Configuration for the lightstep tracing service. - properties: - accessToken: - description: Sets the lightstep access token. - type: string - address: - description: Sets the lightstep satellite pool address - in host:port format for reporting trace data. - type: string - type: object - stackdriver: - description: Configuration for the stackdriver tracing - service. - properties: - debug: - description: enables trace output to stdout. 
- type: boolean - maxNumberOfAnnotations: - description: The global default max number of annotation - events per span. - format: int32 - type: integer - maxNumberOfAttributes: - description: The global default max number of attributes - per span. - format: int32 - type: integer - maxNumberOfMessageEvents: - description: The global default max number of message - events per span. - format: int32 - type: integer - type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. - - Example: .:941 - type: string - type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: - affinity: - description: |- - K8s affinity settings for waypoint pods. - - See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - properties: - nodeAffinity: - description: Describes node affinity scheduling rules - for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. 
- items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated - with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector - requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that - the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector - requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that - the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching - the corresponding nodeSelectorTerm, in - the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector - terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector - requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that - the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. 
Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector - requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that - the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules - (e.g. co-locate this pod in the same node, zone, - etc. as some other pod(s)). 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched - WeightedPodAffinityTerm fields are added per-node - to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
- Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling - rules (e.g. avoid putting this pod in the same node, - zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched - WeightedPodAffinityTerm fields are added per-node - to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. 
- format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - nodeSelector: - description: |- - K8s node labels settings. - - See https://kubernetes.io/docs/user-guide/node-selection/ - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. 
- type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - resources: - description: |- - K8s resource settings. - - See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry - in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - toleration: - description: |- - K8s tolerations settings. - - See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: |- - K8s topology spread constraints settings. - - See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - items: - description: TopologySpreadConstraint specifies how - to spread matching pods among the given topology. - properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. 
- | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. - format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. 
Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. 
- A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - type: object - istiodRemote: - description: |- - Configuration for istiod-remote. - DEPRECATED - istiod-remote chart is removed and replaced with - `istio-discovery --set values.istiodRemote.enabled=true` - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - enabled: - description: Indicates if this cluster/install should consume - a "remote" istiod instance, - type: boolean - injectionCABundle: - description: injector ca bundle - type: string - injectionPath: - description: Path to use for the sidecar injector webhook - service. - type: string - injectionURL: - description: URL to use for sidecar injector webhook. - type: string - type: object - meshConfig: - description: |- - Defines runtime configuration of components, including Istiod and istio-agent behavior. - See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options. - properties: - accessLogEncoding: - description: |- - Encoding for the proxy access log (`TEXT` or `JSON`). - Default value is `TEXT`. - enum: - - TEXT - - JSON - type: string - accessLogFile: - description: |- - File address for the proxy access log (e.g. /dev/stdout). - Empty value disables access logging. 
- type: string - accessLogFormat: - description: |- - Format for the proxy access log - Empty value results in proxy's default access log format - type: string - ca: - description: |- - If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA - using the Istio CA gRPC API. - properties: - address: - description: |- - REQUIRED. Address of the CA server implementing the Istio CA gRPC API. - Can be IP address or a fully qualified DNS name with port - Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000 - type: string - istiodSide: - description: |- - Use istiodSide to specify CA Server integrate to Istiod side or Agent side - Default: true - type: boolean - requestTimeout: - description: |- - timeout for forward CSR requests from Istiod to External CA - Default: 10s - type: string - tlsSettings: - description: |- - Use the tlsSettings to specify the tls mode to use. - Regarding tlsSettings: - - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. - DISABLE MODE can also be used for testing - - TLS MUTUAL MODE be on by default. If the CA certificates - (cert bundle to verify the CA server's certificate) is omitted, Istiod will - use the system root certs to verify the CA server's certificate. - properties: - caCertificates: - description: |- - OPTIONAL: The path to the file containing certificate authority - certificates to use in verifying a presented server certificate. If - omitted, the proxy will verify the server's certificate using - the OS CA certificates. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - caCrl: - description: |- - OPTIONAL: The path to the file containing the certificate revocation list (CRL) - to use in verifying a presented server certificate. `CRL` is a list of certificates - that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. 
- If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, - `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. - type: string - clientCertificate: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client-side TLS certificate to use. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - credentialName: - description: |- - The name of the secret that holds the TLS certs for the - client including the CA certificates. This secret must exist in - the namespace of the proxy using the certificates. - An Opaque secret should contain the following keys and values: - `key: `, `cert: `, `cacert: `, - `crl: ` - Here CACertificate is used to verify the server certificate. - For mutual TLS, `cacert: ` can be provided in the - same secret or a separate secret named `-cacert`. - A TLS secret for client certificates with an additional - `ca.crt` key for CA certificates and `ca.crl` key for - certificate revocation list(CRL) is also supported. - Only one of client certificates and CA certificate - or credentialName can be specified. - - **NOTE:** This field is applicable at sidecars only if - `DestinationRule` has a `workloadSelector` specified. - Otherwise the field will be applicable only at gateways, and - sidecars will continue to use the certificate paths. - type: string - insecureSkipVerify: - description: |- - `insecureSkipVerify` specifies whether the proxy should skip verifying the - CA signature and SAN for the server certificate corresponding to the host. - The default value of this field is false. - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured - using TLS. The value of this field determines how TLS is enforced. 
- enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client's private key. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - sni: - description: |- - SNI string to present to the server during TLS handshake. - If unspecified, SNI will be automatically set based on downstream HTTP - host/authority header for SIMPLE and MUTUAL TLS modes. - type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate. If specified, the proxy will verify that the server - certificate's subject alt name matches one of the specified values. - If specified, this list overrides the value of subject_alt_names - from the ServiceEntry. If unspecified, automatic validation of upstream - presented certificate for new upstream connections will be done based on the - downstream HTTP host/authority header. - items: - type: string - type: array - type: object - required: - - address - type: object - caCertificates: - description: |- - The extra root certificates for workload-to-workload communication. - The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) - are automatically added by Istiod. - The CA certificate that signs the workload certificates is automatically added by Istio Agent. - items: - properties: - certSigners: - description: |- - when Istiod is acting as RA(registration authority) - If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers. - items: - type: string - type: array - pem: - description: The PEM data of the certificate. 
- type: string - spiffeBundleUrl: - description: |- - The SPIFFE bundle endpoint URL that complies to: - https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle - The endpoint should support authentication based on Web PKI: - https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki - The certificate is retrieved from the endpoint. - type: string - trustDomains: - description: |- - Optional. Specify the list of trust domains to which this trustAnchor data belongs. - If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain - and its aliases. - Note that we can have multiple trustAnchor data for a same trustDomain. - In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. - If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. - If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. - If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. - items: - type: string - type: array - type: object - x-kubernetes-validations: - - message: At most one of [pem spiffeBundleUrl] should be - set - rule: (has(self.pem)?1:0) + (has(self.spiffeBundleUrl)?1:0) - <= 1 - type: array - certificates: - description: |- - Configure the provision of certificates. - - Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. 
- items: - description: "Certificate configures the provision of a - certificate and its key.\nExample 1: key and cert stored - in a secret\n```\n{ secretName: galley-cert\n\n\t secretNamespace: - istio-system\n\t dnsNames:\n\t - galley.istio-system.svc\n\t - \ - galley.mydomain.com\n\t}\n\n```\nExample 2: key - and cert stored in a directory\n```\n{ dnsNames:\n - - pilot.istio-system\n - pilot.istio-system.svc\n - pilot.mydomain.com\n - \ }\n\n```" - properties: - dnsNames: - description: |- - The DNS names for the certificate. A certificate may contain - multiple DNS names. - items: - type: string - type: array - secretName: - description: |- - Name of the secret the certificate and its key will be stored into. - If it is empty, it will not be stored into a secret. - Instead, the certificate and its key will be stored into a hard-coded directory. - type: string - type: object - type: array - configSources: - description: |- - ConfigSource describes a source of configuration data for networking - rules, and other Istio configuration artifacts. Multiple data sources - can be configured for a single control plane. - items: - description: |- - ConfigSource describes information about a configuration store inside a - mesh. A single control plane instance can interact with one or more data - sources. - properties: - address: - description: |- - Address of the server implementing the Istio Mesh Configuration - protocol (MCP). Can be IP address or a fully qualified DNS name. - Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or - fs:/// to specify a file-based backend with absolute path to the directory. 
- type: string - subscribedResources: - description: Describes the source of configuration, - if nothing is specified default is MCP - items: - description: Resource describes the source of configuration - enum: - - SERVICE_REGISTRY - type: string - type: array - tlsSettings: - description: |- - Use the tlsSettings to specify the tls mode to use. If the MCP server - uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS - mode as `ISTIO_MUTUAL`. - properties: - caCertificates: - description: |- - OPTIONAL: The path to the file containing certificate authority - certificates to use in verifying a presented server certificate. If - omitted, the proxy will verify the server's certificate using - the OS CA certificates. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - caCrl: - description: |- - OPTIONAL: The path to the file containing the certificate revocation list (CRL) - to use in verifying a presented server certificate. `CRL` is a list of certificates - that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. - If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, - `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. - type: string - clientCertificate: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client-side TLS certificate to use. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - credentialName: - description: |- - The name of the secret that holds the TLS certs for the - client including the CA certificates. This secret must exist in - the namespace of the proxy using the certificates. 
- An Opaque secret should contain the following keys and values: - `key: `, `cert: `, `cacert: `, - `crl: ` - Here CACertificate is used to verify the server certificate. - For mutual TLS, `cacert: ` can be provided in the - same secret or a separate secret named `-cacert`. - A TLS secret for client certificates with an additional - `ca.crt` key for CA certificates and `ca.crl` key for - certificate revocation list(CRL) is also supported. - Only one of client certificates and CA certificate - or credentialName can be specified. - - **NOTE:** This field is applicable at sidecars only if - `DestinationRule` has a `workloadSelector` specified. - Otherwise the field will be applicable only at gateways, and - sidecars will continue to use the certificate paths. - type: string - insecureSkipVerify: - description: |- - `insecureSkipVerify` specifies whether the proxy should skip verifying the - CA signature and SAN for the server certificate corresponding to the host. - The default value of this field is false. - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured - using TLS. The value of this field determines how TLS is enforced. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client's private key. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - sni: - description: |- - SNI string to present to the server during TLS handshake. - If unspecified, SNI will be automatically set based on downstream HTTP - host/authority header for SIMPLE and MUTUAL TLS modes. - type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate. If specified, the proxy will verify that the server - certificate's subject alt name matches one of the specified values. 
- If specified, this list overrides the value of subject_alt_names - from the ServiceEntry. If unspecified, automatic validation of upstream - presented certificate for new upstream connections will be done based on the - downstream HTTP host/authority header. - items: - type: string - type: array - type: object - type: object - type: array - connectTimeout: - description: |- - Connection timeout used by Envoy. (MUST BE >=1ms) - Default timeout is 10s. - type: string - defaultConfig: - description: |- - Default proxy config used by gateway and sidecars. - In case of Kubernetes, the proxy config is applied once during the injection process, - and remain constant for the duration of the pod. The rest of the mesh config can be changed - at runtime and config gets distributed dynamically. - On Kubernetes, this can be overridden on individual pods with the `proxy.istio.io/config` annotation. - properties: - availabilityZone: - description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' - type: string - binaryPath: - description: Path to the proxy binary - type: string - caCertificatesPem: - description: |- - The PEM data of the extra root certificates for workload-to-workload communication. - This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. - The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) - are added automatically by Istiod. - items: - type: string - type: array - concurrency: - description: |- - The number of worker threads to run. - If unset, which is recommended, this will be automatically determined based on CPU requests/limits. - If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance - issues if CPU limits are also set. - format: int32 - type: integer - configPath: - description: |- - Path to the generated configuration file directory. 
- Proxy agent generates the actual configuration and stores it in this directory. - type: string - controlPlaneAuthPolicy: - description: |- - AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. - Default is set to `MUTUAL_TLS`. - enum: - - NONE - - MUTUAL_TLS - - INHERIT - type: string - customConfigFile: - description: |- - File path of custom proxy configuration, currently used by proxies - in front of Mixer and Pilot. - type: string - discoveryAddress: - description: |- - Address of the discovery service exposing xDS with mTLS connection. - The inject configuration may override this value. - type: string - discoveryRefreshDelay: - description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' - type: string - drainDuration: - description: |- - restart. MUST be >=1s (e.g., _1s/1m/1h_) - Default drain duration is `45s`. - type: string - envoyAccessLogService: - description: |- - Address of the service to which access logs from Envoys should be - sent. (e.g. `accesslog-service:15000`). See [Access Log - Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto) - for details about Envoy's gRPC Access Log Service API. - properties: - address: - description: |- - Address of a remove service used for various purposes (access log - receiver, metrics receiver, etc.). Can be IP address or a fully - qualified DNS name. - type: string - tcpKeepalive: - description: If set then set `SO_KEEPALIVE` on the - socket to enable TCP Keepalives. - properties: - interval: - description: |- - The time duration between keep-alive probes. - Default is to use the OS level configuration - (unless overridden, Linux defaults to 75s.) - type: string - probes: - description: |- - Maximum number of keepalive probes to send without response before - deciding the connection is dead. Default is to use the OS level configuration - (unless overridden, Linux defaults to 9.) 
- format: int32 - type: integer - time: - description: |- - The time duration a connection needs to be idle before keep-alive - probes start being sent. Default is to use the OS level configuration - (unless overridden, Linux defaults to 7200s (ie 2 hours.) - type: string - type: object - tlsSettings: - description: |- - Use the `tlsSettings` to specify the tls mode to use. If the remote service - uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS - mode as `ISTIO_MUTUAL`. - properties: - caCertificates: - description: |- - OPTIONAL: The path to the file containing certificate authority - certificates to use in verifying a presented server certificate. If - omitted, the proxy will verify the server's certificate using - the OS CA certificates. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - caCrl: - description: |- - OPTIONAL: The path to the file containing the certificate revocation list (CRL) - to use in verifying a presented server certificate. `CRL` is a list of certificates - that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. - If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, - `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. - type: string - clientCertificate: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client-side TLS certificate to use. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - credentialName: - description: |- - The name of the secret that holds the TLS certs for the - client including the CA certificates. This secret must exist in - the namespace of the proxy using the certificates. 
- An Opaque secret should contain the following keys and values: - `key: `, `cert: `, `cacert: `, - `crl: ` - Here CACertificate is used to verify the server certificate. - For mutual TLS, `cacert: ` can be provided in the - same secret or a separate secret named `-cacert`. - A TLS secret for client certificates with an additional - `ca.crt` key for CA certificates and `ca.crl` key for - certificate revocation list(CRL) is also supported. - Only one of client certificates and CA certificate - or credentialName can be specified. - - **NOTE:** This field is applicable at sidecars only if - `DestinationRule` has a `workloadSelector` specified. - Otherwise the field will be applicable only at gateways, and - sidecars will continue to use the certificate paths. - type: string - insecureSkipVerify: - description: |- - `insecureSkipVerify` specifies whether the proxy should skip verifying the - CA signature and SAN for the server certificate corresponding to the host. - The default value of this field is false. - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured - using TLS. The value of this field determines how TLS is enforced. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client's private key. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - sni: - description: |- - SNI string to present to the server during TLS handshake. - If unspecified, SNI will be automatically set based on downstream HTTP - host/authority header for SIMPLE and MUTUAL TLS modes. - type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate. If specified, the proxy will verify that the server - certificate's subject alt name matches one of the specified values. 
- If specified, this list overrides the value of subject_alt_names - from the ServiceEntry. If unspecified, automatic validation of upstream - presented certificate for new upstream connections will be done based on the - downstream HTTP host/authority header. - items: - type: string - type: array - type: object - type: object - envoyMetricsService: - description: |- - Address of the Envoy Metrics Service implementation (e.g. `metrics-service:15000`). - See [Metric Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto) - for details about Envoy's Metrics Service API. - properties: - address: - description: |- - Address of a remove service used for various purposes (access log - receiver, metrics receiver, etc.). Can be IP address or a fully - qualified DNS name. - type: string - tcpKeepalive: - description: If set then set `SO_KEEPALIVE` on the - socket to enable TCP Keepalives. - properties: - interval: - description: |- - The time duration between keep-alive probes. - Default is to use the OS level configuration - (unless overridden, Linux defaults to 75s.) - type: string - probes: - description: |- - Maximum number of keepalive probes to send without response before - deciding the connection is dead. Default is to use the OS level configuration - (unless overridden, Linux defaults to 9.) - format: int32 - type: integer - time: - description: |- - The time duration a connection needs to be idle before keep-alive - probes start being sent. Default is to use the OS level configuration - (unless overridden, Linux defaults to 7200s (ie 2 hours.) - type: string - type: object - tlsSettings: - description: |- - Use the `tlsSettings` to specify the tls mode to use. If the remote service - uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS - mode as `ISTIO_MUTUAL`. 
- properties: - caCertificates: - description: |- - OPTIONAL: The path to the file containing certificate authority - certificates to use in verifying a presented server certificate. If - omitted, the proxy will verify the server's certificate using - the OS CA certificates. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - caCrl: - description: |- - OPTIONAL: The path to the file containing the certificate revocation list (CRL) - to use in verifying a presented server certificate. `CRL` is a list of certificates - that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. - If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, - `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. - type: string - clientCertificate: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client-side TLS certificate to use. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - credentialName: - description: |- - The name of the secret that holds the TLS certs for the - client including the CA certificates. This secret must exist in - the namespace of the proxy using the certificates. - An Opaque secret should contain the following keys and values: - `key: `, `cert: `, `cacert: `, - `crl: ` - Here CACertificate is used to verify the server certificate. - For mutual TLS, `cacert: ` can be provided in the - same secret or a separate secret named `-cacert`. - A TLS secret for client certificates with an additional - `ca.crt` key for CA certificates and `ca.crl` key for - certificate revocation list(CRL) is also supported. - Only one of client certificates and CA certificate - or credentialName can be specified. 
- - **NOTE:** This field is applicable at sidecars only if - `DestinationRule` has a `workloadSelector` specified. - Otherwise the field will be applicable only at gateways, and - sidecars will continue to use the certificate paths. - type: string - insecureSkipVerify: - description: |- - `insecureSkipVerify` specifies whether the proxy should skip verifying the - CA signature and SAN for the server certificate corresponding to the host. - The default value of this field is false. - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured - using TLS. The value of this field determines how TLS is enforced. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client's private key. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - sni: - description: |- - SNI string to present to the server during TLS handshake. - If unspecified, SNI will be automatically set based on downstream HTTP - host/authority header for SIMPLE and MUTUAL TLS modes. - type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate. If specified, the proxy will verify that the server - certificate's subject alt name matches one of the specified values. - If specified, this list overrides the value of subject_alt_names - from the ServiceEntry. If unspecified, automatic validation of upstream - presented certificate for new upstream connections will be done based on the - downstream HTTP host/authority header. - items: - type: string - type: array - type: object - type: object - envoyMetricsServiceAddress: - description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' - type: string - extraStatTags: - description: |- - An additional list of tags to extract from the in-proxy Istio telemetry. 
These extra tags can be - added by configuring the telemetry extension. Each additional tag needs to be present in this list. - Extra tags emitted by the telemetry extensions must be listed here so that they can be processed - and exposed as Prometheus metrics. - Deprecated: `istio.stats` is a native filter now, this field is no longer needed. - items: - type: string - type: array - gatewayTopology: - description: |- - Topology encapsulates the configuration which describes where the proxy is - located i.e. behind a (or N) trusted proxy (proxies) or directly exposed - to the internet. This configuration only effects gateways and is applied - to all the gateways in the cluster unless overridden via annotations of the - gateway workloads. - properties: - forwardClientCertDetails: - description: |- - Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) - header in the incoming request. - enum: - - UNDEFINED - - SANITIZE - - FORWARD_ONLY - - APPEND_FORWARD - - SANITIZE_SET - - ALWAYS_FORWARD_ONLY - type: string - numTrustedProxies: - description: |- - Number of trusted proxies deployed in front of the Istio gateway proxy. - When this option is set to value N greater than zero, the trusted client - address is assumed to be the Nth address from the right end of the - X-Forwarded-For (XFF) header from the incoming request. If the - X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the - gateway proxy falls back to using the immediate downstream connection's - source address as the trusted client address. - Note that the gateway proxy will append the downstream connection's source - address to the X-Forwarded-For (XFF) address and set the - X-Envoy-External-Address header to the trusted client address before - forwarding it to the upstream services in the cluster. - The default value of numTrustedProxies is 0. 
- See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) - header handling for more details. - format: int32 - type: integer - proxyProtocol: - description: |- - Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for - downstream connections on a gateway. - type: object - type: object - holdApplicationUntilProxyStarts: - description: |- - Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. - This feature adds hooks to delay application startup until the pod proxy - is ready to accept traffic, mitigating some startup race conditions. - Default value is 'false'. - type: boolean - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: |- - The image type of the image. - Istio publishes default, debug, and distroless images. - Other values are allowed if those image types (example: centos) are published to the specified hub. - supported values: default, debug, distroless. - type: string - type: object - interceptionMode: - description: The mode used to redirect inbound traffic - to Envoy. - enum: - - REDIRECT - - TPROXY - - NONE - type: string - meshId: - description: |- - The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) - All control planes running in the same service mesh should specify the same mesh ID. - Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together. - type: string - privateKeyProvider: - description: Specifies the details of the Private Key - Provider configuration for gateway and sidecar proxies. - properties: - cryptomb: - description: Use CryptoMb private key provider - properties: - fallback: - description: |- - If the private key provider isn’t available (eg. 
the required hardware capability doesn’t existed) - Envoy will fallback to the BoringSSL default implementation when the fallback is true. - The default value is false. - type: boolean - pollDelay: - description: |- - How long to wait until the per-thread processing queue should be processed. If the processing queue - gets full (eight sign or decrypt requests are received) it is processed immediately. - However, if the queue is not filled before the delay has expired, the requests already in the queue - are processed, even if the queue is not full. - In effect, this value controls the balance between latency and throughput. - The duration needs to be set to a value greater than or equal to 1 millisecond. - type: string - type: object - qat: - description: Use QAT private key provider - properties: - fallback: - description: |- - If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) - Envoy will fallback to the BoringSSL default implementation when the fallback is true. - The default value is false. - type: boolean - pollDelay: - description: |- - How long to wait before polling the hardware accelerator after a request has been submitted there. - Having a small value leads to quicker answers from the hardware but causes more polling loop spins, - leading to potentially larger CPU usage. - The duration needs to be set to a value greater than or equal to 1 millisecond. - type: string - type: object - type: object - x-kubernetes-validations: - - message: At most one of [cryptomb qat] should be set - rule: (has(self.cryptomb)?1:0) + (has(self.qat)?1:0) - <= 1 - proxyAdminPort: - description: |- - Port on which Envoy should listen for administrative commands. - Default port is `15000`. 
- format: int32 - type: integer - proxyBootstrapTemplatePath: - description: Path to the proxy bootstrap template file - type: string - proxyHeaders: - description: "Define the set of headers to add/modify - for HTTP request/responses.\n\nTo enable an optional - header, simply set the field. If no specific configuration - is required, an empty object (`{}`) will enable it.\nNote: - currently all headers are enabled by default.\n\nBelow - shows an example of customizing the `server` header - and disabling the `X-Envoy-Attempt-Count` header:\n\n```yaml\nproxyHeaders:\n\n\tserver:\n\t - \ value: \"my-custom-server\"\n\trequestId: {} // Explicitly - enable Request IDs. As this is the default, this has - no effect.\n\tattemptCount:\n\t disabled: true\n\n```\n\nSome - headers are enabled by default, and require explicitly - disabling. See below for an example of disabling all - default-enabled headers:\n\n```yaml\nproxyHeaders:\n\n\tforwardedClientCert: - SANITIZE\n\tserver:\n\t disabled: true\n\trequestId:\n\t - \ disabled: true\n\tattemptCount:\n\t disabled: true\n\tenvoyDebugHeaders:\n\t - \ disabled: true\n\tmetadataExchangeHeaders:\n\t mode: - IN_MESH\n\n```" - properties: - attemptCount: - description: |- - Controls the `X-Envoy-Attempt-Count` header. - If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. - If disabled, this header will not be set. If it is already present, it will be preserved. - This header is enabled by default if not configured. - properties: - disabled: - type: boolean - type: object - envoyDebugHeaders: - description: |- - Controls various `X-Envoy-*` headers, such as `X-Envoy-Overloaded` and `X-Envoy-Upstream-Service-Time`. If enabled, - these headers will be included. - If disabled, these headers will not be set. If they are already present, they will be preserved. 
- See the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers) for more details. - These headers are enabled by default if not configured. - properties: - disabled: - type: boolean - type: object - forwardedClientCert: - description: |- - Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting. - To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is). - By default, `APPEND_FORWARD` will be used. - enum: - - UNDEFINED - - SANITIZE - - FORWARD_ONLY - - APPEND_FORWARD - - SANITIZE_SET - - ALWAYS_FORWARD_ONLY - type: string - metadataExchangeHeaders: - description: |- - Controls Istio metadata exchange headers `X-Envoy-Peer-Metadata` and `X-Envoy-Peer-Metadata-Id`. - By default, the behavior is unspecified. - If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh. - properties: - mode: - enum: - - UNDEFINED - - IN_MESH - type: string - type: object - requestId: - description: |- - Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set. - This applies to all types of traffic (inbound, outbound, and gateways). - If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. - Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. - This header is enabled by default if not configured. - properties: - disabled: - type: boolean - type: object - server: - description: |- - Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways). 
- If disabled, the `Server` header is not modified. If it is already present, it will be preserved. - properties: - disabled: - type: boolean - value: - description: If set, and the server header is - enabled, this value will be set as the server - header. By default, `istio-envoy` will be used. - type: string - type: object - setCurrentClientCertDetails: - description: |- - This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET - and the client connection is mTLS. It specifies the fields in - the client certificate to be forwarded. Note that `Hash` is always set, and - `By` is always set when the client certificate presents the URI type Subject Alternative Name value. - properties: - cert: - description: |- - Whether to forward the entire client cert in URL encoded PEM format. This will appear in the - XFCC header comma separated from other values with the value Cert="PEM". - Defaults to false. - type: boolean - chain: - description: |- - Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM - format. This will appear in the XFCC header comma separated from other values with the value - Chain="PEM". - Defaults to false. - type: boolean - dns: - description: |- - Whether to forward the DNS type Subject Alternative Names of the client cert. - Defaults to true. - type: boolean - subject: - description: Whether to forward the subject of - the client cert. Defaults to true. - type: boolean - uri: - description: |- - Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to - true. - type: boolean - type: object - type: object - proxyMetadata: - additionalProperties: - type: string - description: |- - Additional environment variables for the proxy. - Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server. 
- type: object - proxyStatsMatcher: - description: "Proxy stats matcher defines configuration - for reporting custom Envoy stats.\nTo reduce memory - and CPU overhead from Envoy stats system, Istio proxies - by\ndefault create and expose only a subset of Envoy - stats. This option is to\ncontrol creation of additional - Envoy stats with prefix, suffix, and regex\nexpressions - match on the name of the stats. This replaces the stats\ninclusion - annotations\n(`sidecar.istio.io/statsInclusionPrefixes`,\n`sidecar.istio.io/statsInclusionRegexps`, - and\n`sidecar.istio.io/statsInclusionSuffixes`). For - example, to enable stats\nfor circuit breakers, request - retries, upstream connections, and request timeouts,\nyou - can specify stats matcher as follows:\n```yaml\nproxyStatsMatcher:\n\n\tinclusionRegexps:\n\t - \ - .*outlier_detection.*\n\t - .*upstream_rq_retry.*\n\t - \ - .*upstream_cx_.*\n\tinclusionSuffixes:\n\t - upstream_rq_timeout\n\n```\nNote - including more Envoy stats might increase number of - time series\ncollected by prometheus significantly. - Care needs to be taken on Prometheus\nresource provision - and configuration to reduce cardinality." - properties: - inclusionPrefixes: - description: Proxy stats name prefix matcher for inclusion. - items: - type: string - type: array - inclusionRegexps: - description: Proxy stats name regexps matcher for - inclusion. - items: - type: string - type: array - inclusionSuffixes: - description: Proxy stats name suffix matcher for inclusion. - items: - type: string - type: array - type: object - readinessProbe: - description: |- - VM Health Checking readiness probe. This health check config exactly mirrors the - kubernetes readiness probe configuration both in schema and logic. - Only one health check method of 3 can be set at a time. - properties: - exec: - description: Exec specifies the action to take. 
- properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a - GRPC port. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. 
- type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. 
- The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - runtimeValues: - additionalProperties: - type: string - description: |- - Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping. - This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution. - type: object - sds: - description: |- - Secret Discovery Service(SDS) configuration to be used by the proxy. - - Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto. - properties: - enabled: - description: True if SDS is enabled. - type: boolean - k8sSaJwtPath: - description: Path of k8s service account JWT path. - type: string - type: object - serviceCluster: - description: |- - Service cluster defines the name for the `service_cluster` that is - shared by all Envoy instances. This setting corresponds to - `--service-cluster` flag in Envoy. 
In a typical Envoy deployment, the - `service-cluster` flag is used to identify the caller, for - source-based routing scenarios. - - Since Istio does not assign a local `service/service` version to each - Envoy instance, the name is same for all of them. However, the - source/caller's identity (e.g., IP address) is encoded in the - `--service-node` flag when launching Envoy. When the RDS service - receives API calls from Envoy, it uses the value of the `service-node` - flag to compute routes that are relative to the service instances - located at that IP address. - type: string - statNameLength: - description: |- - Maximum length of name field in Envoy's metrics. The length of the name field - is determined by the length of a name field in a service and the set of labels that - comprise a particular version of the service. The default value is set to 189 characters. - Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. - Increase the value of this field if you find that the metrics from Envoys are truncated. - format: int32 - type: integer - statsdUdpAddress: - description: IP Address and Port of a statsd UDP listener - (e.g. `10.75.241.127:9125`). - type: string - statusPort: - description: |- - Port on which the agent should listen for administrative commands such as readiness probe. - Default is set to port `15020`. - format: int32 - type: integer - terminationDrainDuration: - description: |- - The amount of time allowed for connections to complete on proxy shutdown. - On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, - discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. - If not set, a default of `5s` will be applied. - type: string - tracing: - description: Tracing configuration to be used by the proxy. 
- properties: - customTags: - additionalProperties: - description: |- - Configure custom tags that will be added to any active span. - Tags can be generated via literals, environment variables or an incoming request header. - properties: - environment: - description: |- - The custom tag's value should be populated from an environmental - variable - properties: - defaultValue: - description: |- - When the environment variable is not found, - the tag's value will be populated with this default value if specified, - otherwise the tag will not be populated. - type: string - name: - description: Name of the environment variable - used to populate the tag's value - type: string - type: object - header: - description: |- - The custom tag's value is populated by an http header from - an incoming request. - properties: - defaultValue: - description: |- - Default value to be used for the tag when the named HTTP header does not exist. - The tag will be skipped if no default value is provided. - type: string - name: - description: HTTP header name used to obtain - the value from to populate the tag value. - type: string - type: object - literal: - description: The custom tag's value is the specified - literal. - properties: - value: - description: Static literal value used to - populate the tag value. - type: string - type: object - type: object - x-kubernetes-validations: - - message: At most one of [literal environment header] - should be set - rule: (has(self.literal)?1:0) + (has(self.environment)?1:0) - + (has(self.header)?1:0) <= 1 - description: "and gateways).\nThe key represents the - name of the tag.\nEx:\n```yaml\ncustom_tags:\n\n\tnew_tag_name:\n\t - \ header:\n\t name: custom-http-header-name\n\t - \ default_value: defaulted-value-from-custom-header\n\n```" - type: object - datadog: - description: Use a Datadog tracer. - properties: - address: - description: Address of the Datadog Agent. 
- type: string - type: object - lightstep: - description: |- - Use a Lightstep tracer. - NOTE: For Istio 1.15+, this configuration option will result - in using OpenTelemetry-based Lightstep integration. - properties: - accessToken: - description: The Lightstep access token. - type: string - address: - description: Address of the Lightstep Satellite - pool. - type: string - type: object - maxPathTagLength: - description: |- - Configures the maximum length of the request path to extract and include in the - HttpUrl tag. Used to truncate length request paths to meet the needs of tracing - backend. If not set, then a length of 256 will be used. - format: int32 - type: integer - openCensusAgent: - description: Use an OpenCensus tracer exporting to - an OpenCensus agent. - properties: - address: - description: |- - gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or - unix:path). See [gRPC naming - docs](https://github.com/grpc/grpc/blob/master/doc/naming.md) for - details. - type: string - context: - description: |- - Specifies the set of context propagation headers used for distributed - tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified, - the proxy will attempt to read each header for each request and will - write all headers. - items: - description: |- - TraceContext selects the context propagation headers used for - distributed tracing. - enum: - - UNSPECIFIED - - W3C_TRACE_CONTEXT - - GRPC_BIN - - CLOUD_TRACE_CONTEXT - - B3 - type: string - type: array - type: object - sampling: - description: |- - The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, - if not requested by the client or not forced. Default is 1.0. - type: number - stackdriver: - description: Use a Stackdriver tracer. - properties: - debug: - description: debug enables trace output to stdout. 
- type: boolean - maxNumberOfAnnotations: - description: |- - The global default max number of annotation events per span. - default is 200. - format: int64 - type: integer - maxNumberOfAttributes: - description: |- - The global default max number of attributes per span. - default is 200. - format: int64 - type: integer - maxNumberOfMessageEvents: - description: |- - The global default max number of message events per span. - default is 200. - format: int64 - type: integer - type: object - tlsSettings: - description: |- - Use the tlsSettings to specify the tls mode to use. If the remote tracing service - uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS - mode as `ISTIO_MUTUAL`. - properties: - caCertificates: - description: |- - OPTIONAL: The path to the file containing certificate authority - certificates to use in verifying a presented server certificate. If - omitted, the proxy will verify the server's certificate using - the OS CA certificates. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - caCrl: - description: |- - OPTIONAL: The path to the file containing the certificate revocation list (CRL) - to use in verifying a presented server certificate. `CRL` is a list of certificates - that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. - If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, - `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. - type: string - clientCertificate: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client-side TLS certificate to use. - Should be empty if mode is `ISTIO_MUTUAL`. 
- type: string - credentialName: - description: |- - The name of the secret that holds the TLS certs for the - client including the CA certificates. This secret must exist in - the namespace of the proxy using the certificates. - An Opaque secret should contain the following keys and values: - `key: `, `cert: `, `cacert: `, - `crl: ` - Here CACertificate is used to verify the server certificate. - For mutual TLS, `cacert: ` can be provided in the - same secret or a separate secret named `-cacert`. - A TLS secret for client certificates with an additional - `ca.crt` key for CA certificates and `ca.crl` key for - certificate revocation list(CRL) is also supported. - Only one of client certificates and CA certificate - or credentialName can be specified. - - **NOTE:** This field is applicable at sidecars only if - `DestinationRule` has a `workloadSelector` specified. - Otherwise the field will be applicable only at gateways, and - sidecars will continue to use the certificate paths. - type: string - insecureSkipVerify: - description: |- - `insecureSkipVerify` specifies whether the proxy should skip verifying the - CA signature and SAN for the server certificate corresponding to the host. - The default value of this field is false. - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured - using TLS. The value of this field determines how TLS is enforced. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client's private key. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - sni: - description: |- - SNI string to present to the server during TLS handshake. - If unspecified, SNI will be automatically set based on downstream HTTP - host/authority header for SIMPLE and MUTUAL TLS modes. 
- type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate. If specified, the proxy will verify that the server - certificate's subject alt name matches one of the specified values. - If specified, this list overrides the value of subject_alt_names - from the ServiceEntry. If unspecified, automatic validation of upstream - presented certificate for new upstream connections will be done based on the - downstream HTTP host/authority header. - items: - type: string - type: array - type: object - zipkin: - description: Use a Zipkin tracer. - properties: - address: - description: Address of the Zipkin service (e.g. - _zipkin:9411_). - type: string - type: object - type: object - x-kubernetes-validations: - - message: At most one of [zipkin lightstep datadog stackdriver - openCensusAgent] should be set - rule: (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) - + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) - + (has(self.openCensusAgent)?1:0) <= 1 - tracingServiceName: - description: |- - Used by Envoy proxies to assign the values for the service names in trace - spans. - enum: - - APP_LABEL_AND_NAMESPACE - - CANONICAL_NAME_ONLY - - CANONICAL_NAME_AND_NAMESPACE - type: string - zipkinAddress: - description: |- - Address of the Zipkin service (e.g. _zipkin:9411_). - DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead. - - Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto. - type: string - type: object - x-kubernetes-validations: - - message: At most one of [serviceCluster tracingServiceName] - should be set - rule: (has(self.serviceCluster)?1:0) + (has(self.tracingServiceName)?1:0) - <= 1 - defaultDestinationRuleExportTo: - description: |- - The default value for the `DestinationRule.exportTo` field. Has the same - syntax as `defaultServiceExportTo`. 
- - If not set the system will use "*" as the default value which implies that - destination rules are exported to all namespaces - items: - type: string - type: array - defaultHttpRetryPolicy: - description: "Configure the default HTTP retry policy.\nThe - default number of retry attempts is set at 2 for these errors:\n\n\t\"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes\".\n\nSetting - the number of attempts to 0 disables retry policy globally.\nThis - setting can be overridden on a per-host basis using the - Virtual Service\nAPI.\nAll settings in the retry policy - except `perTryTimeout` can currently be\nconfigured globally - via this field." - properties: - attempts: - description: |- - Number of retries to be allowed for a given request. The interval - between retries will be determined automatically (25ms+). When request - `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute) - or `per_try_timeout` is configured, the actual number of retries attempted also depends on - the specified request `timeout` and `per_try_timeout` values. MUST BE >= 0. If `0`, retries will be disabled. - The maximum possible number of requests made will be 1 + `attempts`. - format: int32 - type: integer - perTryTimeout: - description: |- - Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms. - Default is same value as request - `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute), - which means no timeout. - type: string - retryOn: - description: |- - Specifies the conditions under which retry takes place. - One or more policies can be specified using a ‘,’ delimited list. 
- See the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on) - and [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on) for more details. - - In addition to the policies specified above, a list of HTTP status codes can be passed, such as `retryOn: "503,reset"`. - Note these status codes refer to the actual responses received from the destination. - For example, if a connection is reset, Istio will translate this to 503 for it's response. - However, the destination did not return a 503 error, so this would not match `"503"` (it would, however, match `"reset"`). - - If not specified, this defaults to `connect-failure,refused-stream,unavailable,cancelled,503`. - type: string - retryRemoteLocalities: - description: |- - Flag to specify whether the retries should retry to other localities. - See the [retry plugin configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration) for more details. - type: boolean - type: object - defaultProviders: - description: Specifies extension providers to use by default - in Istio configuration resources. - properties: - accessLogging: - description: Name of the default provider(s) for access - logging. - items: - type: string - type: array - metrics: - description: Name of the default provider(s) for metrics. - items: - type: string - type: array - tracing: - description: Name of the default provider(s) for tracing. - items: - type: string - type: array - type: object - defaultServiceExportTo: - description: |- - The default value for the ServiceEntry.exportTo field and services - imported through container registry integrations, e.g. this applies to - Kubernetes Service resources. The value is a list of namespace names and - reserved namespace aliases. 
The allowed namespace aliases are: - ``` - * - All Namespaces - . - Current Namespace - ~ - No Namespace - ``` - If not set the system will use "*" as the default value which implies that - services are exported to all namespaces. - - `All namespaces` is a reasonable default for implementations that don't - need to restrict access or visibility of services across namespace - boundaries. If that requirement is present it is generally good practice to - make the default `Current namespace` so that services are only visible - within their own namespaces by default. Operators can then expand the - visibility of services to other namespaces as needed. Use of `No Namespace` - is expected to be rare but can have utility for deployments where - dependency management needs to be precise even within the scope of a single - namespace. - - For further discussion see the reference documentation for `ServiceEntry`, - `Sidecar`, and `Gateway`. - items: - type: string - type: array - defaultVirtualServiceExportTo: - description: |- - The default value for the VirtualService.exportTo field. Has the same - syntax as `defaultServiceExportTo`. - - If not set the system will use "*" as the default value which implies that - virtual services are exported to all namespaces - items: - type: string - type: array - disableEnvoyListenerLog: - description: |- - This flag disables Envoy Listener logs. - See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log) - Istio Enables Envoy's listener access logs on "NoRoute" response flag. - Default value is `false`. - type: boolean - discoverySelectors: - description: |- - A list of Kubernetes selectors that specify the set of namespaces that Istio considers when - computing configuration updates for sidecars. 
This can be used to reduce Istio's computational load - by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. - If omitted, Istio will use the default behavior of processing all namespaces in the cluster. - Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. - The following example selects any namespace that matches either below: - 1. The namespace has both of these labels: `env: prod` and `region: us-east1` - 2. The namespace has label `app` equal to `cassandra` or `spark`. - ```yaml - discoverySelectors: - - matchLabels: - env: prod - region: us-east1 - - matchExpressions: - - key: app - operator: In - values: - - cassandra - - spark - - ``` - Refer to the [Kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) - for additional detail on selector semantics. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - dnsRefreshRate: - description: |- - Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS` - Default refresh rate is `60s`. - type: string - enableAutoMtls: - description: |- - This flag is used to enable mutual `TLS` automatically for service to service communication - within the mesh, default true. - If set to true, and a given service does not have a corresponding `DestinationRule` configured, - or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side - TLS configuration appropriately. More specifically, - If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate - for mutual `TLS` to connect to upstream. - If upstream service is in plain text mode, use plain text. - If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use - mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic. - If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead. - type: boolean - enableEnvoyAccessLogService: - description: |- - This flag enables Envoy's gRPC Access Log Service. - See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto) - for details about Envoy's gRPC Access Log Service API. 
- Default value is `false`. - type: boolean - enablePrometheusMerge: - description: |- - If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy - and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod - and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. - This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and - `prometheus.io/path` annotations. - If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. - In this case, it is recommended to disable aggregation on that deployment with the - `prometheus.istio.io/merge-metrics: "false"` annotation. - If not specified, this will be enabled by default. - type: boolean - enableTracing: - description: |- - Flag to control generation of trace spans and request IDs. - Requires a trace span collector defined in the proxy configuration. - type: boolean - extensionProviders: - description: |- - Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy - can be used with an extension provider to delegate the authorization decision to a custom authorization system. - items: - properties: - datadog: - description: Configures a Datadog tracing provider. - properties: - maxTagLength: - description: |- - Optional. Controls the overall path length allowed in a reported span. - NOTE: currently only controls max length of the path tag. - format: int32 - type: integer - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service for the Datadog agent. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. 
The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com". - type: string - required: - - port - - service - type: object - envoyExtAuthzGrpc: - description: Configures an external authorizer that - implements the Envoy ext_authz filter authorization - check service using the gRPC API. - properties: - failOpen: - description: |- - If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, - or if the authorization service has returned a HTTP 5xx error. - Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately. - type: boolean - includeRequestBodyInCheck: - description: If set, the client request body will - be included in the authorization request sent - to the authorization service. - properties: - allowPartialMessage: - description: |- - When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. - The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. - A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message - indicating if the body data is partial. - type: boolean - maxRequestBytes: - description: |- - Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). - Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the - failOpen is set to true. 
- format: int32 - type: integer - packAsBytes: - description: |- - If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes - in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). - Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. - type: boolean - type: object - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". - type: string - statusOnError: - description: |- - Sets the HTTP status that is returned to the client when there is a network error to the authorization service. - The default status is "403" (HTTP Forbidden). - type: string - timeout: - description: |- - The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). - When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `failOpen` field. 
- type: string - required: - - port - - service - type: object - envoyExtAuthzHttp: - description: Configures an external authorizer that - implements the Envoy ext_authz filter authorization - check service using the HTTP API. - properties: - failOpen: - description: |- - If true, the user request will be allowed even if the communication with the authorization service has failed, - or if the authorization service has returned a HTTP 5xx error. - Default is false and the request will be rejected with "Forbidden" response. - type: boolean - headersToDownstreamOnAllow: - description: |- - List of headers from the authorization service that should be forwarded to downstream when the authorization - check result is allowed (HTTP code 200). - If not specified, the original response will not be modified and forwarded to downstream as-is. - Note, any existing headers will be overridden. - - Exact, prefix and suffix matches are supported (similar to the - [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) - except the presence match): - - Exact match: "abc" will match on value "abc". - - Prefix match: "abc*" will match on value "abc" and "abcd". - - Suffix match: "*abc" will match on value "abc" and "xabc". - items: - type: string - type: array - headersToDownstreamOnDeny: - description: |- - List of headers from the authorization service that should be forwarded to downstream when the authorization - check result is not allowed (HTTP code other than 200). - If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to - the downstream. - When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are - automatically added. - Note, the body from the authorization service is always included in the response to downstream. 
- - Exact, prefix and suffix matches are supported (similar to the - [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) - except the presence match): - - Exact match: "abc" will match on value "abc". - - Prefix match: "abc*" will match on value "abc" and "abcd". - - Suffix match: "*abc" will match on value "abc" and "xabc". - items: - type: string - type: array - headersToUpstreamOnAllow: - description: |- - List of headers from the authorization service that should be added or overridden in the original request and - forwarded to the upstream when the authorization check result is allowed (HTTP code 200). - If not specified, the original request will not be modified and forwarded to backend as-is. - Note, any existing headers will be overridden. - - Exact, prefix and suffix matches are supported (similar to the - [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) - except the presence match): - - Exact match: "abc" will match on value "abc". - - Prefix match: "abc*" will match on value "abc" and "abcd". - - Suffix match: "*abc" will match on value "abc" and "xabc". - items: - type: string - type: array - includeAdditionalHeadersInCheck: - additionalProperties: - type: string - description: |- - Set of additional fixed headers that should be included in the authorization request sent to the authorization service. - Key is the header name and value is the header value. - Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. - type: object - includeHeadersInCheck: - description: |- - DEPRECATED. Use includeRequestHeadersInCheck instead. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. 
- items: - type: string - type: array - includeRequestBodyInCheck: - description: If set, the client request body will - be included in the authorization request sent - to the authorization service. - properties: - allowPartialMessage: - description: |- - When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. - The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. - A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message - indicating if the body data is partial. - type: boolean - maxRequestBytes: - description: |- - Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). - Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the - failOpen is set to true. - format: int32 - type: integer - packAsBytes: - description: |- - If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes - in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). - Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. - type: boolean - type: object - includeRequestHeadersInCheck: - description: |- - List of client request headers that should be included in the authorization request sent to the authorization service. 
- Note that in addition to the headers specified here following headers are included by default: - 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. - 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), - consequently the value of Content-Length of the authorization request reflects the size of its payload size. - - Exact, prefix and suffix matches are supported (similar to the - [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) - except the presence match): - - Exact match: "abc" will match on value "abc". - - Prefix match: "abc*" will match on value "abc" and "abcd". - - Suffix match: "*abc" will match on value "abc" and "xabc". - items: - type: string - type: array - pathPrefix: - description: |- - Sets a prefix to the value of authorization request header *Path*. - For example, setting this to "/check" for an original user request at path "/admin" will cause the - authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin". - type: string - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". - type: string - statusOnError: - description: |- - Sets the HTTP status that is returned to the client when there is a network error to the authorization service. 
- The default status is "403" (HTTP Forbidden). - type: string - timeout: - description: |- - The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). - When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `failOpen` field. - type: string - required: - - port - - service - type: object - envoyFileAccessLog: - description: Configures an Envoy File Access Log provider. - properties: - logFormat: - description: Optional. Allows overriding of the - default access log format. - properties: - labels: - additionalProperties: - type: string - description: "JSON structured format for the - envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan - be used as values for fields within the Struct. - Values are rendered\nas strings, numbers, - or boolean values, as appropriate\n(see: [format - dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). - Nested JSON is\nsupported for some command - operators (e.g. `FILTER_STATE` or `DYNAMIC_METADATA`).\nUse - `labels: {}` for default envoy JSON log format.\n\nExample:\n```\nlabels:\n\n\tstatus: - \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" - type: object - text: - description: |- - Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be - used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) - provides more information. - - NOTE: Istio will insert a newline ('\n') on all formats (if missing). 
- - Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` - type: string - type: object - x-kubernetes-validations: - - message: At most one of [text labels] should be - set - rule: (has(self.text)?1:0) + (has(self.labels)?1:0) - <= 1 - path: - description: |- - Path to a local file to write the access log entries. - This may be used to write to streams, via `/dev/stderr` and `/dev/stdout` - If unspecified, defaults to `/dev/stdout`. - type: string - type: object - envoyHttpAls: - description: Configures an Envoy Access Logging Service - provider for HTTP traffic. - properties: - additionalRequestHeadersToLog: - description: Optional. Additional request headers - to log. - items: - type: string - type: array - additionalResponseHeadersToLog: - description: Optional. Additional response headers - to log. - items: - type: string - type: array - additionalResponseTrailersToLog: - description: Optional. Additional response trailers - to log. - items: - type: string - type: array - filterStateObjectsToLog: - description: Optional. Additional filter state objects - to log. - items: - type: string - type: array - logName: - description: |- - Optional. The friendly name of the access log. - Defaults: - - "http_envoy_accesslog" - - "listener_envoy_accesslog" - type: string - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". 
- type: string - required: - - port - - service - type: object - envoyOtelAls: - description: Configures an Envoy Open Telemetry Access - Logging Service provider. - properties: - logFormat: - description: |- - Optional. Format for the proxy access log - Empty value results in proxy's default access log format, following Envoy access logging formatting. - properties: - labels: - additionalProperties: - type: string - description: "Optional. Additional attributes - that describe the specific event occurrence.\nStructured - format for the envoy access logs. Envoy [command - operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan - be used as values for fields within the Struct. - Values are rendered\nas strings, numbers, - or boolean values, as appropriate\n(see: [format - dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). - Nested JSON is\nsupported for some command - operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: - \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" - type: object - text: - description: |- - Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be - used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) - provides more information. 
- Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) - Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` - type: string - type: object - logName: - description: |- - Optional. The friendly name of the access log. - Defaults: - - "otel_envoy_accesslog" - type: string - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". - type: string - required: - - port - - service - type: object - envoyTcpAls: - description: Configures an Envoy Access Logging Service - provider for TCP traffic. - properties: - filterStateObjectsToLog: - description: Optional. Additional filter state objects - to log. - items: - type: string - type: array - logName: - description: |- - Optional. The friendly name of the access log. - Defaults: - - "tcp_envoy_accesslog" - - "listener_envoy_accesslog" - type: string - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". 
- type: string - required: - - port - - service - type: object - lightstep: - description: |- - Configures a Lightstep tracing provider. - Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027 - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. - properties: - accessToken: - description: The Lightstep access token. - type: string - maxTagLength: - description: |- - Optional. Controls the overall path length allowed in a reported span. - NOTE: currently only controls max length of the path tag. - format: int32 - type: integer - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service for the Lightstep collector. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com". - type: string - required: - - port - - service - type: object - name: - description: REQUIRED. A unique name identifying the - extension provider. - type: string - opencensus: - description: |- - Configures an OpenCensusAgent tracing provider. - Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/ - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. - properties: - context: - description: |- - Specifies the set of context propagation headers used for distributed - tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified, - the proxy will attempt to read each header for each request and will - write all headers. 
- items: - description: |- - TraceContext selects the context propagation headers used for - distributed tracing. - enum: - - UNSPECIFIED - - W3C_TRACE_CONTEXT - - GRPC_BIN - - CLOUD_TRACE_CONTEXT - - B3 - type: string - type: array - maxTagLength: - description: |- - Optional. Controls the overall path length allowed in a reported span. - NOTE: currently only controls max length of the path tag. - format: int32 - type: integer - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service for the OpenCensusAgent. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com". - type: string - required: - - port - - service - type: object - opentelemetry: - description: Configures an OpenTelemetry tracing provider. - properties: - dynatraceSampler: - description: |- - The Dynatrace adaptive traffic management (ATM) sampler. - - Example configuration: - - ```yaml - - name: otel-tracing - opentelemetry: - port: 443 - service: "{your-environment-id}.live.dynatrace.com" - http: - path: "/api/v2/otlp/v1/traces" - timeout: 10s - headers: - - name: "Authorization" - value: "Api-Token dt0c01." - resourceDetectors: - dynatrace: {} - dynatraceSampler: - tenant: "{your-environment-id}" - clusterId: 1234 - properties: - clusterId: - description: |- - REQUIRED. The identifier of the cluster in the Dynatrace platform. - The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy. - - The value can be obtained from the Istio deployment page in Dynatrace. - format: int32 - type: integer - httpService: - description: |- - Optional. 
Dynatrace HTTP API to obtain sampling configuration. - - When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter - (`service`, `port` and `http`), including the access token. - properties: - http: - description: REQUIRED. Specifies sampling - configuration URI. - properties: - headers: - description: |- - Optional. Allows specifying custom HTTP headers that will be added - to each HTTP request sent. - items: - properties: - name: - description: REQUIRED. The HTTP - header name. - type: string - value: - description: REQUIRED. The HTTP - header value. - type: string - required: - - name - - value - type: object - type: array - path: - description: REQUIRED. Specifies the - path on the service. - type: string - timeout: - description: |- - Optional. Specifies the timeout for the HTTP request. - If not specified, the default is 3s. - type: string - required: - - path - type: object - port: - description: REQUIRED. Specifies the port - of the service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration. - The format is ``, where `` is the fully qualified Dynatrace environment - host name defined in the ServiceEntry. - - Example: "{your-environment-id}.live.dynatrace.com". - type: string - required: - - http - - port - - service - type: object - rootSpansPerMinute: - description: |- - Optional. Number of sampled spans per minute to be used - when the adaptive value cannot be obtained from the Dynatrace API. - - A default value of `1000` is used when: - - - `rootSpansPerMinute` is unset - - `rootSpansPerMinute` is set to 0 - format: int32 - type: integer - tenant: - description: |- - REQUIRED. The Dynatrace customer's tenant identifier. - - The value can be obtained from the Istio deployment page in Dynatrace. - type: string - required: - - clusterId - - tenant - type: object - grpc: - description: "Optional. 
Specifies the configuration - for exporting OTLP traces via GRPC.\nWhen empty, - traces will check whether HTTP is set.\nIf not, - traces will use default GRPC configurations.\n\nThe - following example shows how to configure the OpenTelemetry - ExtensionProvider to export via GRPC:\n\n1. Add/change - the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n - \ - name: opentelemetry\n opentelemetry:\n - \ port: 8090\n service: tracing.example.com\n - \ grpc:\n timeout: 10s\n initialMetadata:\n - \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. - Deploy a `ServiceEntry` for the observability - back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: - ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- - tracing.example.com\n\tports:\n\t- number: 8090\n\t - \ name: grpc-port\n\t protocol: GRPC\n\tresolution: - DNS\n\tlocation: MESH_EXTERNAL\n\n```" - properties: - initialMetadata: - description: |- - Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for - scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to - be injected. - items: - properties: - name: - description: REQUIRED. The HTTP header - name. - type: string - value: - description: REQUIRED. The HTTP header - value. - type: string - required: - - name - - value - type: object - type: array - timeout: - description: Optional. Specifies the timeout - for the GRPC request. - type: string - type: object - http: - description: "Optional. Specifies the configuration - for exporting OTLP traces via HTTP.\nWhen empty, - traces will be exported via gRPC.\n\nThe following - example shows how to configure the OpenTelemetry - ExtensionProvider to export via HTTP:\n\n1. 
Add/change - the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n - \ - name: otel-tracing\n opentelemetry:\n port: - 443\n service: my.olly-backend.com\n http:\n - \ path: \"/api/otlp/traces\"\n timeout: 10s\n - \ headers:\n - name: \"my-custom-header\"\n - \ value: \"some value\"\n\n```\n\n2. Deploy - a `ServiceEntry` for the observability back-end\n```yaml\napiVersion: - networking.istio.io/v1alpha3\nkind: ServiceEntry\nmetadata:\n\n\tname: - my-olly-backend\n\nspec:\n\n\thosts:\n\t- my.olly-backend.com\n\tports:\n\t- - number: 443\n\t name: https-port\n\t protocol: - HTTPS\n\tresolution: DNS\n\tlocation: MESH_EXTERNAL\n\n---\napiVersion: - networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n\n\tname: - my-olly-backend\n\nspec:\n\n\thost: my.olly-backend.com\n\ttrafficPolicy:\n\t - \ portLevelSettings:\n\t - port:\n\t number: - 443\n\t tls:\n\t mode: SIMPLE\n\n```" - properties: - headers: - description: |- - Optional. Allows specifying custom HTTP headers that will be added - to each HTTP request sent. - items: - properties: - name: - description: REQUIRED. The HTTP header - name. - type: string - value: - description: REQUIRED. The HTTP header - value. - type: string - required: - - name - - value - type: object - type: array - path: - description: REQUIRED. Specifies the path on - the service. - type: string - timeout: - description: |- - Optional. Specifies the timeout for the HTTP request. - If not specified, the default is 3s. - type: string - required: - - path - type: object - maxTagLength: - description: |- - Optional. Controls the overall path length allowed in a reported span. - NOTE: currently only controls max length of the path tag. - format: int32 - type: integer - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - resourceDetectors: - description: |- - Optional. 
Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) - to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged - according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). - - The following example shows how to configure the Environment Resource Detector, that will - read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`: - - ```yaml - - name: otel-tracing - opentelemetry: - port: 443 - service: my.olly-backend.com - resourceDetectors: - environment: {} - - ``` - properties: - dynatrace: - description: |- - Dynatrace Resource Detector. - The resource detector reads from the Dynatrace enrichment files - and adds host/process related attributes to the OpenTelemetry resource. - - See: [Enrich ingested data with Dynatrace-specific dimensions](https://docs.dynatrace.com/docs/shortlink/enrichment-files) - type: object - environment: - description: |- - OpenTelemetry Environment Resource Detector. - The resource detector reads attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES` - and adds them to the OpenTelemetry resource. - - See: [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable) - type: object - type: object - service: - description: |- - REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com". 
- type: string - required: - - port - - service - type: object - x-kubernetes-validations: - - message: At most one of [dynatraceSampler] should - be set - rule: (has(self.dynatraceSampler)?1:0) <= 1 - prometheus: - description: Configures a Prometheus metrics provider. - type: object - skywalking: - description: Configures a Apache SkyWalking provider. - properties: - accessToken: - description: Optional. The SkyWalking OAP access - token. - type: string - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service for the SkyWalking receiver. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com". - type: string - required: - - port - - service - type: object - stackdriver: - description: Configures a Stackdriver provider. - properties: - debug: - description: |- - debug enables trace output to stdout. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. - type: boolean - logging: - description: Optional. Controls Stackdriver logging - behavior. - properties: - labels: - additionalProperties: - type: string - description: "Collection of tag names and tag - expressions to include in the log\nentry. - Conflicts are resolved by the tag name by - overriding previously\nsupplied values.\n\nExample:\n\n\tlabels:\n\t - \ path: request.url_path\n\t foo: request.headers['x-foo']" - type: object - type: object - maxNumberOfAnnotations: - description: |- - The global default max number of annotation events per span. - default is 200. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. 
- format: int64 - type: integer - maxNumberOfAttributes: - description: |- - The global default max number of attributes per span. - default is 200. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. - format: int64 - type: integer - maxNumberOfMessageEvents: - description: |- - The global default max number of message events per span. - default is 200. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. - format: int64 - type: integer - maxTagLength: - description: |- - Optional. Controls the overall path length allowed in a reported span. - NOTE: currently only controls max length of the path tag. - format: int32 - type: integer - type: object - zipkin: - description: Configures a tracing provider that uses - the Zipkin API. - properties: - enable64bitTraceId: - description: |- - Optional. A 128 bit trace id will be used in Istio. - If true, will result in a 64 bit trace id being used. - type: boolean - maxTagLength: - description: |- - Optional. Controls the overall path length allowed in a reported span. - NOTE: currently only controls max length of the path tag. - format: int32 - type: integer - path: - description: |- - Optional. Specifies the endpoint of Zipkin API. - The default value is "/api/v2/spans". - type: string - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service that the Zipkin API. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com". 
- type: string - required: - - port - - service - type: object - required: - - name - type: object - x-kubernetes-validations: - - message: At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc - zipkin lightstep datadog stackdriver opencensus skywalking - opentelemetry prometheus envoyFileAccessLog envoyHttpAls - envoyTcpAls envoyOtelAls] should be set - rule: (has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0) - + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) - + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) - + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0) - + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0) - + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0) - + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0) - <= 1 - maxItems: 1000 - type: array - h2UpgradePolicy: - description: |- - Specify if http1.1 connections should be upgraded to http2 by default. - if sidecar is installed on all pods in the mesh, then this should be set to `UPGRADE`. - If one or more services or namespaces do not have sidecar(s), then this should be set to `DO_NOT_UPGRADE`. - It can be enabled by destination using the `destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy` override. - enum: - - DO_NOT_UPGRADE - - UPGRADE - type: string - inboundClusterStatName: - description: |- - Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for - network filters like TCP and Redis. - By default, Istio emits statistics with the pattern `inbound|||`. - For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern. - - A Pattern can be composed of various pre-defined variables. The following variables are supported. - - - `%SERVICE%` - Will be substituted with short hostname of the service. - - `%SERVICE_NAME%` - Will be substituted with name of the service. 
- - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. - - `%SERVICE_PORT%` - Will be substituted with port of the service. - - `%TARGET_PORT%` - Will be substituted with the target port of the service. - - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. - - Following are some examples of supported patterns for reviews: - - - `%SERVICE_FQDN%_%SERVICE_PORT%` will use reviews.prod.svc.cluster.local_7443 as the stats name. - - `%SERVICE%` will use reviews.prod as the stats name. - type: string - inboundTrafficPolicy: - description: |- - Set the default behavior of the sidecar for handling inbound - traffic to the application. If your application listens on - localhost, you will need to set this to `LOCALHOST`. - properties: - mode: - enum: - - PASSTHROUGH - - LOCALHOST - type: string - type: object - ingressClass: - description: |- - Class of ingress resources to be processed by Istio ingress - controller. This corresponds to the value of - `kubernetes.io/ingress.class` annotation. - type: string - ingressControllerMode: - description: |- - Defines whether to use Istio ingress controller for annotated or all ingress resources. - Default mode is `STRICT`. - enum: - - UNSPECIFIED - - "OFF" - - DEFAULT - - STRICT - type: string - ingressSelector: - description: |- - Defines which gateway deployment to use as the Ingress controller. This field corresponds to - the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. - By default, `ingressgateway` is used, which will select the default IngressGateway as it has the - `istio: ingressgateway` labels. - It is recommended that this is the same value as ingressService. - type: string - ingressService: - description: |- - Name of the Kubernetes service used for the istio ingress controller. - If no ingress controller is specified, the default value `istio-ingressgateway` is used. 
- type: string - localityLbSetting: - description: |- - Locality based load balancing distribution or failover settings. - If unspecified, locality based load balancing will be enabled by default. - However, this requires outlierDetection to actually take effect for a particular - service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/ - properties: - distribute: - description: |- - Optional: only one of distribute, failover or failoverPriority can be set. - Explicitly specify loadbalancing weight across different zones and geographical locations. - Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) - If empty, the locality weight is set according to the endpoints number within it. - items: - description: |- - Describes how traffic originating in the 'from' zone or sub-zone is - distributed over a set of 'to' zones. Syntax for specifying a zone is - {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any - segment of the specification. Examples: - - `*` - matches all localities - - `us-west/*` - all zones and sub-zones within the us-west region - - `us-west/zone-1/*` - all sub-zones within us-west/zone-1 - properties: - from: - description: Originating locality, '/' separated, - e.g. 'region/zone/sub_zone'. - type: string - to: - additionalProperties: - format: int32 - type: integer - description: |- - Map of upstream localities to traffic distribution weights. The sum of - all weights should be 100. Any locality not present will - receive no traffic. - type: object - type: object - type: array - enabled: - description: |- - enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is. 
- type: boolean - failover: - description: |- - Optional: only one of distribute, failover or failoverPriority can be set. - Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. - Should be used together with OutlierDetection to detect unhealthy endpoints. - Note: if no OutlierDetection specified, this will not take effect. - items: - description: |- - Specify the traffic failover policy across regions. Since zone and sub-zone - failover is supported by default this only needs to be specified for - regions when the operator needs to constrain traffic failover so that - the default behavior of failing over to any endpoint globally does not - apply. This is useful when failing over traffic across regions would not - improve service health or may need to be restricted for other reasons - like regulatory controls. - properties: - from: - description: Originating region. - type: string - to: - description: |- - Destination region the traffic will fail over to when endpoints in - the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: |- - failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. - This is to support traffic failover across different groups of endpoints. - Two kinds of labels can be specified: - - - Specify only label keys `[key1, key2, key3]`, istio would compare the label values of client with endpoints. - Suppose there are total N label keys `[key1, key2, key3, ...keyN]` specified: - - 1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority. - 2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority. - 3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority. - 4. All the other endpoints have priority P(N) i.e. 
lowest priority. - - - Specify labels with key and value `[key1=value1, key2=value2, key3=value3]`, istio would compare the labels with endpoints. - Suppose there are total N labels `[key1=value1, key2=value2, key3=value3, ...keyN=valueN]` specified: - - 1. Endpoints matching all N labels have priority P(0) i.e. the highest priority. - 2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority. - 3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority. - 4. All the other endpoints have priority P(N) i.e. lowest priority. - - Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match. - - It can be any label specified on both client and server workloads. - The following labels which have special semantic meaning are also supported: - - - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks. - - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`. - - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`. - - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`. - - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`. 
- - `kubernetes.io/hostname` is used to match the current node of an endpoint, which maps to Kubernetes node label `kubernetes.io/hostname`. - - The below topology config indicates the following priority levels: - - ```yaml - failoverPriority: - - "topology.istio.io/network" - - "topology.kubernetes.io/region" - - "topology.kubernetes.io/zone" - - "topology.istio.io/subzone" - ``` - - 1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority. - 2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority. - 3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority. - 4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority. - 5. all the other endpoints have the same lowest priority. - - Suppose a service associated endpoints reside in multi clusters, the below example represents: - 1. endpoints in `clusterA` and has `version=v1` label have P(0) priority. - 2. endpoints not in `clusterA` but has `version=v1` label have P(1) priority. - 2. all the other endpoints have P(2) priority. - - ```yaml - failoverPriority: - - "version=v1" - - "topology.istio.io/cluster=clusterA" - ``` - - Optional: only one of distribute, failover or failoverPriority can be set. - And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect. 
- items: - type: string - type: array - type: object - meshMTLS: - description: "The below configuration parameters can be used - to specify TLSConfig for mesh traffic.\nFor example, a user - could enable min TLS version for ISTIO_MUTUAL traffic and - specify a curve for non ISTIO_MUTUAL traffic like below:\n```yaml\nmeshConfig:\n\n\tmeshMTLS:\n\t - \ minProtocolVersion: TLSV1_3\n\ttlsDefaults:\n\t Note: - applicable only for non ISTIO_MUTUAL scenarios\n\t ecdhCurves:\n\t - \ - P-256\n\t - P-512\n\n```\nConfiguration of mTLS - for traffic between workloads with ISTIO_MUTUAL TLS traffic.\n\nNote: - Mesh mTLS does not respect ECDH curves." - properties: - cipherSuites: - description: |- - Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. - If not specified, the following cipher suites will be used: - ``` - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-GCM-SHA256 - ``` - items: - type: string - type: array - ecdhCurves: - description: |- - Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. - If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to - [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto). - items: - type: string - type: array - minProtocolVersion: - description: |- - Optional: the minimum TLS protocol version. The default minimum - TLS version will be TLS 1.2. As servers may not be Envoy and be - set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the - minimum TLS version for clients may also be TLS 1.2. - In the current Istio implementation, the maximum TLS protocol version - is TLS 1.3. 
- enum: - - TLS_AUTO - - TLSV1_2 - - TLSV1_3 - type: string - type: object - outboundClusterStatName: - description: |- - Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for - network filters like TCP and Redis. - By default, Istio emits statistics with the pattern `outbound|||`. - For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern. - - A Pattern can be composed of various pre-defined variables. The following variables are supported. - - - `%SERVICE%` - Will be substituted with short hostname of the service. - - `%SERVICE_NAME%` - Will be substituted with name of the service. - - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. - - `%SERVICE_PORT%` - Will be substituted with port of the service. - - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. - - `%SUBSET_NAME%` - Will be substituted with subset. - - Following are some examples of supported patterns for reviews: - - - `%SERVICE_FQDN%_%SERVICE_PORT%` will use `reviews.prod.svc.cluster.local_7443` as the stats name. - - `%SERVICE%` will use reviews.prod as the stats name. - type: string - outboundTrafficPolicy: - description: |- - Set the default behavior of the sidecar for handling outbound - traffic from the application. - - Can be overridden at a Sidecar level by setting the `OutboundTrafficPolicy` in the - [Sidecar API](https://istio.io/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy). - - Default mode is `ALLOW_ANY`, which means outbound traffic to unknown destinations will be allowed. - properties: - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - pathNormalization: - description: |- - ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are - normalized by the sidecars and gateways. 
- The normalized paths will be used in all aspects through the requests' lifetime on the - sidecars and gateways, which includes routing decisions in outbound direction (client proxy), - authorization policy match and enforcement in inbound direction (server proxy), and the URL - path proxied to the upstream service. - If not set, the NormalizationType.DEFAULT configuration will be used. - properties: - normalization: - enum: - - DEFAULT - - NONE - - BASE - - MERGE_SLASHES - - DECODE_AND_MERGE_SLASHES - type: string - type: object - protocolDetectionTimeout: - description: |- - Automatic protocol detection uses a set of heuristics to - determine whether the connection is using TLS or not (on the - server side), as well as the application protocol being used - (e.g., http vs tcp). These heuristics rely on the client sending - the first bits of data. For server first protocols like MySQL, - MongoDB, etc. Envoy will timeout on the protocol detection after - the specified period, defaulting to non mTLS plain TCP - traffic. Set this field to tweak the period that Envoy will wait - for the client to send the first bits of data. (MUST BE >=1ms or - 0s to disable). Default detection timeout is 0s (no timeout). - - Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit - occasionally, and when they occur the result is typically broken traffic that may not - recover on its own. Exceptionally high values might solve this, but injecting 60s delays - onto new connections is generally not tenable anyways. - type: string - proxyHttpPort: - description: Port on which Envoy should listen for HTTP PROXY - requests if set. - format: int32 - type: integer - proxyInboundListenPort: - description: |- - Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to. - Default port is 15006. 
- format: int32 - type: integer - proxyListenPort: - description: |- - Port on which Envoy should listen for all outbound traffic to other services. - Default port is 15001. - format: int32 - type: integer - rootNamespace: - description: |- - The namespace to treat as the administrative root namespace for - Istio configuration. When processing a leaf namespace Istio will search for - declarations in that namespace first and if none are found it will - search in the root namespace. Any matching declaration found in the root - namespace is processed as if it were declared in the leaf namespace. - - The precise semantics of this processing are documented on each resource - type. - type: string - serviceSettings: - description: Settings to be applied to select services. - items: - description: |- - Settings to be applied to select services. - - For example, the following configures all services in namespace "foo" as well as the - "bar" service in namespace "baz" to be considered cluster-local: - - ```yaml - serviceSettings: - - settings: - clusterLocal: true - hosts: - - "*.foo.svc.cluster.local" - - "bar.baz.svc.cluster.local" - - ``` - properties: - hosts: - description: |- - The services to which the Settings should be applied. Services are selected using the hostname - matching rules used by DestinationRule. - - For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local - items: - type: string - type: array - settings: - description: The settings to apply to the selected services. - properties: - clusterLocal: - description: |- - If true, specifies that the client and service endpoints must reside in the same cluster. - By default, in multi-cluster deployments, the Istio control plane assumes all service - endpoints to be reachable from any client in any of the clusters which are part of the - mesh. This configuration option limits the set of service endpoints visible to a client - to be cluster scoped. 
- - There are some common scenarios when this can be useful: - - - A service (or group of services) is inherently local to the cluster and has local storage - for that cluster. For example, the kube-system namespace (e.g. the Kube API Server). - - A mesh administrator wants to slowly migrate services to Istio. They might start by first - having services cluster-local and then slowly transition them to mesh-wide. They could do - this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group - (e.g. *.myns.svc.cluster.local). - - By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all - services in the kube-system namespace to be cluster-local, unless explicitly overridden here. - type: boolean - type: object - type: object - type: array - tcpKeepalive: - description: If set then set `SO_KEEPALIVE` on the socket - to enable TCP Keepalives. - properties: - interval: - description: |- - The time duration between keep-alive probes. - Default is to use the OS level configuration - (unless overridden, Linux defaults to 75s.) - type: string - probes: - description: |- - Maximum number of keepalive probes to send without response before - deciding the connection is dead. Default is to use the OS level configuration - (unless overridden, Linux defaults to 9.) - format: int32 - type: integer - time: - description: |- - The time duration a connection needs to be idle before keep-alive - probes start being sent. Default is to use the OS level configuration - (unless overridden, Linux defaults to 7200s (ie 2 hours.) - type: string - type: object - tlsDefaults: - description: |- - Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdhCurves and cipherSuites only. - For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. 
- properties: - cipherSuites: - description: |- - Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. - If not specified, the following cipher suites will be used: - ``` - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-GCM-SHA256 - ``` - items: - type: string - type: array - ecdhCurves: - description: |- - Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. - If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to - [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto). - items: - type: string - type: array - minProtocolVersion: - description: |- - Optional: the minimum TLS protocol version. The default minimum - TLS version will be TLS 1.2. As servers may not be Envoy and be - set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the - minimum TLS version for clients may also be TLS 1.2. - In the current Istio implementation, the maximum TLS protocol version - is TLS 1.3. - enum: - - TLS_AUTO - - TLSV1_2 - - TLSV1_3 - type: string - type: object - trustDomain: - description: |- - The trust domain corresponds to the trust root of a system. - Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain) - type: string - trustDomainAliases: - description: |- - The trust domain aliases represent the aliases of `trustDomain`. - For example, if we have - ```yaml - trustDomain: td1 - trustDomainAliases: ["td2", "td3"] - ``` - Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, - or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh. 
- items: - type: string - type: array - verifyCertificateAtClient: - description: |- - `VerifyCertificateAtClient` sets the mesh global default for peer certificate validation - at the client-side proxy when `SIMPLE` TLS or `MUTUAL` TLS (non `ISTIO_MUTUAL`) origination - modes are used. This setting can be overridden at the host level via DestinationRule API. - By default, `VerifyCertificateAtClient` is `true`. - - `CaCertificates`: If set, proxy verifies CA signature based on given CaCertificates. If unset, - and VerifyCertificateAtClient is true, proxy uses default System CA bundle. If unset and - `VerifyCertificateAtClient` is false, proxy will not verify the CA. - - `SubjectAltNames`: If set, proxy verifies subject alt names are present in the SAN. If unset, - and `VerifyCertificateAtClient` is true, proxy uses host in destination rule to verify the SANs. - If unset, and `VerifyCertificateAtClient` is false, proxy does not verify SANs. - - For SAN, client-side proxy will exact match host in `DestinationRule` as well as one level - wildcard if the specified host in DestinationRule doesn't contain a wildcard. - For example, if the host in `DestinationRule` is `x.y.com`, client-side proxy will - match either `x.y.com` or `*.y.com` for the SAN in the presented server certificate. - For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example, - if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches - “.x.y.com` suffix. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. - type: boolean - type: object - pilot: - description: Configuration for the Pilot component. - properties: - affinity: - description: K8s affinity to set on the Pilot Pods. - properties: - nodeAffinity: - description: Describes node affinity scheduling rules - for the pod. 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated - with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching - the corresponding nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. 
A list of node selector - terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. 
- format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, - etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - autoscaleBehavior: - description: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior - properties: - scaleDown: - description: |- - scaleDown is scaling policy for scaling Down. - If not set, the default value is to allow to scale down to minReplicas pods, with a - 300 second stabilization window (i.e., the highest recommendation for - the last 300sec is used). - properties: - policies: - description: |- - policies is a list of potential scaling polices which can be used during scaling. - At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid - items: - description: HPAScalingPolicy is a single policy - which must hold true for a specified past interval. - properties: - periodSeconds: - description: |- - periodSeconds specifies the window of time for which the policy should hold true. - PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). - format: int32 - type: integer - type: - description: type is used to specify the scaling - policy. - type: string - value: - description: |- - value contains the amount of change which is permitted by the policy. 
- It must be greater than zero - format: int32 - type: integer - required: - - periodSeconds - - type - - value - type: object - type: array - x-kubernetes-list-type: atomic - selectPolicy: - description: |- - selectPolicy is used to specify which policy should be used. - If not set, the default value Max is used. - type: string - stabilizationWindowSeconds: - description: |- - stabilizationWindowSeconds is the number of seconds for which past recommendations should be - considered while scaling up or scaling down. - StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). - If not set, use the default values: - - For scale up: 0 (i.e. no stabilization is done). - - For scale down: 300 (i.e. the stabilization window is 300 seconds long). - format: int32 - type: integer - type: object - scaleUp: - description: |- - scaleUp is scaling policy for scaling Up. - If not set, the default value is the higher of: - * increase no more than 4 pods per 60 seconds - * double the number of pods per 60 seconds - No stabilization is used. - properties: - policies: - description: |- - policies is a list of potential scaling polices which can be used during scaling. - At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid - items: - description: HPAScalingPolicy is a single policy - which must hold true for a specified past interval. - properties: - periodSeconds: - description: |- - periodSeconds specifies the window of time for which the policy should hold true. - PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). - format: int32 - type: integer - type: - description: type is used to specify the scaling - policy. - type: string - value: - description: |- - value contains the amount of change which is permitted by the policy. 
- It must be greater than zero - format: int32 - type: integer - required: - - periodSeconds - - type - - value - type: object - type: array - x-kubernetes-list-type: atomic - selectPolicy: - description: |- - selectPolicy is used to specify which policy should be used. - If not set, the default value Max is used. - type: string - stabilizationWindowSeconds: - description: |- - stabilizationWindowSeconds is the number of seconds for which past recommendations should be - considered while scaling up or scaling down. - StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). - If not set, use the default values: - - For scale up: 0 (i.e. no stabilization is done). - - For scale down: 300 (i.e. the stabilization window is 300 seconds long). - format: int32 - type: integer - type: object - type: object - autoscaleEnabled: - description: Controls whether a HorizontalPodAutoscaler is - installed for Pilot. - type: boolean - autoscaleMax: - description: Maximum number of replicas in the HorizontalPodAutoscaler - for Pilot. - format: int32 - type: integer - autoscaleMin: - description: Minimum number of replicas in the HorizontalPodAutoscaler - for Pilot. - format: int32 - type: integer - cni: - description: Configures whether to use an existing CNI installation - for workloads - properties: - enabled: - description: Controls whether CNI should be used. - type: boolean - provider: - description: |- - Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an annotation - `k8s.v1.cni.cncf.io/networks` is set on injected pods to point to a NetworkAttachmentDefinition - type: string - type: object - configMap: - description: |- - Configuration settings passed to Pilot as a ConfigMap. - - This controls whether the mesh config map, generated from values.yaml is generated. - If false, pilot wil use default values or user-supplied values, in that order of preference. 
- type: boolean - cpu: - description: |- - Target CPU utilization used in HorizontalPodAutoscaler. - - See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - targetAverageUtilization: - description: |- - K8s utilization setting for HorizontalPodAutoscaler target. - - See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - format: int32 - type: integer - type: object - deploymentLabels: - additionalProperties: - type: string - description: |- - Labels that are added to Pilot deployment. - - See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - enabled: - description: Controls whether Pilot is enabled. - type: boolean - env: - additionalProperties: - type: string - description: "Environment variables passed to the Pilot container.\n\nExamples:\nenv:\n\n\tENV_VAR_1: - value1\n\tENV_VAR_2: value2" - type: object - extraContainerArgs: - description: Additional container arguments for the Pilot - container. - items: - type: string - type: array - hub: - description: Hub to pull the container image from. Image will - be `Hub/Image:Tag-Variant`. - type: string - image: - description: |- - Image name used for Pilot. - - This can be set either to image name if hub is also set, or can be set to the full hub:name string. - - Examples: custom-pilot, docker.io/someuser:custom-pilot - type: string - ipFamilies: - description: |- - Defines which IP family to use for single stack or the order of IP families for dual-stack. - Valid list items are "IPv4", "IPv6". - More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - items: - type: string - type: array - ipFamilyPolicy: - description: |- - Controls whether Services are configured to use IPv4, IPv6, or both. Valid options - are PreferDualStack, RequireDualStack, and SingleStack. 
- More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - type: string - istiodRemote: - description: Configuration for the istio-discovery chart when - istiod is running in a remote cluster (e.g. "remote control - plane"). - properties: - enabled: - description: Indicates if this cluster/install should - consume a "remote" istiod instance, - type: boolean - injectionCABundle: - description: injector ca bundle - type: string - injectionPath: - description: Path to use for the sidecar injector webhook - service. - type: string - injectionURL: - description: URL to use for sidecar injector webhook. - type: string - type: object - jwksResolverExtraRootCA: - description: |- - Specifies an extra root certificate in PEM format. This certificate will be trusted - by pilot when resolving JWKS URIs. - type: string - keepaliveMaxServerConnectionAge: - description: |- - Maximum duration that a sidecar can be connected to a pilot. - - This setting balances out load across pilot instances, but adds some resource overhead. - - Examples: 300s, 30m, 1h - type: string - memory: - description: |- - Target memory utilization used in HorizontalPodAutoscaler. - - See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - targetAverageUtilization: - description: |- - K8s utilization setting for HorizontalPodAutoscaler target. - - See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - format: int32 - type: integer - type: object - nodeSelector: - additionalProperties: - type: string - description: |- - K8s node selector. - - See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: object - podAnnotations: - additionalProperties: - type: string - description: |- - K8s annotations for pods. 
- - See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: object - podLabels: - additionalProperties: - type: string - description: |- - Labels that are added to Pilot pods. - - See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - replicaCount: - description: |- - Number of replicas in the Pilot Deployment. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - format: int32 - type: integer - resources: - description: |- - K8s resources settings. - - See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - rollingMaxSurge: - anyOf: - - type: integer - - type: string - description: |- - K8s rolling update strategy - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - x-kubernetes-int-or-string: true - rollingMaxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The number of pods that can be unavailable during a rolling update (see - `strategy.rollingUpdate.maxUnavailable` here: - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). - May be specified as a number of pods or as a percent of the total number - of pods at the start of the update. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. 
- x-kubernetes-int-or-string: true - seccompProfile: - description: |- - The seccompProfile for the Pilot container. - - See: https://kubernetes.io/docs/tutorials/security/seccomp/ - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - serviceAccountAnnotations: - additionalProperties: - type: string - description: K8s annotations for the service account - type: object - serviceAnnotations: - additionalProperties: - type: string - description: |- - K8s annotations for the Service. - - See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - type: object - tag: - description: The container image tag to pull. Image will be - `Hub/Image:Tag-Variant`. - type: string - taint: - properties: - enabled: - description: |- - Enable the untaint controller for new nodes. This aims to solve a race for CNI installation on - new nodes. For this to work, the newly added nodes need to have the istio CNI taint as they are - added to the cluster. This is usually done by configuring the cluster infra provider. - type: boolean - namespace: - description: The namespace of the CNI daemonset, incase - it's not the same as istiod. 
- type: string - type: object - tolerations: - description: |- - The node tolerations to be applied to the Pilot deployment so that it can be - scheduled to particular nodes with matching taints. - More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: The k8s topologySpreadConstraints for the Pilot - pods. 
- items: - description: TopologySpreadConstraint specifies how to spread - matching pods among the given topology. - properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. - format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. 
- When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. 
Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. - A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - traceSampling: - description: |- - Trace sampling fraction. - - Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead. - - Allowed values: 0.0 to 1.0 - type: number - trustedZtunnelNamespace: - description: |- - If set, `istiod` will allow connections from trusted node proxy ztunnels - in the provided namespace. - type: string - variant: - description: The container image variant to pull. Options - are "debug" or "distroless". Unset will use the default - for the given version. - type: string - volumeMounts: - description: Additional volumeMounts to add to the Pilot container. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. 
- - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - volumes: - description: Additional volumes to add to the Pilot Pod. - items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: azureDisk represents an Azure Data Disk - mount on the host and bind mount to the pod. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: - None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk - in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in - the blob storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single - blob disk per storage account Managed: azure - managed data disk (only in managed availability - set). defaults to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). 
ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: azureFile represents an Azure File Service - mount on the host and bind mount to the pod. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret that - contains Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: cephFS represents a Ceph FS mount on the - host that shares a pod's lifetime - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. 
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers (Beta feature). - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing the - pod field - properties: - fieldRef: - description: 'Required: Selects a field of - the pod: only annotations, labels, name, - namespace and uid are supported.' - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. - Must be utf-8 encoded. The first item of - the relative path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. 
- The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. 
- properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over - volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. 
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource - that is attached to a kubelet's host machine and then - exposed to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target - worldwide names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - properties: - driver: - description: driver is the name of the driver to - use for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. - type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds - extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: flocker represents a Flocker volume attached - to a kubelet's host machine. 
This depends on the Flocker - control service being running - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the - specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - More info: https://examples.k8s.io/volumes/glusterfs/README.md - properties: - endpoints: - description: |- - endpoints is the endpoint name that details Glusterfs topology. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. 
This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. - A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. 
- The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. - properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. 
- More info: https://examples.k8s.io/volumes/iscsi/README.md - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support - iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI - target and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: photonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host - machine - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: portworxVolume represents a portworx volume - attached and mounted on kubelets host machine - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. - properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a - list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume - root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. 
- type: string - required: - - path - type: object - configMap: - description: configMap information about the - configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a - path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether - the ConfigMap or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about - the downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name, namespace and uid - are supported.' - properties: - apiVersion: - description: Version of the - schema the FieldPath is written - in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. The first item - of the relative path must not - start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - secret: - description: secret information about the - secret data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a - path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether - the Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. 
- type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: quobyte represents a Quobyte mount on the - host that shares a pod's lifetime - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references - an already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - More info: https://examples.k8s.io/volumes/rbd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. 
- Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: scaleIO represents a ScaleIO persistent - volume attached and mounted on Kubernetes nodes. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". 
- type: string - gateway: - description: gateway is the host address of the - ScaleIO API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the - ScaleIO Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL - communication with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage - Pool associated with the protection domain. - type: string - system: - description: system is the name of the storage system - as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. 
- type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the - Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: storageOS represents a StorageOS volume - attached and mounted on Kubernetes nodes. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. 
- Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: vsphereVolume represents a vSphere volume - attached and mounted on kubelets host machine - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated - with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy - Based Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - type: object - profile: - description: Specifies which installation configuration profile - to apply. - type: string - revision: - description: Identifies the revision this installation is associated - with. - type: string - revisionTags: - description: |- - Specifies the aliases for the Istio control plane revision. A MutatingWebhookConfiguration - is created for each alias. - items: - type: string - type: array - sidecarInjectorWebhook: - description: Configuration for the sidecar injector webhook. - properties: - alwaysInjectSelector: - description: See NeverInjectSelector. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - defaultTemplates: - description: 'defaultTemplates: ["sidecar", "hello"]' - items: - type: string - type: array - enableNamespacesByDefault: - description: Enables sidecar auto-injection in namespaces - by default. - type: boolean - injectedAnnotations: - additionalProperties: - type: string - description: |- - injectedAnnotations are additional annotations that will be added to the pod spec after injection - This is primarily to support PSP annotations. 
- type: object - injectionURL: - description: Configure the injection url for sidecar injector - webhook - type: string - neverInjectSelector: - description: |- - Instructs Istio to not inject the sidecar on those pods, based on labels that are present in those pods. - - Annotations in the pods have higher precedence than the label selectors. - Order of evaluation: Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy. - See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - reinvocationPolicy: - description: 'Setting this to `IfNeeded` will result in the - sidecar injector being run again if additional mutations - occur. Default: Never' - type: string - rewriteAppHTTPProbe: - description: If true, webhook or istioctl injector will rewrite - PodSpec for liveness health check to redirect request to - sidecar. This makes liveness check work even when mTLS is - enabled. - type: boolean - templates: - additionalProperties: - type: string - description: "Templates defines a set of custom injection - templates that can be used. For example, defining:\n\ntemplates:\n\n\thello: - |\n\t metadata:\n\t labels:\n\t hello: world\n\nThen - starting a pod with the `inject.istio.io/templates: hello` - annotation, will result in the pod\nbeing injected with - the hello=world labels.\nThis is intended for advanced configuration - only; most users should use the built in template" - type: object - type: object - telemetry: - description: Controls whether telemetry is exported for Pilot. - properties: - enabled: - description: Controls whether telemetry is exported for Pilot. - type: boolean - v2: - description: Configuration for Telemetry v2. - properties: - enabled: - description: Controls whether pilot will configure telemetry - v2. - type: boolean - prometheus: - description: Telemetry v2 settings for prometheus. - properties: - enabled: - description: Controls whether stats envoyfilter would - be enabled or not. - type: boolean - type: object - stackdriver: - description: Telemetry v2 settings for stackdriver. 
- properties: - enabled: - type: boolean - type: object - type: object - type: object - type: object - version: - default: v1.23.2 - description: |- - Defines the version of Istio to install. - Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. - enum: - - v1.23.2 - - v1.22.5 - - v1.21.6 - - latest - type: string - required: - - namespace - - version - type: object - x-kubernetes-validations: - - message: spec.values.global.istioNamespace must match spec.namespace - rule: '!has(self.values) || !has(self.values.global) || !has(self.values.global.istioNamespace) - || self.values.global.istioNamespace == self.__namespace__' - status: - description: RemoteIstioStatus defines the observed state of RemoteIstio - properties: - activeRevisionName: - description: The name of the active revision. - type: string - conditions: - description: Represents the latest available observations of the object's - current state. - items: - description: RemoteIstioCondition represents a specific observation - of the RemoteIstioCondition object's state. - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - the last transition. - type: string - reason: - description: Unique, single-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: The status of this condition. Can be True, False - or Unknown. - type: string - type: - description: The type of this condition. - type: string - type: object - type: array - observedGeneration: - description: |- - ObservedGeneration is the most recent generation observed for this - RemoteIstio object. It corresponds to the object's generation, which is - updated on mutation by the API Server. The information in the status - pertains to this particular generation of the object. 
- format: int64 - type: integer - revisions: - description: Reports information about the underlying IstioRevisions. - properties: - inUse: - description: Number of IstioRevisions that are currently in use. - format: int32 - type: integer - ready: - description: Number of IstioRevisions that are Ready. - format: int32 - type: integer - total: - description: Total number of IstioRevisions currently associated - with this Istio. - format: int32 - type: integer - required: - - inUse - - ready - - total - type: object - state: - description: Reports the current state of the object. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/chart/crds/sailoperator.io_istiocnis.yaml b/chart/crds/sailoperator.io_istiocnis.yaml index c7de57ddd..0cd39dcad 100644 --- a/chart/crds/sailoperator.io_istiocnis.yaml +++ b/chart/crds/sailoperator.io_istiocnis.yaml @@ -70,7 +70,7 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable. enum: - ambient - default @@ -80,6 +80,7 @@ spec: - openshift-ambient - openshift - preview + - remote - stable type: string values: diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml index ec6836947..5708dbe4d 100644 --- a/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/chart/crds/sailoperator.io_istiorevisions.yaml 
@@ -78,14 +78,6 @@ spec: x-kubernetes-validations: - message: Value is immutable rule: self == oldSelf - type: - default: Local - description: Type indicates whether this revision represents a local - or a remote control plane installation. - type: string - x-kubernetes-validations: - - message: Value is immutable - rule: self == oldSelf values: description: Defines the values to be passed to the Helm charts when installing Istio. @@ -9389,7 +9381,6 @@ spec: type: string required: - namespace - - type - version type: object x-kubernetes-validations: diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index 9054d6d29..51b234a6d 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -95,7 +95,7 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable. enum: - ambient - default @@ -105,6 +105,7 @@ spec: - openshift-ambient - openshift - preview + - remote - stable type: string updateStrategy: diff --git a/chart/crds/sailoperator.io_remoteistios.yaml b/chart/crds/sailoperator.io_remoteistios.yaml deleted file mode 100644 index ed5e65a39..000000000 --- a/chart/crds/sailoperator.io_remoteistios.yaml +++ /dev/null 
@@ -1,9522 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.4 - name: remoteistios.sailoperator.io -spec: - group: sailoperator.io - names: - categories: - - istio-io - kind: RemoteIstio - listKind: RemoteIstioList - plural: remoteistios - singular: remoteistio - scope: Cluster - versions: - - additionalPrinterColumns: - - description: Total number of IstioRevision objects currently associated with - this object. - jsonPath: .status.revisions.total - name: Revisions - type: string - - description: Number of revisions that are ready. - jsonPath: .status.revisions.ready - name: Ready - type: string - - description: Number of revisions that are currently being used by workloads. - jsonPath: .status.revisions.inUse - name: In use - type: string - - description: The name of the currently active revision. - jsonPath: .status.activeRevisionName - name: Active Revision - type: string - - description: The current state of the active revision. - jsonPath: .status.state - name: Status - type: string - - description: The version of the control plane installation. - jsonPath: .spec.version - name: Version - type: string - - description: The age of the object - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - RemoteIstio represents a remote Istio Service Mesh deployment consisting of one or more - remote control plane instances (represented by one or more IstioRevision objects). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - default: - namespace: istio-system - updateStrategy: - type: InPlace - version: v1.23.2 - description: RemoteIstioSpec defines the desired state of RemoteIstio - properties: - namespace: - default: istio-system - description: Namespace to which the Istio components should be installed. - type: string - profile: - description: |- - The built-in installation configuration profile to use. - The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. - enum: - - ambient - - default - - demo - - empty - - external - - openshift-ambient - - openshift - - preview - - stable - type: string - updateStrategy: - default: - type: InPlace - description: Defines the update strategy to use when the version in - the RemoteIstio CR is updated. - properties: - inactiveRevisionDeletionGracePeriodSeconds: - description: |- - Defines how many seconds the operator should wait before removing a non-active revision after all - the workloads have stopped using it. You may want to set this value on the order of minutes. - The minimum is 0 and the default value is 30. - format: int64 - minimum: 0 - type: integer - type: - default: InPlace - description: "Type of strategy to use. Can be \"InPlace\" or \"RevisionBased\". - When the \"InPlace\" strategy\nis used, the existing Istio control - plane is updated in-place. 
The workloads therefore\ndon't need - to be moved from one control plane instance to another. When - the \"RevisionBased\"\nstrategy is used, a new Istio control - plane instance is created for every change to the\nIstio.spec.version - field. The old control plane remains in place until all workloads - have\nbeen moved to the new control plane instance.\n\nThe \"InPlace\" - strategy is the default.\tTODO: change default to \"RevisionBased\"" - enum: - - InPlace - - RevisionBased - type: string - updateWorkloads: - description: |- - Defines whether the workloads should be moved from one control plane instance to another - automatically. If updateWorkloads is true, the operator moves the workloads from the old - control plane instance to the new one after the new control plane is ready. - If updateWorkloads is false, the user must move the workloads manually by updating the - istio.io/rev labels on the namespace and/or the pods. - Defaults to false. - type: boolean - type: object - values: - description: Defines the values to be passed to the Helm charts when - installing Istio. - properties: - base: - description: Configuration for the base component. - properties: - excludedCRDs: - description: CRDs to exclude. Requires `enableCRDTemplates` - items: - type: string - type: array - validationCABundle: - description: validation webhook CA bundle - type: string - validationURL: - description: URL to use for validating webhook. - type: string - type: object - compatibilityVersion: - description: |- - Specifies the compatibility version to use. When this is set, the control plane will - be configured with the same defaults as the specified version. - type: string - defaultRevision: - description: The name of the default revision in the cluster. 
- type: string - experimental: - description: Specifies experimental helm fields that could be - removed or changed in the future - x-kubernetes-preserve-unknown-fields: true - global: - description: Global configuration for Istio components. - properties: - arch: - description: "Specifies pod scheduling arch(amd64, ppc64le, - s390x, arm64) and weight as follows:\n\n\t0 - Never scheduled\n\t1 - - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: - replaced by the affinity k8s settings which allows architecture - nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/values_types.proto." - properties: - amd64: - description: Sets pod scheduling weight for amd64 arch - format: int32 - type: integer - arm64: - description: Sets pod scheduling weight for arm64 arch. - format: int32 - type: integer - ppc64le: - description: Sets pod scheduling weight for ppc64le arch. - format: int32 - type: integer - s390x: - description: Sets pod scheduling weight for s390x arch. - format: int32 - type: integer - type: object - caAddress: - description: The address of the CA for CSR. - type: string - caName: - description: |- - The name of the CA for workloads. - For example, when caName=GkeWorkloadCertificate, GKE workload certificates - will be used as the certificates for workloads. - The default value is "" and when caName="", the CA will be configured by other - mechanisms (e.g., environmental variable CA_PROVIDER). - type: string - certSigners: - description: List of certSigners to allow "approve" action - in the ClusterRole - items: - type: string - type: array - configCluster: - description: Controls whether a remote cluster is the config - cluster for an external istiod - type: boolean - configValidation: - description: Controls whether the server-side validation is - enabled. 
- type: boolean - defaultNodeSelector: - additionalProperties: - type: string - description: |- - Default k8s node selector for all the Istio control plane components - - See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: object - defaultPodDisruptionBudget: - description: Specifies the default pod disruption budget configuration. - properties: - enabled: - description: Controls whether a PodDisruptionBudget with - a default minAvailable value of 1 is created for each - deployment. - type: boolean - type: object - defaultResources: - description: |- - Default k8s resources settings for all Istio control plane components. - - See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - defaultTolerations: - description: |- - Default node tolerations to be applied to all deployments so that all pods can be - scheduled to nodes with matching taints. Each component can overwrite - these default values by adding its tolerations block in the relevant section below - and setting the desired values. - Configure this field in case that all pods of Istio control plane are expected to - be scheduled to particular nodes with specified taints. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. 
- When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - externalIstiod: - description: Controls whether one external istiod is enabled. - type: boolean - hub: - description: Specifies the docker hub for Istio images. - type: string - imagePullPolicy: - description: |- - Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. - - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images - enum: - - Always - - Never - - IfNotPresent - type: string - imagePullSecrets: - description: |- - ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace - to use for pulling any images in pods that reference this ServiceAccount. 
- Must be set for any cluster configured with private docker registry. - items: - type: string - type: array - ipFamilies: - description: |- - Defines which IP family to use for single stack or the order of IP families for dual-stack. - Valid list items are "IPv4", "IPv6". - More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - items: - type: string - type: array - ipFamilyPolicy: - description: |- - Controls whether Services are configured to use IPv4, IPv6, or both. Valid options - are PreferDualStack, RequireDualStack, and SingleStack. - More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - type: string - istioNamespace: - description: Specifies the default namespace for the Istio - control plane components. - type: string - istiod: - description: Specifies the configution of istiod - properties: - enableAnalysis: - description: If enabled, istiod will perform config analysis - type: boolean - type: object - jwtPolicy: - description: |- - Configure the policy for validating JWT. - This is deprecated and has no effect. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: string - logAsJson: - description: Specifies whether istio components should output - logs in json format by adding --log_as_json argument to - each container. - type: boolean - logging: - description: Specifies the global logging level settings for - the Istio control plane components. - properties: - level: - description: |- - Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - The control plane has different scopes depending on component, but can configure default log level across all components - If empty, default scope and level will be used as configured in code - type: string - type: object - meshID: - description: |- - The Mesh Identifier. 
It should be unique within the scope where - meshes will interact with each other, but it is not required to be - globally/universally unique. For example, if any of the following are true, - then two meshes must have different Mesh IDs: - - Meshes will have their telemetry aggregated in one place - - Meshes will be federated together - - Policy will be written referencing one mesh from the other - - If an administrator expects that any of these conditions may become true in - the future, they should ensure their meshes have different Mesh IDs - assigned. - - Within a multicluster mesh, each cluster must be (manually or auto) - configured to have the same Mesh ID value. If an existing cluster 'joins' a - multicluster mesh, it will need to be migrated to the new mesh ID. Details - of migration TBD, and it may be a disruptive operation to change the Mesh - ID post-install. - - If the mesh admin does not specify a value, Istio will use the value of the - mesh's Trust Domain. The best practice is to select a proper Trust Domain - value. - type: string - meshNetworks: - additionalProperties: - description: |- - Network provides information about the endpoints in a routable L3 - network. A single routable L3 network can have one or more service - registries. Note that the network has no relation to the locality of the - endpoint. The endpoint locality will be obtained from the service - registry. - properties: - endpoints: - description: |- - The list of endpoints in the network (obtained through the - constituent service registries or from CIDR ranges). All endpoints in - the network are directly accessible to one another. - items: - description: "NetworkEndpoints describes how the network - associated with an endpoint\nshould be inferred. - An endpoint will be assigned to a network based - on\nthe following rules:\n\n1. Implicitly: If the - registry explicitly provides information about\nthe - network to which the endpoint belongs to. 
In some - cases, its\npossible to indicate the network associated - with the endpoint by\nadding the `ISTIO_META_NETWORK` - environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. - By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"fromRegistry\" can only be - assigned to a\n\tsingle network.\n\n\tb. By matching - the IP against one of the CIDR ranges in a mesh\n\tconfig - network. The CIDR ranges must not overlap and be - assigned to\n\ta single network.\n\n(2) will override - (1) if both are present." - properties: - fromCidr: - description: |- - A CIDR range for the set of endpoints in this network. The CIDR - ranges for endpoints from different networks must not overlap. - type: string - fromRegistry: - description: |- - Add all endpoints from the specified registry into this network. - The names of the registries should correspond to the kubeconfig file name - inside the secret that was used to configure the registry (Kubernetes - multicluster) or supplied by MCP server. - type: string - type: object - x-kubernetes-validations: - - message: At most one of [fromCidr fromRegistry] - should be set - rule: (has(self.fromCidr)?1:0) + (has(self.fromRegistry)?1:0) - <= 1 - type: array - gateways: - description: Set of gateways associated with the network. - items: - description: |- - The gateway associated with this network. Traffic from remote networks - will arrive at the specified gateway:port. All incoming traffic must - use mTLS. - properties: - address: - description: IP address or externally resolvable - DNS address associated with the gateway. - type: string - locality: - description: The locality associated with an explicitly - specified gateway (i.e. ip) - type: string - port: - format: int32 - type: integer - registryServiceName: - description: |- - A fully qualified domain name of the gateway service. 
Pilot will - lookup the service from the service registries in the network and - obtain the endpoint IPs of the gateway from the service - registry. Note that while the service name is a fully qualified - domain name, it need not be resolvable outside the orchestration - platform for the registry. e.g., this could be - istio-ingressgateway.istio-system.svc.cluster.local. - type: string - type: object - x-kubernetes-validations: - - message: At most one of [registryServiceName address] - should be set - rule: (has(self.registryServiceName)?1:0) + (has(self.address)?1:0) - <= 1 - type: array - type: object - description: "Configure the mesh networks to be used by the - Split Horizon EDS.\n\nThe following example defines two - networks with different endpoints association methods.\nFor - `network1` all endpoints that their IP belongs to the provided - CIDR range will be\nmapped to network1. The gateway for - this network example is specified by its public IP\naddress - and port.\nThe second network, `network2`, in this example - is defined differently with all endpoints\nretrieved through - the specified Multi-Cluster registry being mapped to network2. - The\ngateway is also defined differently with the name of - the gateway service on the remote\ncluster. The public IP - for the gateway will be determined from that remote service - (only\nLoadBalancer gateway service type is currently supported, - for a NodePort type gateway service,\nit still need to be - configured manually).\n\nmeshNetworks:\n\n\tnetwork1:\n\t - \ endpoints:\n\t - fromCidr: \"192.168.0.1/24\"\n\t gateways:\n\t - \ - address: 1.1.1.1\n\t port: 80\n\tnetwork2:\n\t endpoints:\n\t - \ - fromRegistry: reg1\n\t gateways:\n\t - registryServiceName: - istio-ingressgateway.istio-system.svc.cluster.local\n\t - \ port: 443" - type: object - mountMtlsCerts: - description: Controls whether the in-cluster MTLS key and - certs are loaded from the secret volume mounts. 
- type: boolean - multiCluster: - description: Specifies the Configuration for Istio mesh across - multiple clusters through Istio gateways. - properties: - clusterName: - description: |- - The name of the cluster this installation will run in. This is required for sidecar injection - to properly label proxies - type: string - enabled: - description: |- - Enables the connection between two kubernetes clusters via their respective ingressgateway services. - Use if the pods in each cluster cannot directly talk to one another. - type: boolean - globalDomainSuffix: - description: The suffix for global service names. - type: string - includeEnvoyFilter: - description: Enable envoy filter to translate `globalDomainSuffix` - to cluster local suffix for cross cluster communication. - type: boolean - type: object - network: - description: |- - Network defines the network this cluster belong to. This name - corresponds to the networks in the map of mesh networks. - type: string - omitSidecarInjectorConfigMap: - description: |- - Controls whether the creation of the sidecar injector ConfigMap should be skipped. - Defaults to false. When set to true, the sidecar injector ConfigMap will not be created. - type: boolean - operatorManageWebhooks: - description: |- - Controls whether the WebhookConfiguration resource(s) should be created. The current behavior - of Istiod is to manage its own webhook configurations. - When this option is set to true, Istio Operator, instead of webhooks, manages the - webhook configurations. When this option is set as false, webhooks manage their - own webhook configurations. - type: boolean - pilotCertProvider: - description: |- - Configure the Pilot certificate provider. - Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none". - type: string - platform: - description: |- - Platform in which Istio is deployed. 
Possible values are: "openshift" and "gcp" - An empty value means it is a vanilla Kubernetes distribution, therefore no special - treatment will be considered. - type: string - podDNSSearchNamespaces: - description: |- - Custom DNS config for the pod to resolve names of services in other - clusters. Use this to add additional search domains, and other settings. - see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - This does not apply to gateway pods as they typically need a different - set of DNS settings than the normal application pods (e.g. in multicluster scenarios). - items: - type: string - type: array - priorityClassName: - description: |- - Specifies the k8s priorityClassName for the istio control plane components. - - See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: string - proxy: - description: Specifies how proxies are configured within Istio. - properties: - autoInject: - description: Controls the 'policy' in the sidecar injector. - type: string - clusterDomain: - description: |- - Domain for the cluster, default: "cluster.local". - - K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ - type: string - componentLogLevel: - description: |- - Per Component log level for proxy, applies to gateways and sidecars. - - If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used. - type: string - enableCoreDump: - description: |- - Enables core dumps for newly injected sidecars. - - If set, newly injected sidecars will have core dumps enabled. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: boolean - excludeIPRanges: - description: Lists the excluded IP ranges of Istio egress - traffic that the sidecar captures. 
- type: string - excludeInboundPorts: - description: Specifies the Istio ingress ports not to - capture. - type: string - excludeOutboundPorts: - description: A comma separated list of outbound ports - to be excluded from redirection to Envoy. - type: string - holdApplicationUntilProxyStarts: - description: |- - Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready - - Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: boolean - image: - description: |- - Image name or path for the proxy, default: "proxyv2". - - If registry or tag are not specified, global.hub and global.tag are used. - - Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0 - type: string - includeIPRanges: - description: |- - Lists the IP ranges of Istio egress traffic that the sidecar captures. - - Example: "172.30.0.0/16,172.20.0.0/16" - This would only capture egress traffic on those two IP Ranges, all other outbound traffic would # be allowed by the sidecar." - type: string - includeInboundPorts: - description: |- - A comma separated list of inbound ports for which traffic is to be redirected to Envoy. - The wildcard character '*' can be used to configure redirection for all ports. - type: string - includeOutboundPorts: - description: A comma separated list of outbound ports - for which traffic is to be redirected to Envoy, regardless - of the destination IP. - type: string - lifecycle: - description: |- - The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - postStart: - description: |- - PostStart is called immediately after a container is created. 
If the handler fails, - the container is terminated and restarted according to its restart policy. - Other management of the container blocks until the hook completes. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies the action to take. - properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents the duration that - the container should sleep before being terminated. - properties: - seconds: - description: Seconds is the number of seconds - to sleep. - format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for the backward compatibility. There are no validation of this field and - lifecycle hooks will fail in runtime when tcp handler is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - preStop: - description: |- - PreStop is called immediately before a container is terminated due to an - API request or management event such as liveness/startup probe failure, - preemption, resource contention, etc. The handler is not called if the - container crashes or exits. The Pod's termination grace period countdown begins before the - PreStop hook is executed. Regardless of the outcome of the handler, the - container will eventually terminate within the Pod's termination grace - period (unless delayed by finalizers). Other management of the container blocks until the hook completes - or until the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks - properties: - exec: - description: Exec specifies the action to take. 
- properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - httpGet: - description: HTTPGet specifies the http request - to perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom - header to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - sleep: - description: Sleep represents the duration that - the container should sleep before being terminated. - properties: - seconds: - description: Seconds is the number of seconds - to sleep. 
- format: int64 - type: integer - required: - - seconds - type: object - tcpSocket: - description: |- - Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept - for the backward compatibility. There are no validation of this field and - lifecycle hooks will fail in runtime when tcp handler is specified. - properties: - host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - type: object - type: object - logLevel: - description: 'Log level for proxy, applies to gateways - and sidecars. If left empty, "warning" is used. Expected - values are: trace\|debug\|info\|warning\|error\|critical\|off' - type: string - outlierLogPath: - description: |- - Path to the file to which the proxy will write outlier detection logs. - - Example: "/dev/stdout" - This would write the logs to standard output. - type: string - privileged: - description: |- - Enables privileged securityContext for the istio-proxy container. - - See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - type: boolean - readinessFailureThreshold: - description: Sets the number of successive failed probes - before indicating readiness failure. - format: int32 - type: integer - readinessInitialDelaySeconds: - description: Sets the initial delay for readiness probes - in seconds. - format: int32 - type: integer - readinessPeriodSeconds: - description: Sets the interval between readiness probes - in seconds. - format: int32 - type: integer - resources: - description: |- - K8s resources settings. 
- - See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry - in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - startupProbe: - description: Configures the startup probe for the istio-proxy - container. - properties: - enabled: - description: |- - Enables or disables a startup probe. - For optimal startup times, changing this should be tied to the readiness probe values. - - If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - and doesn't spam the readiness endpoint too much - - If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - type: boolean - failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - format: int32 - type: integer - type: object - statusPort: - description: Default port used for the Pilot agent's health - checks. - format: int32 - type: integer - tracer: - description: |- - Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. - If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - enum: - - zipkin - - lightstep - - datadog - - stackdriver - - openCensusAgent - - none - type: string - type: object - proxy_init: - description: Specifies the Configuration for proxy_init container - which sets the pods' networking to intercept the inbound/outbound - traffic. - properties: - image: - description: Specifies the image for the proxy_init container. 
- type: string - resources: - description: |- - K8s resources settings. - - See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry - in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. 
- If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - type: object - remotePilotAddress: - description: Specifies the Istio control plane’s pilot Pod - IP address or remote cluster DNS resolvable hostname. - type: string - revision: - description: Configures the revision this control plane is - a part of - type: string - sds: - description: Specifies the Configuration for the SecretDiscoveryService - instead of using K8S secrets to mount the certificates. - properties: - token: - description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' - properties: - aud: - type: string - type: object - type: object - sts: - description: Specifies the configuration for Security Token - Service. - properties: - servicePort: - format: int32 - type: integer - type: object - tag: - description: Specifies the tag for the Istio docker images. - type: string - tracer: - description: Specifies the Configuration for each of the supported - tracers. - properties: - datadog: - description: Configuration for the datadog tracing service. - properties: - address: - description: Address in host:port format for reporting - trace data to the Datadog agent. - type: string - type: object - lightstep: - description: Configuration for the lightstep tracing service. - properties: - accessToken: - description: Sets the lightstep access token. - type: string - address: - description: Sets the lightstep satellite pool address - in host:port format for reporting trace data. - type: string - type: object - stackdriver: - description: Configuration for the stackdriver tracing - service. - properties: - debug: - description: enables trace output to stdout. 
- type: boolean - maxNumberOfAnnotations: - description: The global default max number of annotation - events per span. - format: int32 - type: integer - maxNumberOfAttributes: - description: The global default max number of attributes - per span. - format: int32 - type: integer - maxNumberOfMessageEvents: - description: The global default max number of message - events per span. - format: int32 - type: integer - type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. - - Example: .:941 - type: string - type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: - affinity: - description: |- - K8s affinity settings for waypoint pods. - - See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - properties: - nodeAffinity: - description: Describes node affinity scheduling rules - for the pod. - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. 
- items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated - with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector - requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that - the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector - requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that - the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. 
If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching - the corresponding nodeSelectorTerm, in - the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector - terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector - requirements by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that - the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. 
Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector - requirements by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that - the selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules - (e.g. co-locate this pod in the same node, zone, - etc. as some other pod(s)). 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched - WeightedPodAffinityTerm fields are added per-node - to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
- Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling - rules (e.g. avoid putting this pod in the same node, - zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched - WeightedPodAffinityTerm fields are added per-node - to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is - a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. 
- format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - nodeSelector: - description: |- - K8s node labels settings. - - See https://kubernetes.io/docs/user-guide/node-selection/ - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. - The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. 
- type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the selector - applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - resources: - description: |- - K8s resource settings. - - See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry - in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. 
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - toleration: - description: |- - K8s tolerations settings. - - See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: |- - K8s topology spread constraints settings. - - See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - items: - description: TopologySpreadConstraint specifies how - to spread matching pods among the given topology. - properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. 
- | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. - format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. - When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. 
Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. 
- A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - type: object - type: object - istiodRemote: - description: |- - Configuration for istiod-remote. - DEPRECATED - istiod-remote chart is removed and replaced with - `istio-discovery --set values.istiodRemote.enabled=true` - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - enabled: - description: Indicates if this cluster/install should consume - a "remote" istiod instance, - type: boolean - injectionCABundle: - description: injector ca bundle - type: string - injectionPath: - description: Path to use for the sidecar injector webhook - service. - type: string - injectionURL: - description: URL to use for sidecar injector webhook. - type: string - type: object - meshConfig: - description: |- - Defines runtime configuration of components, including Istiod and istio-agent behavior. - See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options. - properties: - accessLogEncoding: - description: |- - Encoding for the proxy access log (`TEXT` or `JSON`). - Default value is `TEXT`. - enum: - - TEXT - - JSON - type: string - accessLogFile: - description: |- - File address for the proxy access log (e.g. /dev/stdout). - Empty value disables access logging. 
- type: string - accessLogFormat: - description: |- - Format for the proxy access log - Empty value results in proxy's default access log format - type: string - ca: - description: |- - If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA - using the Istio CA gRPC API. - properties: - address: - description: |- - REQUIRED. Address of the CA server implementing the Istio CA gRPC API. - Can be IP address or a fully qualified DNS name with port - Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000 - type: string - istiodSide: - description: |- - Use istiodSide to specify CA Server integrate to Istiod side or Agent side - Default: true - type: boolean - requestTimeout: - description: |- - timeout for forward CSR requests from Istiod to External CA - Default: 10s - type: string - tlsSettings: - description: |- - Use the tlsSettings to specify the tls mode to use. - Regarding tlsSettings: - - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. - DISABLE MODE can also be used for testing - - TLS MUTUAL MODE be on by default. If the CA certificates - (cert bundle to verify the CA server's certificate) is omitted, Istiod will - use the system root certs to verify the CA server's certificate. - properties: - caCertificates: - description: |- - OPTIONAL: The path to the file containing certificate authority - certificates to use in verifying a presented server certificate. If - omitted, the proxy will verify the server's certificate using - the OS CA certificates. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - caCrl: - description: |- - OPTIONAL: The path to the file containing the certificate revocation list (CRL) - to use in verifying a presented server certificate. `CRL` is a list of certificates - that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. 
- If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, - `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. - type: string - clientCertificate: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client-side TLS certificate to use. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - credentialName: - description: |- - The name of the secret that holds the TLS certs for the - client including the CA certificates. This secret must exist in - the namespace of the proxy using the certificates. - An Opaque secret should contain the following keys and values: - `key: `, `cert: `, `cacert: `, - `crl: ` - Here CACertificate is used to verify the server certificate. - For mutual TLS, `cacert: ` can be provided in the - same secret or a separate secret named `-cacert`. - A TLS secret for client certificates with an additional - `ca.crt` key for CA certificates and `ca.crl` key for - certificate revocation list(CRL) is also supported. - Only one of client certificates and CA certificate - or credentialName can be specified. - - **NOTE:** This field is applicable at sidecars only if - `DestinationRule` has a `workloadSelector` specified. - Otherwise the field will be applicable only at gateways, and - sidecars will continue to use the certificate paths. - type: string - insecureSkipVerify: - description: |- - `insecureSkipVerify` specifies whether the proxy should skip verifying the - CA signature and SAN for the server certificate corresponding to the host. - The default value of this field is false. - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured - using TLS. The value of this field determines how TLS is enforced. 
- enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client's private key. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - sni: - description: |- - SNI string to present to the server during TLS handshake. - If unspecified, SNI will be automatically set based on downstream HTTP - host/authority header for SIMPLE and MUTUAL TLS modes. - type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate. If specified, the proxy will verify that the server - certificate's subject alt name matches one of the specified values. - If specified, this list overrides the value of subject_alt_names - from the ServiceEntry. If unspecified, automatic validation of upstream - presented certificate for new upstream connections will be done based on the - downstream HTTP host/authority header. - items: - type: string - type: array - type: object - required: - - address - type: object - caCertificates: - description: |- - The extra root certificates for workload-to-workload communication. - The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) - are automatically added by Istiod. - The CA certificate that signs the workload certificates is automatically added by Istio Agent. - items: - properties: - certSigners: - description: |- - when Istiod is acting as RA(registration authority) - If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers. - items: - type: string - type: array - pem: - description: The PEM data of the certificate. 
- type: string - spiffeBundleUrl: - description: |- - The SPIFFE bundle endpoint URL that complies to: - https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle - The endpoint should support authentication based on Web PKI: - https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki - The certificate is retrieved from the endpoint. - type: string - trustDomains: - description: |- - Optional. Specify the list of trust domains to which this trustAnchor data belongs. - If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain - and its aliases. - Note that we can have multiple trustAnchor data for a same trustDomain. - In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. - If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. - If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. - If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. - items: - type: string - type: array - type: object - x-kubernetes-validations: - - message: At most one of [pem spiffeBundleUrl] should be - set - rule: (has(self.pem)?1:0) + (has(self.spiffeBundleUrl)?1:0) - <= 1 - type: array - certificates: - description: |- - Configure the provision of certificates. - - Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. 
- items: - description: "Certificate configures the provision of a - certificate and its key.\nExample 1: key and cert stored - in a secret\n```\n{ secretName: galley-cert\n\n\t secretNamespace: - istio-system\n\t dnsNames:\n\t - galley.istio-system.svc\n\t - \ - galley.mydomain.com\n\t}\n\n```\nExample 2: key - and cert stored in a directory\n```\n{ dnsNames:\n - - pilot.istio-system\n - pilot.istio-system.svc\n - pilot.mydomain.com\n - \ }\n\n```" - properties: - dnsNames: - description: |- - The DNS names for the certificate. A certificate may contain - multiple DNS names. - items: - type: string - type: array - secretName: - description: |- - Name of the secret the certificate and its key will be stored into. - If it is empty, it will not be stored into a secret. - Instead, the certificate and its key will be stored into a hard-coded directory. - type: string - type: object - type: array - configSources: - description: |- - ConfigSource describes a source of configuration data for networking - rules, and other Istio configuration artifacts. Multiple data sources - can be configured for a single control plane. - items: - description: |- - ConfigSource describes information about a configuration store inside a - mesh. A single control plane instance can interact with one or more data - sources. - properties: - address: - description: |- - Address of the server implementing the Istio Mesh Configuration - protocol (MCP). Can be IP address or a fully qualified DNS name. - Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or - fs:/// to specify a file-based backend with absolute path to the directory. 
- type: string - subscribedResources: - description: Describes the source of configuration, - if nothing is specified default is MCP - items: - description: Resource describes the source of configuration - enum: - - SERVICE_REGISTRY - type: string - type: array - tlsSettings: - description: |- - Use the tlsSettings to specify the tls mode to use. If the MCP server - uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS - mode as `ISTIO_MUTUAL`. - properties: - caCertificates: - description: |- - OPTIONAL: The path to the file containing certificate authority - certificates to use in verifying a presented server certificate. If - omitted, the proxy will verify the server's certificate using - the OS CA certificates. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - caCrl: - description: |- - OPTIONAL: The path to the file containing the certificate revocation list (CRL) - to use in verifying a presented server certificate. `CRL` is a list of certificates - that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. - If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, - `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. - type: string - clientCertificate: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client-side TLS certificate to use. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - credentialName: - description: |- - The name of the secret that holds the TLS certs for the - client including the CA certificates. This secret must exist in - the namespace of the proxy using the certificates. 
- An Opaque secret should contain the following keys and values: - `key: `, `cert: `, `cacert: `, - `crl: ` - Here CACertificate is used to verify the server certificate. - For mutual TLS, `cacert: ` can be provided in the - same secret or a separate secret named `-cacert`. - A TLS secret for client certificates with an additional - `ca.crt` key for CA certificates and `ca.crl` key for - certificate revocation list(CRL) is also supported. - Only one of client certificates and CA certificate - or credentialName can be specified. - - **NOTE:** This field is applicable at sidecars only if - `DestinationRule` has a `workloadSelector` specified. - Otherwise the field will be applicable only at gateways, and - sidecars will continue to use the certificate paths. - type: string - insecureSkipVerify: - description: |- - `insecureSkipVerify` specifies whether the proxy should skip verifying the - CA signature and SAN for the server certificate corresponding to the host. - The default value of this field is false. - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured - using TLS. The value of this field determines how TLS is enforced. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client's private key. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - sni: - description: |- - SNI string to present to the server during TLS handshake. - If unspecified, SNI will be automatically set based on downstream HTTP - host/authority header for SIMPLE and MUTUAL TLS modes. - type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate. If specified, the proxy will verify that the server - certificate's subject alt name matches one of the specified values. 
- If specified, this list overrides the value of subject_alt_names - from the ServiceEntry. If unspecified, automatic validation of upstream - presented certificate for new upstream connections will be done based on the - downstream HTTP host/authority header. - items: - type: string - type: array - type: object - type: object - type: array - connectTimeout: - description: |- - Connection timeout used by Envoy. (MUST BE >=1ms) - Default timeout is 10s. - type: string - defaultConfig: - description: |- - Default proxy config used by gateway and sidecars. - In case of Kubernetes, the proxy config is applied once during the injection process, - and remain constant for the duration of the pod. The rest of the mesh config can be changed - at runtime and config gets distributed dynamically. - On Kubernetes, this can be overridden on individual pods with the `proxy.istio.io/config` annotation. - properties: - availabilityZone: - description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' - type: string - binaryPath: - description: Path to the proxy binary - type: string - caCertificatesPem: - description: |- - The PEM data of the extra root certificates for workload-to-workload communication. - This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. - The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) - are added automatically by Istiod. - items: - type: string - type: array - concurrency: - description: |- - The number of worker threads to run. - If unset, which is recommended, this will be automatically determined based on CPU requests/limits. - If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance - issues if CPU limits are also set. - format: int32 - type: integer - configPath: - description: |- - Path to the generated configuration file directory. 
- Proxy agent generates the actual configuration and stores it in this directory. - type: string - controlPlaneAuthPolicy: - description: |- - AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. - Default is set to `MUTUAL_TLS`. - enum: - - NONE - - MUTUAL_TLS - - INHERIT - type: string - customConfigFile: - description: |- - File path of custom proxy configuration, currently used by proxies - in front of Mixer and Pilot. - type: string - discoveryAddress: - description: |- - Address of the discovery service exposing xDS with mTLS connection. - The inject configuration may override this value. - type: string - discoveryRefreshDelay: - description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' - type: string - drainDuration: - description: |- - restart. MUST be >=1s (e.g., _1s/1m/1h_) - Default drain duration is `45s`. - type: string - envoyAccessLogService: - description: |- - Address of the service to which access logs from Envoys should be - sent. (e.g. `accesslog-service:15000`). See [Access Log - Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto) - for details about Envoy's gRPC Access Log Service API. - properties: - address: - description: |- - Address of a remove service used for various purposes (access log - receiver, metrics receiver, etc.). Can be IP address or a fully - qualified DNS name. - type: string - tcpKeepalive: - description: If set then set `SO_KEEPALIVE` on the - socket to enable TCP Keepalives. - properties: - interval: - description: |- - The time duration between keep-alive probes. - Default is to use the OS level configuration - (unless overridden, Linux defaults to 75s.) - type: string - probes: - description: |- - Maximum number of keepalive probes to send without response before - deciding the connection is dead. Default is to use the OS level configuration - (unless overridden, Linux defaults to 9.) 
- format: int32 - type: integer - time: - description: |- - The time duration a connection needs to be idle before keep-alive - probes start being sent. Default is to use the OS level configuration - (unless overridden, Linux defaults to 7200s (ie 2 hours.) - type: string - type: object - tlsSettings: - description: |- - Use the `tlsSettings` to specify the tls mode to use. If the remote service - uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS - mode as `ISTIO_MUTUAL`. - properties: - caCertificates: - description: |- - OPTIONAL: The path to the file containing certificate authority - certificates to use in verifying a presented server certificate. If - omitted, the proxy will verify the server's certificate using - the OS CA certificates. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - caCrl: - description: |- - OPTIONAL: The path to the file containing the certificate revocation list (CRL) - to use in verifying a presented server certificate. `CRL` is a list of certificates - that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. - If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, - `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. - type: string - clientCertificate: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client-side TLS certificate to use. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - credentialName: - description: |- - The name of the secret that holds the TLS certs for the - client including the CA certificates. This secret must exist in - the namespace of the proxy using the certificates. 
- An Opaque secret should contain the following keys and values: - `key: `, `cert: `, `cacert: `, - `crl: ` - Here CACertificate is used to verify the server certificate. - For mutual TLS, `cacert: ` can be provided in the - same secret or a separate secret named `-cacert`. - A TLS secret for client certificates with an additional - `ca.crt` key for CA certificates and `ca.crl` key for - certificate revocation list(CRL) is also supported. - Only one of client certificates and CA certificate - or credentialName can be specified. - - **NOTE:** This field is applicable at sidecars only if - `DestinationRule` has a `workloadSelector` specified. - Otherwise the field will be applicable only at gateways, and - sidecars will continue to use the certificate paths. - type: string - insecureSkipVerify: - description: |- - `insecureSkipVerify` specifies whether the proxy should skip verifying the - CA signature and SAN for the server certificate corresponding to the host. - The default value of this field is false. - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured - using TLS. The value of this field determines how TLS is enforced. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client's private key. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - sni: - description: |- - SNI string to present to the server during TLS handshake. - If unspecified, SNI will be automatically set based on downstream HTTP - host/authority header for SIMPLE and MUTUAL TLS modes. - type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate. If specified, the proxy will verify that the server - certificate's subject alt name matches one of the specified values. 
- If specified, this list overrides the value of subject_alt_names - from the ServiceEntry. If unspecified, automatic validation of upstream - presented certificate for new upstream connections will be done based on the - downstream HTTP host/authority header. - items: - type: string - type: array - type: object - type: object - envoyMetricsService: - description: |- - Address of the Envoy Metrics Service implementation (e.g. `metrics-service:15000`). - See [Metric Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto) - for details about Envoy's Metrics Service API. - properties: - address: - description: |- - Address of a remove service used for various purposes (access log - receiver, metrics receiver, etc.). Can be IP address or a fully - qualified DNS name. - type: string - tcpKeepalive: - description: If set then set `SO_KEEPALIVE` on the - socket to enable TCP Keepalives. - properties: - interval: - description: |- - The time duration between keep-alive probes. - Default is to use the OS level configuration - (unless overridden, Linux defaults to 75s.) - type: string - probes: - description: |- - Maximum number of keepalive probes to send without response before - deciding the connection is dead. Default is to use the OS level configuration - (unless overridden, Linux defaults to 9.) - format: int32 - type: integer - time: - description: |- - The time duration a connection needs to be idle before keep-alive - probes start being sent. Default is to use the OS level configuration - (unless overridden, Linux defaults to 7200s (ie 2 hours.) - type: string - type: object - tlsSettings: - description: |- - Use the `tlsSettings` to specify the tls mode to use. If the remote service - uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS - mode as `ISTIO_MUTUAL`. 
- properties: - caCertificates: - description: |- - OPTIONAL: The path to the file containing certificate authority - certificates to use in verifying a presented server certificate. If - omitted, the proxy will verify the server's certificate using - the OS CA certificates. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - caCrl: - description: |- - OPTIONAL: The path to the file containing the certificate revocation list (CRL) - to use in verifying a presented server certificate. `CRL` is a list of certificates - that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. - If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, - `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. - type: string - clientCertificate: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client-side TLS certificate to use. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - credentialName: - description: |- - The name of the secret that holds the TLS certs for the - client including the CA certificates. This secret must exist in - the namespace of the proxy using the certificates. - An Opaque secret should contain the following keys and values: - `key: `, `cert: `, `cacert: `, - `crl: ` - Here CACertificate is used to verify the server certificate. - For mutual TLS, `cacert: ` can be provided in the - same secret or a separate secret named `-cacert`. - A TLS secret for client certificates with an additional - `ca.crt` key for CA certificates and `ca.crl` key for - certificate revocation list(CRL) is also supported. - Only one of client certificates and CA certificate - or credentialName can be specified. 
- - **NOTE:** This field is applicable at sidecars only if - `DestinationRule` has a `workloadSelector` specified. - Otherwise the field will be applicable only at gateways, and - sidecars will continue to use the certificate paths. - type: string - insecureSkipVerify: - description: |- - `insecureSkipVerify` specifies whether the proxy should skip verifying the - CA signature and SAN for the server certificate corresponding to the host. - The default value of this field is false. - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured - using TLS. The value of this field determines how TLS is enforced. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client's private key. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - sni: - description: |- - SNI string to present to the server during TLS handshake. - If unspecified, SNI will be automatically set based on downstream HTTP - host/authority header for SIMPLE and MUTUAL TLS modes. - type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate. If specified, the proxy will verify that the server - certificate's subject alt name matches one of the specified values. - If specified, this list overrides the value of subject_alt_names - from the ServiceEntry. If unspecified, automatic validation of upstream - presented certificate for new upstream connections will be done based on the - downstream HTTP host/authority header. - items: - type: string - type: array - type: object - type: object - envoyMetricsServiceAddress: - description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' - type: string - extraStatTags: - description: |- - An additional list of tags to extract from the in-proxy Istio telemetry. 
These extra tags can be - added by configuring the telemetry extension. Each additional tag needs to be present in this list. - Extra tags emitted by the telemetry extensions must be listed here so that they can be processed - and exposed as Prometheus metrics. - Deprecated: `istio.stats` is a native filter now, this field is no longer needed. - items: - type: string - type: array - gatewayTopology: - description: |- - Topology encapsulates the configuration which describes where the proxy is - located i.e. behind a (or N) trusted proxy (proxies) or directly exposed - to the internet. This configuration only effects gateways and is applied - to all the gateways in the cluster unless overridden via annotations of the - gateway workloads. - properties: - forwardClientCertDetails: - description: |- - Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) - header in the incoming request. - enum: - - UNDEFINED - - SANITIZE - - FORWARD_ONLY - - APPEND_FORWARD - - SANITIZE_SET - - ALWAYS_FORWARD_ONLY - type: string - numTrustedProxies: - description: |- - Number of trusted proxies deployed in front of the Istio gateway proxy. - When this option is set to value N greater than zero, the trusted client - address is assumed to be the Nth address from the right end of the - X-Forwarded-For (XFF) header from the incoming request. If the - X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the - gateway proxy falls back to using the immediate downstream connection's - source address as the trusted client address. - Note that the gateway proxy will append the downstream connection's source - address to the X-Forwarded-For (XFF) address and set the - X-Envoy-External-Address header to the trusted client address before - forwarding it to the upstream services in the cluster. - The default value of numTrustedProxies is 0. 
- See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) - header handling for more details. - format: int32 - type: integer - proxyProtocol: - description: |- - Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for - downstream connections on a gateway. - type: object - type: object - holdApplicationUntilProxyStarts: - description: |- - Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. - This feature adds hooks to delay application startup until the pod proxy - is ready to accept traffic, mitigating some startup race conditions. - Default value is 'false'. - type: boolean - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: |- - The image type of the image. - Istio publishes default, debug, and distroless images. - Other values are allowed if those image types (example: centos) are published to the specified hub. - supported values: default, debug, distroless. - type: string - type: object - interceptionMode: - description: The mode used to redirect inbound traffic - to Envoy. - enum: - - REDIRECT - - TPROXY - - NONE - type: string - meshId: - description: |- - The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) - All control planes running in the same service mesh should specify the same mesh ID. - Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together. - type: string - privateKeyProvider: - description: Specifies the details of the Private Key - Provider configuration for gateway and sidecar proxies. - properties: - cryptomb: - description: Use CryptoMb private key provider - properties: - fallback: - description: |- - If the private key provider isn’t available (eg. 
the required hardware capability doesn’t existed) - Envoy will fallback to the BoringSSL default implementation when the fallback is true. - The default value is false. - type: boolean - pollDelay: - description: |- - How long to wait until the per-thread processing queue should be processed. If the processing queue - gets full (eight sign or decrypt requests are received) it is processed immediately. - However, if the queue is not filled before the delay has expired, the requests already in the queue - are processed, even if the queue is not full. - In effect, this value controls the balance between latency and throughput. - The duration needs to be set to a value greater than or equal to 1 millisecond. - type: string - type: object - qat: - description: Use QAT private key provider - properties: - fallback: - description: |- - If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) - Envoy will fallback to the BoringSSL default implementation when the fallback is true. - The default value is false. - type: boolean - pollDelay: - description: |- - How long to wait before polling the hardware accelerator after a request has been submitted there. - Having a small value leads to quicker answers from the hardware but causes more polling loop spins, - leading to potentially larger CPU usage. - The duration needs to be set to a value greater than or equal to 1 millisecond. - type: string - type: object - type: object - x-kubernetes-validations: - - message: At most one of [cryptomb qat] should be set - rule: (has(self.cryptomb)?1:0) + (has(self.qat)?1:0) - <= 1 - proxyAdminPort: - description: |- - Port on which Envoy should listen for administrative commands. - Default port is `15000`. 
- format: int32 - type: integer - proxyBootstrapTemplatePath: - description: Path to the proxy bootstrap template file - type: string - proxyHeaders: - description: "Define the set of headers to add/modify - for HTTP request/responses.\n\nTo enable an optional - header, simply set the field. If no specific configuration - is required, an empty object (`{}`) will enable it.\nNote: - currently all headers are enabled by default.\n\nBelow - shows an example of customizing the `server` header - and disabling the `X-Envoy-Attempt-Count` header:\n\n```yaml\nproxyHeaders:\n\n\tserver:\n\t - \ value: \"my-custom-server\"\n\trequestId: {} // Explicitly - enable Request IDs. As this is the default, this has - no effect.\n\tattemptCount:\n\t disabled: true\n\n```\n\nSome - headers are enabled by default, and require explicitly - disabling. See below for an example of disabling all - default-enabled headers:\n\n```yaml\nproxyHeaders:\n\n\tforwardedClientCert: - SANITIZE\n\tserver:\n\t disabled: true\n\trequestId:\n\t - \ disabled: true\n\tattemptCount:\n\t disabled: true\n\tenvoyDebugHeaders:\n\t - \ disabled: true\n\tmetadataExchangeHeaders:\n\t mode: - IN_MESH\n\n```" - properties: - attemptCount: - description: |- - Controls the `X-Envoy-Attempt-Count` header. - If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. - If disabled, this header will not be set. If it is already present, it will be preserved. - This header is enabled by default if not configured. - properties: - disabled: - type: boolean - type: object - envoyDebugHeaders: - description: |- - Controls various `X-Envoy-*` headers, such as `X-Envoy-Overloaded` and `X-Envoy-Upstream-Service-Time`. If enabled, - these headers will be included. - If disabled, these headers will not be set. If they are already present, they will be preserved. 
- See the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers) for more details. - These headers are enabled by default if not configured. - properties: - disabled: - type: boolean - type: object - forwardedClientCert: - description: |- - Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting. - To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is). - By default, `APPEND_FORWARD` will be used. - enum: - - UNDEFINED - - SANITIZE - - FORWARD_ONLY - - APPEND_FORWARD - - SANITIZE_SET - - ALWAYS_FORWARD_ONLY - type: string - metadataExchangeHeaders: - description: |- - Controls Istio metadata exchange headers `X-Envoy-Peer-Metadata` and `X-Envoy-Peer-Metadata-Id`. - By default, the behavior is unspecified. - If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh. - properties: - mode: - enum: - - UNDEFINED - - IN_MESH - type: string - type: object - requestId: - description: |- - Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set. - This applies to all types of traffic (inbound, outbound, and gateways). - If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. - Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. - This header is enabled by default if not configured. - properties: - disabled: - type: boolean - type: object - server: - description: |- - Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways). 
- If disabled, the `Server` header is not modified. If it is already present, it will be preserved. - properties: - disabled: - type: boolean - value: - description: If set, and the server header is - enabled, this value will be set as the server - header. By default, `istio-envoy` will be used. - type: string - type: object - setCurrentClientCertDetails: - description: |- - This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET - and the client connection is mTLS. It specifies the fields in - the client certificate to be forwarded. Note that `Hash` is always set, and - `By` is always set when the client certificate presents the URI type Subject Alternative Name value. - properties: - cert: - description: |- - Whether to forward the entire client cert in URL encoded PEM format. This will appear in the - XFCC header comma separated from other values with the value Cert="PEM". - Defaults to false. - type: boolean - chain: - description: |- - Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM - format. This will appear in the XFCC header comma separated from other values with the value - Chain="PEM". - Defaults to false. - type: boolean - dns: - description: |- - Whether to forward the DNS type Subject Alternative Names of the client cert. - Defaults to true. - type: boolean - subject: - description: Whether to forward the subject of - the client cert. Defaults to true. - type: boolean - uri: - description: |- - Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to - true. - type: boolean - type: object - type: object - proxyMetadata: - additionalProperties: - type: string - description: |- - Additional environment variables for the proxy. - Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server. 
- type: object - proxyStatsMatcher: - description: "Proxy stats matcher defines configuration - for reporting custom Envoy stats.\nTo reduce memory - and CPU overhead from Envoy stats system, Istio proxies - by\ndefault create and expose only a subset of Envoy - stats. This option is to\ncontrol creation of additional - Envoy stats with prefix, suffix, and regex\nexpressions - match on the name of the stats. This replaces the stats\ninclusion - annotations\n(`sidecar.istio.io/statsInclusionPrefixes`,\n`sidecar.istio.io/statsInclusionRegexps`, - and\n`sidecar.istio.io/statsInclusionSuffixes`). For - example, to enable stats\nfor circuit breakers, request - retries, upstream connections, and request timeouts,\nyou - can specify stats matcher as follows:\n```yaml\nproxyStatsMatcher:\n\n\tinclusionRegexps:\n\t - \ - .*outlier_detection.*\n\t - .*upstream_rq_retry.*\n\t - \ - .*upstream_cx_.*\n\tinclusionSuffixes:\n\t - upstream_rq_timeout\n\n```\nNote - including more Envoy stats might increase number of - time series\ncollected by prometheus significantly. - Care needs to be taken on Prometheus\nresource provision - and configuration to reduce cardinality." - properties: - inclusionPrefixes: - description: Proxy stats name prefix matcher for inclusion. - items: - type: string - type: array - inclusionRegexps: - description: Proxy stats name regexps matcher for - inclusion. - items: - type: string - type: array - inclusionSuffixes: - description: Proxy stats name suffix matcher for inclusion. - items: - type: string - type: array - type: object - readinessProbe: - description: |- - VM Health Checking readiness probe. This health check config exactly mirrors the - kubernetes readiness probe configuration both in schema and logic. - Only one health check method of 3 can be set at a time. - properties: - exec: - description: Exec specifies the action to take. 
- properties: - command: - description: |- - Command is the command line to execute inside the container, the working directory for the - command is root ('/') in the container's filesystem. The command is simply exec'd, it is - not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use - a shell, you need to explicitly call out to that shell. - Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - failureThreshold: - description: |- - Minimum consecutive failures for the probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. - format: int32 - type: integer - grpc: - description: GRPC specifies an action involving a - GRPC port. - properties: - port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. - format: int32 - type: integer - service: - default: "" - description: |- - Service is the name of the service to place in the gRPC HealthCheckRequest - (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - - If this is not specified, the default behavior is defined by gRPC. - type: string - required: - - port - type: object - httpGet: - description: HTTPGet specifies the http request to - perform. - properties: - host: - description: |- - Host name to connect to, defaults to the pod IP. You probably want to set - "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: |- - The header field name. - This will be canonicalized upon output, so case-variant names will be understood as the same header. 
- type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - x-kubernetes-list-type: atomic - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Name or number of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: |- - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: |- - Number of seconds after the container has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - periodSeconds: - description: |- - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: |- - Minimum consecutive successes for the probe to be considered successful after having failed. - Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. - properties: - host: - description: 'Optional: Host name to connect to, - defaults to the pod IP.' - type: string - port: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the container. - Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: |- - Optional duration in seconds the pod needs to terminate gracefully upon probe failure. 
- The grace period is the duration in seconds after the processes running in the pod are sent - a termination signal and the time when the processes are forcibly halted with a kill signal. - Set this value longer than the expected cleanup time for your process. - If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates stop immediately via - the kill signal (no opportunity to shut down). - This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: |- - Number of seconds after which the probe times out. - Defaults to 1 second. Minimum value is 1. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - format: int32 - type: integer - type: object - runtimeValues: - additionalProperties: - type: string - description: |- - Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping. - This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution. - type: object - sds: - description: |- - Secret Discovery Service(SDS) configuration to be used by the proxy. - - Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto. - properties: - enabled: - description: True if SDS is enabled. - type: boolean - k8sSaJwtPath: - description: Path of k8s service account JWT path. - type: string - type: object - serviceCluster: - description: |- - Service cluster defines the name for the `service_cluster` that is - shared by all Envoy instances. This setting corresponds to - `--service-cluster` flag in Envoy. 
In a typical Envoy deployment, the - `service-cluster` flag is used to identify the caller, for - source-based routing scenarios. - - Since Istio does not assign a local `service/service` version to each - Envoy instance, the name is same for all of them. However, the - source/caller's identity (e.g., IP address) is encoded in the - `--service-node` flag when launching Envoy. When the RDS service - receives API calls from Envoy, it uses the value of the `service-node` - flag to compute routes that are relative to the service instances - located at that IP address. - type: string - statNameLength: - description: |- - Maximum length of name field in Envoy's metrics. The length of the name field - is determined by the length of a name field in a service and the set of labels that - comprise a particular version of the service. The default value is set to 189 characters. - Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. - Increase the value of this field if you find that the metrics from Envoys are truncated. - format: int32 - type: integer - statsdUdpAddress: - description: IP Address and Port of a statsd UDP listener - (e.g. `10.75.241.127:9125`). - type: string - statusPort: - description: |- - Port on which the agent should listen for administrative commands such as readiness probe. - Default is set to port `15020`. - format: int32 - type: integer - terminationDrainDuration: - description: |- - The amount of time allowed for connections to complete on proxy shutdown. - On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, - discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. - If not set, a default of `5s` will be applied. - type: string - tracing: - description: Tracing configuration to be used by the proxy. 
- properties: - customTags: - additionalProperties: - description: |- - Configure custom tags that will be added to any active span. - Tags can be generated via literals, environment variables or an incoming request header. - properties: - environment: - description: |- - The custom tag's value should be populated from an environmental - variable - properties: - defaultValue: - description: |- - When the environment variable is not found, - the tag's value will be populated with this default value if specified, - otherwise the tag will not be populated. - type: string - name: - description: Name of the environment variable - used to populate the tag's value - type: string - type: object - header: - description: |- - The custom tag's value is populated by an http header from - an incoming request. - properties: - defaultValue: - description: |- - Default value to be used for the tag when the named HTTP header does not exist. - The tag will be skipped if no default value is provided. - type: string - name: - description: HTTP header name used to obtain - the value from to populate the tag value. - type: string - type: object - literal: - description: The custom tag's value is the specified - literal. - properties: - value: - description: Static literal value used to - populate the tag value. - type: string - type: object - type: object - x-kubernetes-validations: - - message: At most one of [literal environment header] - should be set - rule: (has(self.literal)?1:0) + (has(self.environment)?1:0) - + (has(self.header)?1:0) <= 1 - description: "and gateways).\nThe key represents the - name of the tag.\nEx:\n```yaml\ncustom_tags:\n\n\tnew_tag_name:\n\t - \ header:\n\t name: custom-http-header-name\n\t - \ default_value: defaulted-value-from-custom-header\n\n```" - type: object - datadog: - description: Use a Datadog tracer. - properties: - address: - description: Address of the Datadog Agent. 
- type: string - type: object - lightstep: - description: |- - Use a Lightstep tracer. - NOTE: For Istio 1.15+, this configuration option will result - in using OpenTelemetry-based Lightstep integration. - properties: - accessToken: - description: The Lightstep access token. - type: string - address: - description: Address of the Lightstep Satellite - pool. - type: string - type: object - maxPathTagLength: - description: |- - Configures the maximum length of the request path to extract and include in the - HttpUrl tag. Used to truncate length request paths to meet the needs of tracing - backend. If not set, then a length of 256 will be used. - format: int32 - type: integer - openCensusAgent: - description: Use an OpenCensus tracer exporting to - an OpenCensus agent. - properties: - address: - description: |- - gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or - unix:path). See [gRPC naming - docs](https://github.com/grpc/grpc/blob/master/doc/naming.md) for - details. - type: string - context: - description: |- - Specifies the set of context propagation headers used for distributed - tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified, - the proxy will attempt to read each header for each request and will - write all headers. - items: - description: |- - TraceContext selects the context propagation headers used for - distributed tracing. - enum: - - UNSPECIFIED - - W3C_TRACE_CONTEXT - - GRPC_BIN - - CLOUD_TRACE_CONTEXT - - B3 - type: string - type: array - type: object - sampling: - description: |- - The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, - if not requested by the client or not forced. Default is 1.0. - type: number - stackdriver: - description: Use a Stackdriver tracer. - properties: - debug: - description: debug enables trace output to stdout. 
- type: boolean - maxNumberOfAnnotations: - description: |- - The global default max number of annotation events per span. - default is 200. - format: int64 - type: integer - maxNumberOfAttributes: - description: |- - The global default max number of attributes per span. - default is 200. - format: int64 - type: integer - maxNumberOfMessageEvents: - description: |- - The global default max number of message events per span. - default is 200. - format: int64 - type: integer - type: object - tlsSettings: - description: |- - Use the tlsSettings to specify the tls mode to use. If the remote tracing service - uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS - mode as `ISTIO_MUTUAL`. - properties: - caCertificates: - description: |- - OPTIONAL: The path to the file containing certificate authority - certificates to use in verifying a presented server certificate. If - omitted, the proxy will verify the server's certificate using - the OS CA certificates. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - caCrl: - description: |- - OPTIONAL: The path to the file containing the certificate revocation list (CRL) - to use in verifying a presented server certificate. `CRL` is a list of certificates - that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. - If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, - `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. - type: string - clientCertificate: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client-side TLS certificate to use. - Should be empty if mode is `ISTIO_MUTUAL`. 
- type: string - credentialName: - description: |- - The name of the secret that holds the TLS certs for the - client including the CA certificates. This secret must exist in - the namespace of the proxy using the certificates. - An Opaque secret should contain the following keys and values: - `key: `, `cert: `, `cacert: `, - `crl: ` - Here CACertificate is used to verify the server certificate. - For mutual TLS, `cacert: ` can be provided in the - same secret or a separate secret named `-cacert`. - A TLS secret for client certificates with an additional - `ca.crt` key for CA certificates and `ca.crl` key for - certificate revocation list(CRL) is also supported. - Only one of client certificates and CA certificate - or credentialName can be specified. - - **NOTE:** This field is applicable at sidecars only if - `DestinationRule` has a `workloadSelector` specified. - Otherwise the field will be applicable only at gateways, and - sidecars will continue to use the certificate paths. - type: string - insecureSkipVerify: - description: |- - `insecureSkipVerify` specifies whether the proxy should skip verifying the - CA signature and SAN for the server certificate corresponding to the host. - The default value of this field is false. - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured - using TLS. The value of this field determines how TLS is enforced. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: |- - REQUIRED if mode is `MUTUAL`. The path to the file holding the - client's private key. - Should be empty if mode is `ISTIO_MUTUAL`. - type: string - sni: - description: |- - SNI string to present to the server during TLS handshake. - If unspecified, SNI will be automatically set based on downstream HTTP - host/authority header for SIMPLE and MUTUAL TLS modes. 
- type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate. If specified, the proxy will verify that the server - certificate's subject alt name matches one of the specified values. - If specified, this list overrides the value of subject_alt_names - from the ServiceEntry. If unspecified, automatic validation of upstream - presented certificate for new upstream connections will be done based on the - downstream HTTP host/authority header. - items: - type: string - type: array - type: object - zipkin: - description: Use a Zipkin tracer. - properties: - address: - description: Address of the Zipkin service (e.g. - _zipkin:9411_). - type: string - type: object - type: object - x-kubernetes-validations: - - message: At most one of [zipkin lightstep datadog stackdriver - openCensusAgent] should be set - rule: (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) - + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) - + (has(self.openCensusAgent)?1:0) <= 1 - tracingServiceName: - description: |- - Used by Envoy proxies to assign the values for the service names in trace - spans. - enum: - - APP_LABEL_AND_NAMESPACE - - CANONICAL_NAME_ONLY - - CANONICAL_NAME_AND_NAMESPACE - type: string - zipkinAddress: - description: |- - Address of the Zipkin service (e.g. _zipkin:9411_). - DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead. - - Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto. - type: string - type: object - x-kubernetes-validations: - - message: At most one of [serviceCluster tracingServiceName] - should be set - rule: (has(self.serviceCluster)?1:0) + (has(self.tracingServiceName)?1:0) - <= 1 - defaultDestinationRuleExportTo: - description: |- - The default value for the `DestinationRule.exportTo` field. Has the same - syntax as `defaultServiceExportTo`. 
- - If not set the system will use "*" as the default value which implies that - destination rules are exported to all namespaces - items: - type: string - type: array - defaultHttpRetryPolicy: - description: "Configure the default HTTP retry policy.\nThe - default number of retry attempts is set at 2 for these errors:\n\n\t\"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes\".\n\nSetting - the number of attempts to 0 disables retry policy globally.\nThis - setting can be overridden on a per-host basis using the - Virtual Service\nAPI.\nAll settings in the retry policy - except `perTryTimeout` can currently be\nconfigured globally - via this field." - properties: - attempts: - description: |- - Number of retries to be allowed for a given request. The interval - between retries will be determined automatically (25ms+). When request - `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute) - or `per_try_timeout` is configured, the actual number of retries attempted also depends on - the specified request `timeout` and `per_try_timeout` values. MUST BE >= 0. If `0`, retries will be disabled. - The maximum possible number of requests made will be 1 + `attempts`. - format: int32 - type: integer - perTryTimeout: - description: |- - Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms. - Default is same value as request - `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute), - which means no timeout. - type: string - retryOn: - description: |- - Specifies the conditions under which retry takes place. - One or more policies can be specified using a ‘,’ delimited list. 
- See the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on) - and [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on) for more details. - - In addition to the policies specified above, a list of HTTP status codes can be passed, such as `retryOn: "503,reset"`. - Note these status codes refer to the actual responses received from the destination. - For example, if a connection is reset, Istio will translate this to 503 for it's response. - However, the destination did not return a 503 error, so this would not match `"503"` (it would, however, match `"reset"`). - - If not specified, this defaults to `connect-failure,refused-stream,unavailable,cancelled,503`. - type: string - retryRemoteLocalities: - description: |- - Flag to specify whether the retries should retry to other localities. - See the [retry plugin configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration) for more details. - type: boolean - type: object - defaultProviders: - description: Specifies extension providers to use by default - in Istio configuration resources. - properties: - accessLogging: - description: Name of the default provider(s) for access - logging. - items: - type: string - type: array - metrics: - description: Name of the default provider(s) for metrics. - items: - type: string - type: array - tracing: - description: Name of the default provider(s) for tracing. - items: - type: string - type: array - type: object - defaultServiceExportTo: - description: |- - The default value for the ServiceEntry.exportTo field and services - imported through container registry integrations, e.g. this applies to - Kubernetes Service resources. The value is a list of namespace names and - reserved namespace aliases. 
The allowed namespace aliases are: - ``` - * - All Namespaces - . - Current Namespace - ~ - No Namespace - ``` - If not set the system will use "*" as the default value which implies that - services are exported to all namespaces. - - `All namespaces` is a reasonable default for implementations that don't - need to restrict access or visibility of services across namespace - boundaries. If that requirement is present it is generally good practice to - make the default `Current namespace` so that services are only visible - within their own namespaces by default. Operators can then expand the - visibility of services to other namespaces as needed. Use of `No Namespace` - is expected to be rare but can have utility for deployments where - dependency management needs to be precise even within the scope of a single - namespace. - - For further discussion see the reference documentation for `ServiceEntry`, - `Sidecar`, and `Gateway`. - items: - type: string - type: array - defaultVirtualServiceExportTo: - description: |- - The default value for the VirtualService.exportTo field. Has the same - syntax as `defaultServiceExportTo`. - - If not set the system will use "*" as the default value which implies that - virtual services are exported to all namespaces - items: - type: string - type: array - disableEnvoyListenerLog: - description: |- - This flag disables Envoy Listener logs. - See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log) - Istio Enables Envoy's listener access logs on "NoRoute" response flag. - Default value is `false`. - type: boolean - discoverySelectors: - description: |- - A list of Kubernetes selectors that specify the set of namespaces that Istio considers when - computing configuration updates for sidecars. 
This can be used to reduce Istio's computational load - by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. - If omitted, Istio will use the default behavior of processing all namespaces in the cluster. - Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. - The following example selects any namespace that matches either below: - 1. The namespace has both of these labels: `env: prod` and `region: us-east1` - 2. The namespace has label `app` equal to `cassandra` or `spark`. - ```yaml - discoverySelectors: - - matchLabels: - env: prod - region: us-east1 - - matchExpressions: - - key: app - operator: In - values: - - cassandra - - spark - - ``` - Refer to the [Kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) - for additional detail on selector semantics. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - dnsRefreshRate: - description: |- - Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS` - Default refresh rate is `60s`. - type: string - enableAutoMtls: - description: |- - This flag is used to enable mutual `TLS` automatically for service to service communication - within the mesh, default true. - If set to true, and a given service does not have a corresponding `DestinationRule` configured, - or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side - TLS configuration appropriately. More specifically, - If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate - for mutual `TLS` to connect to upstream. - If upstream service is in plain text mode, use plain text. - If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use - mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic. - If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead. - type: boolean - enableEnvoyAccessLogService: - description: |- - This flag enables Envoy's gRPC Access Log Service. - See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto) - for details about Envoy's gRPC Access Log Service API. 
- Default value is `false`. - type: boolean - enablePrometheusMerge: - description: |- - If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy - and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod - and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. - This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and - `prometheus.io/path` annotations. - If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. - In this case, it is recommended to disable aggregation on that deployment with the - `prometheus.istio.io/merge-metrics: "false"` annotation. - If not specified, this will be enabled by default. - type: boolean - enableTracing: - description: |- - Flag to control generation of trace spans and request IDs. - Requires a trace span collector defined in the proxy configuration. - type: boolean - extensionProviders: - description: |- - Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy - can be used with an extension provider to delegate the authorization decision to a custom authorization system. - items: - properties: - datadog: - description: Configures a Datadog tracing provider. - properties: - maxTagLength: - description: |- - Optional. Controls the overall path length allowed in a reported span. - NOTE: currently only controls max length of the path tag. - format: int32 - type: integer - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service for the Datadog agent. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. 
The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com". - type: string - required: - - port - - service - type: object - envoyExtAuthzGrpc: - description: Configures an external authorizer that - implements the Envoy ext_authz filter authorization - check service using the gRPC API. - properties: - failOpen: - description: |- - If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, - or if the authorization service has returned a HTTP 5xx error. - Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately. - type: boolean - includeRequestBodyInCheck: - description: If set, the client request body will - be included in the authorization request sent - to the authorization service. - properties: - allowPartialMessage: - description: |- - When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. - The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. - A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message - indicating if the body data is partial. - type: boolean - maxRequestBytes: - description: |- - Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). - Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the - failOpen is set to true. 
- format: int32 - type: integer - packAsBytes: - description: |- - If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes - in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). - Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. - type: boolean - type: object - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". - type: string - statusOnError: - description: |- - Sets the HTTP status that is returned to the client when there is a network error to the authorization service. - The default status is "403" (HTTP Forbidden). - type: string - timeout: - description: |- - The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). - When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `failOpen` field. 
- type: string - required: - - port - - service - type: object - envoyExtAuthzHttp: - description: Configures an external authorizer that - implements the Envoy ext_authz filter authorization - check service using the HTTP API. - properties: - failOpen: - description: |- - If true, the user request will be allowed even if the communication with the authorization service has failed, - or if the authorization service has returned a HTTP 5xx error. - Default is false and the request will be rejected with "Forbidden" response. - type: boolean - headersToDownstreamOnAllow: - description: |- - List of headers from the authorization service that should be forwarded to downstream when the authorization - check result is allowed (HTTP code 200). - If not specified, the original response will not be modified and forwarded to downstream as-is. - Note, any existing headers will be overridden. - - Exact, prefix and suffix matches are supported (similar to the - [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) - except the presence match): - - Exact match: "abc" will match on value "abc". - - Prefix match: "abc*" will match on value "abc" and "abcd". - - Suffix match: "*abc" will match on value "abc" and "xabc". - items: - type: string - type: array - headersToDownstreamOnDeny: - description: |- - List of headers from the authorization service that should be forwarded to downstream when the authorization - check result is not allowed (HTTP code other than 200). - If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to - the downstream. - When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are - automatically added. - Note, the body from the authorization service is always included in the response to downstream. 
- - Exact, prefix and suffix matches are supported (similar to the - [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) - except the presence match): - - Exact match: "abc" will match on value "abc". - - Prefix match: "abc*" will match on value "abc" and "abcd". - - Suffix match: "*abc" will match on value "abc" and "xabc". - items: - type: string - type: array - headersToUpstreamOnAllow: - description: |- - List of headers from the authorization service that should be added or overridden in the original request and - forwarded to the upstream when the authorization check result is allowed (HTTP code 200). - If not specified, the original request will not be modified and forwarded to backend as-is. - Note, any existing headers will be overridden. - - Exact, prefix and suffix matches are supported (similar to the - [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) - except the presence match): - - Exact match: "abc" will match on value "abc". - - Prefix match: "abc*" will match on value "abc" and "abcd". - - Suffix match: "*abc" will match on value "abc" and "xabc". - items: - type: string - type: array - includeAdditionalHeadersInCheck: - additionalProperties: - type: string - description: |- - Set of additional fixed headers that should be included in the authorization request sent to the authorization service. - Key is the header name and value is the header value. - Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. - type: object - includeHeadersInCheck: - description: |- - DEPRECATED. Use includeRequestHeadersInCheck instead. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. 
- items: - type: string - type: array - includeRequestBodyInCheck: - description: If set, the client request body will - be included in the authorization request sent - to the authorization service. - properties: - allowPartialMessage: - description: |- - When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. - The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. - A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message - indicating if the body data is partial. - type: boolean - maxRequestBytes: - description: |- - Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). - Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the - failOpen is set to true. - format: int32 - type: integer - packAsBytes: - description: |- - If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes - in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). - Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. - type: boolean - type: object - includeRequestHeadersInCheck: - description: |- - List of client request headers that should be included in the authorization request sent to the authorization service. 
- Note that in addition to the headers specified here following headers are included by default: - 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. - 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), - consequently the value of Content-Length of the authorization request reflects the size of its payload size. - - Exact, prefix and suffix matches are supported (similar to the - [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) - except the presence match): - - Exact match: "abc" will match on value "abc". - - Prefix match: "abc*" will match on value "abc" and "abcd". - - Suffix match: "*abc" will match on value "abc" and "xabc". - items: - type: string - type: array - pathPrefix: - description: |- - Sets a prefix to the value of authorization request header *Path*. - For example, setting this to "/check" for an original user request at path "/admin" will cause the - authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin". - type: string - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". - type: string - statusOnError: - description: |- - Sets the HTTP status that is returned to the client when there is a network error to the authorization service. 
- The default status is "403" (HTTP Forbidden). - type: string - timeout: - description: |- - The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). - When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `failOpen` field. - type: string - required: - - port - - service - type: object - envoyFileAccessLog: - description: Configures an Envoy File Access Log provider. - properties: - logFormat: - description: Optional. Allows overriding of the - default access log format. - properties: - labels: - additionalProperties: - type: string - description: "JSON structured format for the - envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan - be used as values for fields within the Struct. - Values are rendered\nas strings, numbers, - or boolean values, as appropriate\n(see: [format - dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). - Nested JSON is\nsupported for some command - operators (e.g. `FILTER_STATE` or `DYNAMIC_METADATA`).\nUse - `labels: {}` for default envoy JSON log format.\n\nExample:\n```\nlabels:\n\n\tstatus: - \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" - type: object - text: - description: |- - Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be - used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) - provides more information. - - NOTE: Istio will insert a newline ('\n') on all formats (if missing). 
- - Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` - type: string - type: object - x-kubernetes-validations: - - message: At most one of [text labels] should be - set - rule: (has(self.text)?1:0) + (has(self.labels)?1:0) - <= 1 - path: - description: |- - Path to a local file to write the access log entries. - This may be used to write to streams, via `/dev/stderr` and `/dev/stdout` - If unspecified, defaults to `/dev/stdout`. - type: string - type: object - envoyHttpAls: - description: Configures an Envoy Access Logging Service - provider for HTTP traffic. - properties: - additionalRequestHeadersToLog: - description: Optional. Additional request headers - to log. - items: - type: string - type: array - additionalResponseHeadersToLog: - description: Optional. Additional response headers - to log. - items: - type: string - type: array - additionalResponseTrailersToLog: - description: Optional. Additional response trailers - to log. - items: - type: string - type: array - filterStateObjectsToLog: - description: Optional. Additional filter state objects - to log. - items: - type: string - type: array - logName: - description: |- - Optional. The friendly name of the access log. - Defaults: - - "http_envoy_accesslog" - - "listener_envoy_accesslog" - type: string - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". 
- type: string - required: - - port - - service - type: object - envoyOtelAls: - description: Configures an Envoy Open Telemetry Access - Logging Service provider. - properties: - logFormat: - description: |- - Optional. Format for the proxy access log - Empty value results in proxy's default access log format, following Envoy access logging formatting. - properties: - labels: - additionalProperties: - type: string - description: "Optional. Additional attributes - that describe the specific event occurrence.\nStructured - format for the envoy access logs. Envoy [command - operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan - be used as values for fields within the Struct. - Values are rendered\nas strings, numbers, - or boolean values, as appropriate\n(see: [format - dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). - Nested JSON is\nsupported for some command - operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: - \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" - type: object - text: - description: |- - Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be - used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) - provides more information. 
- Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) - Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` - type: string - type: object - logName: - description: |- - Optional. The friendly name of the access log. - Defaults: - - "otel_envoy_accesslog" - type: string - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". - type: string - required: - - port - - service - type: object - envoyTcpAls: - description: Configures an Envoy Access Logging Service - provider for TCP traffic. - properties: - filterStateObjectsToLog: - description: Optional. Additional filter state objects - to log. - items: - type: string - type: array - logName: - description: |- - Optional. The friendly name of the access log. - Defaults: - - "tcp_envoy_accesslog" - - "listener_envoy_accesslog" - type: string - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". 
- type: string - required: - - port - - service - type: object - lightstep: - description: |- - Configures a Lightstep tracing provider. - Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027 - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. - properties: - accessToken: - description: The Lightstep access token. - type: string - maxTagLength: - description: |- - Optional. Controls the overall path length allowed in a reported span. - NOTE: currently only controls max length of the path tag. - format: int32 - type: integer - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service for the Lightstep collector. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com". - type: string - required: - - port - - service - type: object - name: - description: REQUIRED. A unique name identifying the - extension provider. - type: string - opencensus: - description: |- - Configures an OpenCensusAgent tracing provider. - Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/ - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. - properties: - context: - description: |- - Specifies the set of context propagation headers used for distributed - tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified, - the proxy will attempt to read each header for each request and will - write all headers. 
- items: - description: |- - TraceContext selects the context propagation headers used for - distributed tracing. - enum: - - UNSPECIFIED - - W3C_TRACE_CONTEXT - - GRPC_BIN - - CLOUD_TRACE_CONTEXT - - B3 - type: string - type: array - maxTagLength: - description: |- - Optional. Controls the overall path length allowed in a reported span. - NOTE: currently only controls max length of the path tag. - format: int32 - type: integer - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service for the OpenCensusAgent. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com". - type: string - required: - - port - - service - type: object - opentelemetry: - description: Configures an OpenTelemetry tracing provider. - properties: - dynatraceSampler: - description: |- - The Dynatrace adaptive traffic management (ATM) sampler. - - Example configuration: - - ```yaml - - name: otel-tracing - opentelemetry: - port: 443 - service: "{your-environment-id}.live.dynatrace.com" - http: - path: "/api/v2/otlp/v1/traces" - timeout: 10s - headers: - - name: "Authorization" - value: "Api-Token dt0c01." - resourceDetectors: - dynatrace: {} - dynatraceSampler: - tenant: "{your-environment-id}" - clusterId: 1234 - properties: - clusterId: - description: |- - REQUIRED. The identifier of the cluster in the Dynatrace platform. - The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy. - - The value can be obtained from the Istio deployment page in Dynatrace. - format: int32 - type: integer - httpService: - description: |- - Optional. 
Dynatrace HTTP API to obtain sampling configuration. - - When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter - (`service`, `port` and `http`), including the access token. - properties: - http: - description: REQUIRED. Specifies sampling - configuration URI. - properties: - headers: - description: |- - Optional. Allows specifying custom HTTP headers that will be added - to each HTTP request sent. - items: - properties: - name: - description: REQUIRED. The HTTP - header name. - type: string - value: - description: REQUIRED. The HTTP - header value. - type: string - required: - - name - - value - type: object - type: array - path: - description: REQUIRED. Specifies the - path on the service. - type: string - timeout: - description: |- - Optional. Specifies the timeout for the HTTP request. - If not specified, the default is 3s. - type: string - required: - - path - type: object - port: - description: REQUIRED. Specifies the port - of the service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration. - The format is ``, where `` is the fully qualified Dynatrace environment - host name defined in the ServiceEntry. - - Example: "{your-environment-id}.live.dynatrace.com". - type: string - required: - - http - - port - - service - type: object - rootSpansPerMinute: - description: |- - Optional. Number of sampled spans per minute to be used - when the adaptive value cannot be obtained from the Dynatrace API. - - A default value of `1000` is used when: - - - `rootSpansPerMinute` is unset - - `rootSpansPerMinute` is set to 0 - format: int32 - type: integer - tenant: - description: |- - REQUIRED. The Dynatrace customer's tenant identifier. - - The value can be obtained from the Istio deployment page in Dynatrace. - type: string - required: - - clusterId - - tenant - type: object - grpc: - description: "Optional. 
Specifies the configuration - for exporting OTLP traces via GRPC.\nWhen empty, - traces will check whether HTTP is set.\nIf not, - traces will use default GRPC configurations.\n\nThe - following example shows how to configure the OpenTelemetry - ExtensionProvider to export via GRPC:\n\n1. Add/change - the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n - \ - name: opentelemetry\n opentelemetry:\n - \ port: 8090\n service: tracing.example.com\n - \ grpc:\n timeout: 10s\n initialMetadata:\n - \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. - Deploy a `ServiceEntry` for the observability - back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: - ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- - tracing.example.com\n\tports:\n\t- number: 8090\n\t - \ name: grpc-port\n\t protocol: GRPC\n\tresolution: - DNS\n\tlocation: MESH_EXTERNAL\n\n```" - properties: - initialMetadata: - description: |- - Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for - scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to - be injected. - items: - properties: - name: - description: REQUIRED. The HTTP header - name. - type: string - value: - description: REQUIRED. The HTTP header - value. - type: string - required: - - name - - value - type: object - type: array - timeout: - description: Optional. Specifies the timeout - for the GRPC request. - type: string - type: object - http: - description: "Optional. Specifies the configuration - for exporting OTLP traces via HTTP.\nWhen empty, - traces will be exported via gRPC.\n\nThe following - example shows how to configure the OpenTelemetry - ExtensionProvider to export via HTTP:\n\n1. 
Add/change - the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n - \ - name: otel-tracing\n opentelemetry:\n port: - 443\n service: my.olly-backend.com\n http:\n - \ path: \"/api/otlp/traces\"\n timeout: 10s\n - \ headers:\n - name: \"my-custom-header\"\n - \ value: \"some value\"\n\n```\n\n2. Deploy - a `ServiceEntry` for the observability back-end\n```yaml\napiVersion: - networking.istio.io/v1alpha3\nkind: ServiceEntry\nmetadata:\n\n\tname: - my-olly-backend\n\nspec:\n\n\thosts:\n\t- my.olly-backend.com\n\tports:\n\t- - number: 443\n\t name: https-port\n\t protocol: - HTTPS\n\tresolution: DNS\n\tlocation: MESH_EXTERNAL\n\n---\napiVersion: - networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n\n\tname: - my-olly-backend\n\nspec:\n\n\thost: my.olly-backend.com\n\ttrafficPolicy:\n\t - \ portLevelSettings:\n\t - port:\n\t number: - 443\n\t tls:\n\t mode: SIMPLE\n\n```" - properties: - headers: - description: |- - Optional. Allows specifying custom HTTP headers that will be added - to each HTTP request sent. - items: - properties: - name: - description: REQUIRED. The HTTP header - name. - type: string - value: - description: REQUIRED. The HTTP header - value. - type: string - required: - - name - - value - type: object - type: array - path: - description: REQUIRED. Specifies the path on - the service. - type: string - timeout: - description: |- - Optional. Specifies the timeout for the HTTP request. - If not specified, the default is 3s. - type: string - required: - - path - type: object - maxTagLength: - description: |- - Optional. Controls the overall path length allowed in a reported span. - NOTE: currently only controls max length of the path tag. - format: int32 - type: integer - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - resourceDetectors: - description: |- - Optional. 
Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) - to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged - according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). - - The following example shows how to configure the Environment Resource Detector, that will - read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`: - - ```yaml - - name: otel-tracing - opentelemetry: - port: 443 - service: my.olly-backend.com - resourceDetectors: - environment: {} - - ``` - properties: - dynatrace: - description: |- - Dynatrace Resource Detector. - The resource detector reads from the Dynatrace enrichment files - and adds host/process related attributes to the OpenTelemetry resource. - - See: [Enrich ingested data with Dynatrace-specific dimensions](https://docs.dynatrace.com/docs/shortlink/enrichment-files) - type: object - environment: - description: |- - OpenTelemetry Environment Resource Detector. - The resource detector reads attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES` - and adds them to the OpenTelemetry resource. - - See: [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable) - type: object - type: object - service: - description: |- - REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com". 
- type: string - required: - - port - - service - type: object - x-kubernetes-validations: - - message: At most one of [dynatraceSampler] should - be set - rule: (has(self.dynatraceSampler)?1:0) <= 1 - prometheus: - description: Configures a Prometheus metrics provider. - type: object - skywalking: - description: Configures a Apache SkyWalking provider. - properties: - accessToken: - description: Optional. The SkyWalking OAP access - token. - type: string - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service for the SkyWalking receiver. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com". - type: string - required: - - port - - service - type: object - stackdriver: - description: Configures a Stackdriver provider. - properties: - debug: - description: |- - debug enables trace output to stdout. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. - type: boolean - logging: - description: Optional. Controls Stackdriver logging - behavior. - properties: - labels: - additionalProperties: - type: string - description: "Collection of tag names and tag - expressions to include in the log\nentry. - Conflicts are resolved by the tag name by - overriding previously\nsupplied values.\n\nExample:\n\n\tlabels:\n\t - \ path: request.url_path\n\t foo: request.headers['x-foo']" - type: object - type: object - maxNumberOfAnnotations: - description: |- - The global default max number of annotation events per span. - default is 200. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. 
- format: int64 - type: integer - maxNumberOfAttributes: - description: |- - The global default max number of attributes per span. - default is 200. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. - format: int64 - type: integer - maxNumberOfMessageEvents: - description: |- - The global default max number of message events per span. - default is 200. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. - format: int64 - type: integer - maxTagLength: - description: |- - Optional. Controls the overall path length allowed in a reported span. - NOTE: currently only controls max length of the path tag. - format: int32 - type: integer - type: object - zipkin: - description: Configures a tracing provider that uses - the Zipkin API. - properties: - enable64bitTraceId: - description: |- - Optional. A 128 bit trace id will be used in Istio. - If true, will result in a 64 bit trace id being used. - type: boolean - maxTagLength: - description: |- - Optional. Controls the overall path length allowed in a reported span. - NOTE: currently only controls max length of the path tag. - format: int32 - type: integer - path: - description: |- - Optional. Specifies the endpoint of Zipkin API. - The default value is "/api/v2/spans". - type: string - port: - description: REQUIRED. Specifies the port of the - service. - format: int32 - type: integer - service: - description: |- - REQUIRED. Specifies the service that the Zipkin API. - The format is `[/]`. The specification of `` is required only when it is insufficient - to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a - service defined by the Kubernetes service or ServiceEntry. - - Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com". 
- type: string - required: - - port - - service - type: object - required: - - name - type: object - x-kubernetes-validations: - - message: At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc - zipkin lightstep datadog stackdriver opencensus skywalking - opentelemetry prometheus envoyFileAccessLog envoyHttpAls - envoyTcpAls envoyOtelAls] should be set - rule: (has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0) - + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) - + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) - + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0) - + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0) - + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0) - + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0) - <= 1 - maxItems: 1000 - type: array - h2UpgradePolicy: - description: |- - Specify if http1.1 connections should be upgraded to http2 by default. - if sidecar is installed on all pods in the mesh, then this should be set to `UPGRADE`. - If one or more services or namespaces do not have sidecar(s), then this should be set to `DO_NOT_UPGRADE`. - It can be enabled by destination using the `destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy` override. - enum: - - DO_NOT_UPGRADE - - UPGRADE - type: string - inboundClusterStatName: - description: |- - Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for - network filters like TCP and Redis. - By default, Istio emits statistics with the pattern `inbound|||`. - For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern. - - A Pattern can be composed of various pre-defined variables. The following variables are supported. - - - `%SERVICE%` - Will be substituted with short hostname of the service. - - `%SERVICE_NAME%` - Will be substituted with name of the service. 
- - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. - - `%SERVICE_PORT%` - Will be substituted with port of the service. - - `%TARGET_PORT%` - Will be substituted with the target port of the service. - - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. - - Following are some examples of supported patterns for reviews: - - - `%SERVICE_FQDN%_%SERVICE_PORT%` will use reviews.prod.svc.cluster.local_7443 as the stats name. - - `%SERVICE%` will use reviews.prod as the stats name. - type: string - inboundTrafficPolicy: - description: |- - Set the default behavior of the sidecar for handling inbound - traffic to the application. If your application listens on - localhost, you will need to set this to `LOCALHOST`. - properties: - mode: - enum: - - PASSTHROUGH - - LOCALHOST - type: string - type: object - ingressClass: - description: |- - Class of ingress resources to be processed by Istio ingress - controller. This corresponds to the value of - `kubernetes.io/ingress.class` annotation. - type: string - ingressControllerMode: - description: |- - Defines whether to use Istio ingress controller for annotated or all ingress resources. - Default mode is `STRICT`. - enum: - - UNSPECIFIED - - "OFF" - - DEFAULT - - STRICT - type: string - ingressSelector: - description: |- - Defines which gateway deployment to use as the Ingress controller. This field corresponds to - the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. - By default, `ingressgateway` is used, which will select the default IngressGateway as it has the - `istio: ingressgateway` labels. - It is recommended that this is the same value as ingressService. - type: string - ingressService: - description: |- - Name of the Kubernetes service used for the istio ingress controller. - If no ingress controller is specified, the default value `istio-ingressgateway` is used. 
- type: string - localityLbSetting: - description: |- - Locality based load balancing distribution or failover settings. - If unspecified, locality based load balancing will be enabled by default. - However, this requires outlierDetection to actually take effect for a particular - service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/ - properties: - distribute: - description: |- - Optional: only one of distribute, failover or failoverPriority can be set. - Explicitly specify loadbalancing weight across different zones and geographical locations. - Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) - If empty, the locality weight is set according to the endpoints number within it. - items: - description: |- - Describes how traffic originating in the 'from' zone or sub-zone is - distributed over a set of 'to' zones. Syntax for specifying a zone is - {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any - segment of the specification. Examples: - - `*` - matches all localities - - `us-west/*` - all zones and sub-zones within the us-west region - - `us-west/zone-1/*` - all sub-zones within us-west/zone-1 - properties: - from: - description: Originating locality, '/' separated, - e.g. 'region/zone/sub_zone'. - type: string - to: - additionalProperties: - format: int32 - type: integer - description: |- - Map of upstream localities to traffic distribution weights. The sum of - all weights should be 100. Any locality not present will - receive no traffic. - type: object - type: object - type: array - enabled: - description: |- - enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is. 
- type: boolean - failover: - description: |- - Optional: only one of distribute, failover or failoverPriority can be set. - Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. - Should be used together with OutlierDetection to detect unhealthy endpoints. - Note: if no OutlierDetection specified, this will not take effect. - items: - description: |- - Specify the traffic failover policy across regions. Since zone and sub-zone - failover is supported by default this only needs to be specified for - regions when the operator needs to constrain traffic failover so that - the default behavior of failing over to any endpoint globally does not - apply. This is useful when failing over traffic across regions would not - improve service health or may need to be restricted for other reasons - like regulatory controls. - properties: - from: - description: Originating region. - type: string - to: - description: |- - Destination region the traffic will fail over to when endpoints in - the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: |- - failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. - This is to support traffic failover across different groups of endpoints. - Two kinds of labels can be specified: - - - Specify only label keys `[key1, key2, key3]`, istio would compare the label values of client with endpoints. - Suppose there are total N label keys `[key1, key2, key3, ...keyN]` specified: - - 1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority. - 2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority. - 3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority. - 4. All the other endpoints have priority P(N) i.e. 
lowest priority. - - - Specify labels with key and value `[key1=value1, key2=value2, key3=value3]`, istio would compare the labels with endpoints. - Suppose there are total N labels `[key1=value1, key2=value2, key3=value3, ...keyN=valueN]` specified: - - 1. Endpoints matching all N labels have priority P(0) i.e. the highest priority. - 2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority. - 3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority. - 4. All the other endpoints have priority P(N) i.e. lowest priority. - - Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match. - - It can be any label specified on both client and server workloads. - The following labels which have special semantic meaning are also supported: - - - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks. - - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`. - - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`. - - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`. - - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`. 
- - `kubernetes.io/hostname` is used to match the current node of an endpoint, which maps to Kubernetes node label `kubernetes.io/hostname`. - - The below topology config indicates the following priority levels: - - ```yaml - failoverPriority: - - "topology.istio.io/network" - - "topology.kubernetes.io/region" - - "topology.kubernetes.io/zone" - - "topology.istio.io/subzone" - ``` - - 1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority. - 2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority. - 3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority. - 4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority. - 5. all the other endpoints have the same lowest priority. - - Suppose a service associated endpoints reside in multi clusters, the below example represents: - 1. endpoints in `clusterA` and has `version=v1` label have P(0) priority. - 2. endpoints not in `clusterA` but has `version=v1` label have P(1) priority. - 2. all the other endpoints have P(2) priority. - - ```yaml - failoverPriority: - - "version=v1" - - "topology.istio.io/cluster=clusterA" - ``` - - Optional: only one of distribute, failover or failoverPriority can be set. - And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect. 
- items: - type: string - type: array - type: object - meshMTLS: - description: "The below configuration parameters can be used - to specify TLSConfig for mesh traffic.\nFor example, a user - could enable min TLS version for ISTIO_MUTUAL traffic and - specify a curve for non ISTIO_MUTUAL traffic like below:\n```yaml\nmeshConfig:\n\n\tmeshMTLS:\n\t - \ minProtocolVersion: TLSV1_3\n\ttlsDefaults:\n\t Note: - applicable only for non ISTIO_MUTUAL scenarios\n\t ecdhCurves:\n\t - \ - P-256\n\t - P-512\n\n```\nConfiguration of mTLS - for traffic between workloads with ISTIO_MUTUAL TLS traffic.\n\nNote: - Mesh mTLS does not respect ECDH curves." - properties: - cipherSuites: - description: |- - Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. - If not specified, the following cipher suites will be used: - ``` - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-GCM-SHA256 - ``` - items: - type: string - type: array - ecdhCurves: - description: |- - Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. - If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to - [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto). - items: - type: string - type: array - minProtocolVersion: - description: |- - Optional: the minimum TLS protocol version. The default minimum - TLS version will be TLS 1.2. As servers may not be Envoy and be - set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the - minimum TLS version for clients may also be TLS 1.2. - In the current Istio implementation, the maximum TLS protocol version - is TLS 1.3. 
- enum: - - TLS_AUTO - - TLSV1_2 - - TLSV1_3 - type: string - type: object - outboundClusterStatName: - description: |- - Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for - network filters like TCP and Redis. - By default, Istio emits statistics with the pattern `outbound|||`. - For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern. - - A Pattern can be composed of various pre-defined variables. The following variables are supported. - - - `%SERVICE%` - Will be substituted with short hostname of the service. - - `%SERVICE_NAME%` - Will be substituted with name of the service. - - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. - - `%SERVICE_PORT%` - Will be substituted with port of the service. - - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. - - `%SUBSET_NAME%` - Will be substituted with subset. - - Following are some examples of supported patterns for reviews: - - - `%SERVICE_FQDN%_%SERVICE_PORT%` will use `reviews.prod.svc.cluster.local_7443` as the stats name. - - `%SERVICE%` will use reviews.prod as the stats name. - type: string - outboundTrafficPolicy: - description: |- - Set the default behavior of the sidecar for handling outbound - traffic from the application. - - Can be overridden at a Sidecar level by setting the `OutboundTrafficPolicy` in the - [Sidecar API](https://istio.io/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy). - - Default mode is `ALLOW_ANY`, which means outbound traffic to unknown destinations will be allowed. - properties: - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - pathNormalization: - description: |- - ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are - normalized by the sidecars and gateways. 
- The normalized paths will be used in all aspects through the requests' lifetime on the - sidecars and gateways, which includes routing decisions in outbound direction (client proxy), - authorization policy match and enforcement in inbound direction (server proxy), and the URL - path proxied to the upstream service. - If not set, the NormalizationType.DEFAULT configuration will be used. - properties: - normalization: - enum: - - DEFAULT - - NONE - - BASE - - MERGE_SLASHES - - DECODE_AND_MERGE_SLASHES - type: string - type: object - protocolDetectionTimeout: - description: |- - Automatic protocol detection uses a set of heuristics to - determine whether the connection is using TLS or not (on the - server side), as well as the application protocol being used - (e.g., http vs tcp). These heuristics rely on the client sending - the first bits of data. For server first protocols like MySQL, - MongoDB, etc. Envoy will timeout on the protocol detection after - the specified period, defaulting to non mTLS plain TCP - traffic. Set this field to tweak the period that Envoy will wait - for the client to send the first bits of data. (MUST BE >=1ms or - 0s to disable). Default detection timeout is 0s (no timeout). - - Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit - occasionally, and when they occur the result is typically broken traffic that may not - recover on its own. Exceptionally high values might solve this, but injecting 60s delays - onto new connections is generally not tenable anyways. - type: string - proxyHttpPort: - description: Port on which Envoy should listen for HTTP PROXY - requests if set. - format: int32 - type: integer - proxyInboundListenPort: - description: |- - Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to. - Default port is 15006. 
- format: int32 - type: integer - proxyListenPort: - description: |- - Port on which Envoy should listen for all outbound traffic to other services. - Default port is 15001. - format: int32 - type: integer - rootNamespace: - description: |- - The namespace to treat as the administrative root namespace for - Istio configuration. When processing a leaf namespace Istio will search for - declarations in that namespace first and if none are found it will - search in the root namespace. Any matching declaration found in the root - namespace is processed as if it were declared in the leaf namespace. - - The precise semantics of this processing are documented on each resource - type. - type: string - serviceSettings: - description: Settings to be applied to select services. - items: - description: |- - Settings to be applied to select services. - - For example, the following configures all services in namespace "foo" as well as the - "bar" service in namespace "baz" to be considered cluster-local: - - ```yaml - serviceSettings: - - settings: - clusterLocal: true - hosts: - - "*.foo.svc.cluster.local" - - "bar.baz.svc.cluster.local" - - ``` - properties: - hosts: - description: |- - The services to which the Settings should be applied. Services are selected using the hostname - matching rules used by DestinationRule. - - For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local - items: - type: string - type: array - settings: - description: The settings to apply to the selected services. - properties: - clusterLocal: - description: |- - If true, specifies that the client and service endpoints must reside in the same cluster. - By default, in multi-cluster deployments, the Istio control plane assumes all service - endpoints to be reachable from any client in any of the clusters which are part of the - mesh. This configuration option limits the set of service endpoints visible to a client - to be cluster scoped. 
- - There are some common scenarios when this can be useful: - - - A service (or group of services) is inherently local to the cluster and has local storage - for that cluster. For example, the kube-system namespace (e.g. the Kube API Server). - - A mesh administrator wants to slowly migrate services to Istio. They might start by first - having services cluster-local and then slowly transition them to mesh-wide. They could do - this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group - (e.g. *.myns.svc.cluster.local). - - By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all - services in the kube-system namespace to be cluster-local, unless explicitly overridden here. - type: boolean - type: object - type: object - type: array - tcpKeepalive: - description: If set then set `SO_KEEPALIVE` on the socket - to enable TCP Keepalives. - properties: - interval: - description: |- - The time duration between keep-alive probes. - Default is to use the OS level configuration - (unless overridden, Linux defaults to 75s.) - type: string - probes: - description: |- - Maximum number of keepalive probes to send without response before - deciding the connection is dead. Default is to use the OS level configuration - (unless overridden, Linux defaults to 9.) - format: int32 - type: integer - time: - description: |- - The time duration a connection needs to be idle before keep-alive - probes start being sent. Default is to use the OS level configuration - (unless overridden, Linux defaults to 7200s (ie 2 hours.) - type: string - type: object - tlsDefaults: - description: |- - Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdhCurves and cipherSuites only. - For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. 
- properties: - cipherSuites: - description: |- - Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. - If not specified, the following cipher suites will be used: - ``` - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-GCM-SHA256 - ``` - items: - type: string - type: array - ecdhCurves: - description: |- - Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. - If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to - [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto). - items: - type: string - type: array - minProtocolVersion: - description: |- - Optional: the minimum TLS protocol version. The default minimum - TLS version will be TLS 1.2. As servers may not be Envoy and be - set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the - minimum TLS version for clients may also be TLS 1.2. - In the current Istio implementation, the maximum TLS protocol version - is TLS 1.3. - enum: - - TLS_AUTO - - TLSV1_2 - - TLSV1_3 - type: string - type: object - trustDomain: - description: |- - The trust domain corresponds to the trust root of a system. - Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain) - type: string - trustDomainAliases: - description: |- - The trust domain aliases represent the aliases of `trustDomain`. - For example, if we have - ```yaml - trustDomain: td1 - trustDomainAliases: ["td2", "td3"] - ``` - Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, - or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh. 
- items: - type: string - type: array - verifyCertificateAtClient: - description: |- - `VerifyCertificateAtClient` sets the mesh global default for peer certificate validation - at the client-side proxy when `SIMPLE` TLS or `MUTUAL` TLS (non `ISTIO_MUTUAL`) origination - modes are used. This setting can be overridden at the host level via DestinationRule API. - By default, `VerifyCertificateAtClient` is `true`. - - `CaCertificates`: If set, proxy verifies CA signature based on given CaCertificates. If unset, - and VerifyCertificateAtClient is true, proxy uses default System CA bundle. If unset and - `VerifyCertificateAtClient` is false, proxy will not verify the CA. - - `SubjectAltNames`: If set, proxy verifies subject alt names are present in the SAN. If unset, - and `VerifyCertificateAtClient` is true, proxy uses host in destination rule to verify the SANs. - If unset, and `VerifyCertificateAtClient` is false, proxy does not verify SANs. - - For SAN, client-side proxy will exact match host in `DestinationRule` as well as one level - wildcard if the specified host in DestinationRule doesn't contain a wildcard. - For example, if the host in `DestinationRule` is `x.y.com`, client-side proxy will - match either `x.y.com` or `*.y.com` for the SAN in the presented server certificate. - For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example, - if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches - “.x.y.com` suffix. - - Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. - type: boolean - type: object - pilot: - description: Configuration for the Pilot component. - properties: - affinity: - description: K8s affinity to set on the Pilot Pods. - properties: - nodeAffinity: - description: Describes node affinity scheduling rules - for the pod. 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node matches the corresponding matchExpressions; the - node(s) with the highest sum are the most preferred. - items: - description: |- - An empty preferred scheduling term matches all objects with implicit weight 0 - (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated - with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching - the corresponding nodeSelectorTerm, in the - range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. 
A list of node selector - terms. The terms are ORed. - items: - description: |- - A null or empty node selector term matches no objects. The requirements of - them are ANDed. - The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - properties: - matchExpressions: - description: A list of node selector requirements - by node's labels. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchFields: - description: A list of node selector requirements - by node's fields. - items: - description: |- - A node selector requirement is a selector that contains values, a key, and an operator - that relates the key and values. - properties: - key: - description: The label key that the - selector applies to. - type: string - operator: - description: |- - Represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: |- - An array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. If the operator is Gt or Lt, the values - array must have a single element, which will be interpreted as an integer. - This array is replaced during a strategic merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - type: object - x-kubernetes-map-type: atomic - type: array - x-kubernetes-list-type: atomic - required: - - nodeSelectorTerms - type: object - x-kubernetes-map-type: atomic - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. - for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. 
- properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
- Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. 
- format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. 
If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, - etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: |- - The scheduler will prefer to schedule pods to nodes that satisfy - the anti-affinity expressions specified by this field, but it may choose - a node that violates one or more of the expressions. The node that is - most preferred is the one with the greatest sum of weights, i.e. 
- for each node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, etc.), - compute a sum by iterating through the elements of this field and adding - "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. - null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. 
- The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: |- - weight associated with matching the corresponding podAffinityTerm, - in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - x-kubernetes-list-type: atomic - requiredDuringSchedulingIgnoredDuringExecution: - description: |- - If the anti-affinity requirements specified by this field are not met at - scheduling time, the pod will not be scheduled onto the node. - If the anti-affinity requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod label update), the - system may or may not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes corresponding to each - podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- items: - description: |- - Defines a set of pods (namely those matching the labelSelector - relative to the given namespace(s)) that this pod should be - co-located (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node whose value of - the label with key matches that of any node on which - a pod of the set of pods is running - properties: - labelSelector: - description: |- - A label query over a set of resources, in this case pods. - If it's null, this PodAffinityTerm matches with no Pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both matchLabelKeys and labelSelector. - Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - mismatchLabelKeys: - description: |- - MismatchLabelKeys is a set of pod label keys to select which pods will - be taken into consideration. The keys are used to lookup values from the - incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` - to select the group of existing pods which pods will be taken into consideration - for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming - pod labels will be ignored. The default value is empty. - The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. - Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - namespaceSelector: - description: |- - A label query over the set of namespaces that the term applies to. - The term is applied to the union of the namespaces selected by this field - and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list means "this pod's namespace". - An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: |- - namespaces specifies a static list of namespace names that the term applies to. - The term is applied to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. - null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - topologyKey: - description: |- - This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where co-located is defined as running on a node - whose value of the label with key topologyKey matches that of any node on which any of the - selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - autoscaleBehavior: - description: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior - properties: - scaleDown: - description: |- - scaleDown is scaling policy for scaling Down. - If not set, the default value is to allow to scale down to minReplicas pods, with a - 300 second stabilization window (i.e., the highest recommendation for - the last 300sec is used). - properties: - policies: - description: |- - policies is a list of potential scaling polices which can be used during scaling. - At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid - items: - description: HPAScalingPolicy is a single policy - which must hold true for a specified past interval. - properties: - periodSeconds: - description: |- - periodSeconds specifies the window of time for which the policy should hold true. - PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). - format: int32 - type: integer - type: - description: type is used to specify the scaling - policy. - type: string - value: - description: |- - value contains the amount of change which is permitted by the policy. 
- It must be greater than zero - format: int32 - type: integer - required: - - periodSeconds - - type - - value - type: object - type: array - x-kubernetes-list-type: atomic - selectPolicy: - description: |- - selectPolicy is used to specify which policy should be used. - If not set, the default value Max is used. - type: string - stabilizationWindowSeconds: - description: |- - stabilizationWindowSeconds is the number of seconds for which past recommendations should be - considered while scaling up or scaling down. - StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). - If not set, use the default values: - - For scale up: 0 (i.e. no stabilization is done). - - For scale down: 300 (i.e. the stabilization window is 300 seconds long). - format: int32 - type: integer - type: object - scaleUp: - description: |- - scaleUp is scaling policy for scaling Up. - If not set, the default value is the higher of: - * increase no more than 4 pods per 60 seconds - * double the number of pods per 60 seconds - No stabilization is used. - properties: - policies: - description: |- - policies is a list of potential scaling polices which can be used during scaling. - At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid - items: - description: HPAScalingPolicy is a single policy - which must hold true for a specified past interval. - properties: - periodSeconds: - description: |- - periodSeconds specifies the window of time for which the policy should hold true. - PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). - format: int32 - type: integer - type: - description: type is used to specify the scaling - policy. - type: string - value: - description: |- - value contains the amount of change which is permitted by the policy. 
- It must be greater than zero - format: int32 - type: integer - required: - - periodSeconds - - type - - value - type: object - type: array - x-kubernetes-list-type: atomic - selectPolicy: - description: |- - selectPolicy is used to specify which policy should be used. - If not set, the default value Max is used. - type: string - stabilizationWindowSeconds: - description: |- - stabilizationWindowSeconds is the number of seconds for which past recommendations should be - considered while scaling up or scaling down. - StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). - If not set, use the default values: - - For scale up: 0 (i.e. no stabilization is done). - - For scale down: 300 (i.e. the stabilization window is 300 seconds long). - format: int32 - type: integer - type: object - type: object - autoscaleEnabled: - description: Controls whether a HorizontalPodAutoscaler is - installed for Pilot. - type: boolean - autoscaleMax: - description: Maximum number of replicas in the HorizontalPodAutoscaler - for Pilot. - format: int32 - type: integer - autoscaleMin: - description: Minimum number of replicas in the HorizontalPodAutoscaler - for Pilot. - format: int32 - type: integer - cni: - description: Configures whether to use an existing CNI installation - for workloads - properties: - enabled: - description: Controls whether CNI should be used. - type: boolean - provider: - description: |- - Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an annotation - `k8s.v1.cni.cncf.io/networks` is set on injected pods to point to a NetworkAttachmentDefinition - type: string - type: object - configMap: - description: |- - Configuration settings passed to Pilot as a ConfigMap. - - This controls whether the mesh config map, generated from values.yaml is generated. - If false, pilot wil use default values or user-supplied values, in that order of preference. 
- type: boolean - cpu: - description: |- - Target CPU utilization used in HorizontalPodAutoscaler. - - See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - targetAverageUtilization: - description: |- - K8s utilization setting for HorizontalPodAutoscaler target. - - See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - format: int32 - type: integer - type: object - deploymentLabels: - additionalProperties: - type: string - description: |- - Labels that are added to Pilot deployment. - - See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - enabled: - description: Controls whether Pilot is enabled. - type: boolean - env: - additionalProperties: - type: string - description: "Environment variables passed to the Pilot container.\n\nExamples:\nenv:\n\n\tENV_VAR_1: - value1\n\tENV_VAR_2: value2" - type: object - extraContainerArgs: - description: Additional container arguments for the Pilot - container. - items: - type: string - type: array - hub: - description: Hub to pull the container image from. Image will - be `Hub/Image:Tag-Variant`. - type: string - image: - description: |- - Image name used for Pilot. - - This can be set either to image name if hub is also set, or can be set to the full hub:name string. - - Examples: custom-pilot, docker.io/someuser:custom-pilot - type: string - ipFamilies: - description: |- - Defines which IP family to use for single stack or the order of IP families for dual-stack. - Valid list items are "IPv4", "IPv6". - More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - items: - type: string - type: array - ipFamilyPolicy: - description: |- - Controls whether Services are configured to use IPv4, IPv6, or both. Valid options - are PreferDualStack, RequireDualStack, and SingleStack. 
- More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - type: string - istiodRemote: - description: Configuration for the istio-discovery chart when - istiod is running in a remote cluster (e.g. "remote control - plane"). - properties: - enabled: - description: Indicates if this cluster/install should - consume a "remote" istiod instance, - type: boolean - injectionCABundle: - description: injector ca bundle - type: string - injectionPath: - description: Path to use for the sidecar injector webhook - service. - type: string - injectionURL: - description: URL to use for sidecar injector webhook. - type: string - type: object - jwksResolverExtraRootCA: - description: |- - Specifies an extra root certificate in PEM format. This certificate will be trusted - by pilot when resolving JWKS URIs. - type: string - keepaliveMaxServerConnectionAge: - description: |- - Maximum duration that a sidecar can be connected to a pilot. - - This setting balances out load across pilot instances, but adds some resource overhead. - - Examples: 300s, 30m, 1h - type: string - memory: - description: |- - Target memory utilization used in HorizontalPodAutoscaler. - - See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - targetAverageUtilization: - description: |- - K8s utilization setting for HorizontalPodAutoscaler target. - - See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - format: int32 - type: integer - type: object - nodeSelector: - additionalProperties: - type: string - description: |- - K8s node selector. - - See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: object - podAnnotations: - additionalProperties: - type: string - description: |- - K8s annotations for pods. 
- - See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - type: object - podLabels: - additionalProperties: - type: string - description: |- - Labels that are added to Pilot pods. - - See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - type: object - replicaCount: - description: |- - Number of replicas in the Pilot Deployment. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - format: int32 - type: integer - resources: - description: |- - K8s resources settings. - - See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - rollingMaxSurge: - anyOf: - - type: integer - - type: string - description: |- - K8s rolling update strategy - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - x-kubernetes-int-or-string: true - rollingMaxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The number of pods that can be unavailable during a rolling update (see - `strategy.rollingUpdate.maxUnavailable` here: - https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). - May be specified as a number of pods or as a percent of the total number - of pods at the start of the update. - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. 
- x-kubernetes-int-or-string: true - seccompProfile: - description: |- - The seccompProfile for the Pilot container. - - See: https://kubernetes.io/docs/tutorials/security/seccomp/ - properties: - localhostProfile: - description: |- - localhostProfile indicates a profile defined in a file on the node should be used. - The profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's configured seccomp profile location. - Must be set if type is "Localhost". Must NOT be set for any other type. - type: string - type: - description: |- - type indicates which kind of seccomp profile will be applied. - Valid options are: - - Localhost - a profile defined in a file on the node should be used. - RuntimeDefault - the container runtime default profile should be used. - Unconfined - no profile should be applied. - type: string - required: - - type - type: object - serviceAccountAnnotations: - additionalProperties: - type: string - description: K8s annotations for the service account - type: object - serviceAnnotations: - additionalProperties: - type: string - description: |- - K8s annotations for the Service. - - See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - type: object - tag: - description: The container image tag to pull. Image will be - `Hub/Image:Tag-Variant`. - type: string - taint: - properties: - enabled: - description: |- - Enable the untaint controller for new nodes. This aims to solve a race for CNI installation on - new nodes. For this to work, the newly added nodes need to have the istio CNI taint as they are - added to the cluster. This is usually done by configuring the cluster infra provider. - type: boolean - namespace: - description: The namespace of the CNI daemonset, incase - it's not the same as istiod. 
- type: string - type: object - tolerations: - description: |- - The node tolerations to be applied to the Pilot deployment so that it can be - scheduled to particular nodes with matching taints. - More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - - Deprecated: Marked as deprecated in pkg/apis/values_types.proto. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: The k8s topologySpreadConstraints for the Pilot - pods. 
- items: - description: TopologySpreadConstraint specifies how to spread - matching pods among the given topology. - properties: - labelSelector: - description: |- - LabelSelector is used to find matching pods. - Pods that match this label selector are counted to determine the number of pods - in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - matchLabelKeys: - description: |- - MatchLabelKeys is a set of pod label keys to select the pods over which - spreading will be calculated. 
The keys are used to lookup values from the - incoming pod labels, those key-value labels are ANDed with labelSelector - to select the group of existing pods over which spreading will be calculated - for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. - MatchLabelKeys cannot be set when LabelSelector isn't set. - Keys that don't exist in the incoming pod labels will - be ignored. A null or empty list means only match against labelSelector. - - This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). - items: - type: string - type: array - x-kubernetes-list-type: atomic - maxSkew: - description: |- - MaxSkew describes the degree to which pods may be unevenly distributed. - When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference - between the number of matching pods in the target topology and the global minimum. - The global minimum is the minimum number of matching pods in an eligible domain - or zero if the number of eligible domains is less than MinDomains. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 2/2/1: - In this case, the global minimum is 1. - | zone1 | zone2 | zone3 | - | P P | P P | P | - - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; - scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) - violate MaxSkew(1). - - if MaxSkew is 2, incoming pod can be scheduled onto any zone. - When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence - to topologies that satisfy it. - It's a required field. Default value is 1 and 0 is not allowed. - format: int32 - type: integer - minDomains: - description: |- - MinDomains indicates a minimum number of eligible domains. 
- When the number of eligible domains with matching topology keys is less than minDomains, - Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. - And when the number of eligible domains with matching topology keys equals or greater than minDomains, - this value has no effect on scheduling. - As a result, when the number of eligible domains is less than minDomains, - scheduler won't schedule more than maxSkew Pods to those domains. - If value is nil, the constraint behaves as if MinDomains is equal to 1. - Valid values are integers greater than 0. - When value is not nil, WhenUnsatisfiable must be DoNotSchedule. - - For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same - labelSelector spread as 2/2/2: - | zone1 | zone2 | zone3 | - | P P | P P | P P | - The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. - In this situation, new pod with the same labelSelector cannot be scheduled, - because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, - it will violate MaxSkew. - format: int32 - type: integer - nodeAffinityPolicy: - description: |- - NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector - when calculating pod topology spread skew. Options are: - - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. - - If this value is nil, the behavior is equivalent to the Honor policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - nodeTaintsPolicy: - description: |- - NodeTaintsPolicy indicates how we will treat node taints when calculating - pod topology spread skew. 
Options are: - - Honor: nodes without taints, along with tainted nodes for which the incoming pod - has a toleration, are included. - - Ignore: node taints are ignored. All nodes are included. - - If this value is nil, the behavior is equivalent to the Ignore policy. - This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. - type: string - topologyKey: - description: |- - TopologyKey is the key of node labels. Nodes that have a label with this key - and identical values are considered to be in the same topology. - We consider each as a "bucket", and try to put balanced number - of pods into each bucket. - We define a domain as a particular instance of a topology. - Also, we define an eligible domain as a domain whose nodes meet the requirements of - nodeAffinityPolicy and nodeTaintsPolicy. - e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. - And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. - It's a required field. - type: string - whenUnsatisfiable: - description: |- - WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy - the spread constraint. - - DoNotSchedule (default) tells the scheduler not to schedule it. - - ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. - A constraint is considered "Unsatisfiable" for an incoming pod - if and only if every possible node assignment for that pod would violate - "MaxSkew" on some topology. - For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: - | zone1 | zone2 | zone3 | - | P P P | P | P | - If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled - to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler - won't make it *more* imbalanced. - It's a required field. - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - traceSampling: - description: |- - Trace sampling fraction. - - Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead. - - Allowed values: 0.0 to 1.0 - type: number - trustedZtunnelNamespace: - description: |- - If set, `istiod` will allow connections from trusted node proxy ztunnels - in the provided namespace. - type: string - variant: - description: The container image variant to pull. Options - are "debug" or "distroless". Unset will use the default - for the given version. - type: string - volumeMounts: - description: Additional volumeMounts to add to the Pilot container. - items: - description: VolumeMount describes a mounting of a Volume - within a container. - properties: - mountPath: - description: |- - Path within the container at which the volume should be mounted. Must - not contain ':'. - type: string - mountPropagation: - description: |- - mountPropagation determines how mounts are propagated from the host - to container and the other way around. - When not set, MountPropagationNone is used. - This field is beta in 1.10. - When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified - (which defaults to None). - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: |- - Mounted read-only if true, read-write otherwise (false or unspecified). - Defaults to false. - type: boolean - recursiveReadOnly: - description: |- - RecursiveReadOnly specifies whether read-only mounts should be handled - recursively. - - If ReadOnly is false, this field has no meaning and must be unspecified. 
- - If ReadOnly is true, and this field is set to Disabled, the mount is not made - recursively read-only. If this field is set to IfPossible, the mount is made - recursively read-only, if it is supported by the container runtime. If this - field is set to Enabled, the mount is made recursively read-only if it is - supported by the container runtime, otherwise the pod will not be started and - an error will be generated to indicate the reason. - - If this field is set to IfPossible or Enabled, MountPropagation must be set to - None (or be unspecified, which defaults to None). - - If this field is not specified, it is treated as an equivalent of Disabled. - type: string - subPath: - description: |- - Path within the volume from which the container's volume should be mounted. - Defaults to "" (volume's root). - type: string - subPathExpr: - description: |- - Expanded path within the volume from which the container's volume should be mounted. - Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. - Defaults to "" (volume's root). - SubPathExpr and SubPath are mutually exclusive. - type: string - required: - - mountPath - - name - type: object - type: array - volumes: - description: Additional volumes to add to the Pilot Pod. - items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: |- - awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - format: int32 - type: integer - readOnly: - description: |- - readOnly value true will force the readOnly setting in VolumeMounts. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: boolean - volumeID: - description: |- - volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - type: string - required: - - volumeID - type: object - azureDisk: - description: azureDisk represents an Azure Data Disk - mount on the host and bind mount to the pod. - properties: - cachingMode: - description: 'cachingMode is the Host Caching mode: - None, Read Only, Read Write.' - type: string - diskName: - description: diskName is the Name of the data disk - in the blob storage - type: string - diskURI: - description: diskURI is the URI of data disk in - the blob storage - type: string - fsType: - default: ext4 - description: |- - fsType is Filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'kind expected values are Shared: multiple - blob disks per storage account Dedicated: single - blob disk per storage account Managed: azure - managed data disk (only in managed availability - set). defaults to shared' - type: string - readOnly: - default: false - description: |- - readOnly Defaults to false (read/write). 
ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: azureFile represents an Azure File Service - mount on the host and bind mount to the pod. - properties: - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretName: - description: secretName is the name of secret that - contains Azure Storage Account Name and Key - type: string - shareName: - description: shareName is the azure share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: cephFS represents a Ceph FS mount on the - host that shares a pod's lifetime - properties: - monitors: - description: |- - monitors is Required: Monitors is a collection of Ceph monitors - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - path: - description: 'path is Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' - type: string - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: boolean - secretFile: - description: |- - secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - secretRef: - description: |- - secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - description: |- - user is optional: User is the rados user name, default is admin - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it - type: string - required: - - monitors - type: object - cinder: - description: |- - cinder represents a cinder volume attached and mounted on kubelets host machine. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: boolean - secretRef: - description: |- - secretRef is optional: points to a secret object containing parameters used to connect - to OpenStack. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeID: - description: |- - volumeID used to identify the volume in cinder. 
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md - type: string - required: - - volumeID - type: object - configMap: - description: configMap represents a configMap that should - populate this volume - properties: - defaultMode: - description: |- - defaultMode is optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether the ConfigMap - or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - csi: - description: csi (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers (Beta feature). - properties: - driver: - description: |- - driver is the name of the CSI driver that handles this volume. - Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: |- - fsType to mount. Ex. "ext4", "xfs", "ntfs". - If not provided, the empty value is passed to the associated CSI driver - which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: |- - nodePublishSecretRef is a reference to the secret object containing - sensitive information to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no secret is required. If the - secret object contains more than one secret, all secret references are passed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - readOnly: - description: |- - readOnly specifies a read-only configuration for the volume. - Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: |- - volumeAttributes stores driver-specific properties that are passed to the CSI - driver. Consult your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: downwardAPI represents downward API about - the pod that should populate this volume - properties: - defaultMode: - description: |- - Optional: mode bits to use on created files by default. Must be a - Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: Items is a list of downward API volume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing the - pod field - properties: - fieldRef: - description: 'Required: Selects a field of - the pod: only annotations, labels, name, - namespace and uid are supported.' - properties: - apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". - type: string - fieldPath: - description: Path of the field to select - in the specified API version. 
- type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. - Must be utf-8 encoded. The first item of - the relative path must not start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. - properties: - containerName: - description: 'Container name: required - for volumes, optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - emptyDir: - description: |- - emptyDir represents a temporary directory that shares a pod's lifetime. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - properties: - medium: - description: |- - medium represents what type of storage medium should back this directory. 
- The default is "" which means to use the node's default medium. - Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - description: |- - sizeLimit is the total amount of local storage required for this EmptyDir volume. - The size limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir would be the minimum value between - the SizeLimit specified here and the sum of memory limits of all containers in a pod. - The default is nil which means that the limit is undefined. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - description: |- - ephemeral represents a volume that is handled by a cluster storage driver. - The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, - and deleted when the pod is removed. - - Use this if: - a) the volume is only needed while the pod runs, - b) features of normal volumes like restoring from snapshot or capacity - tracking are needed, - c) the storage driver is specified through a storage class, and - d) the storage driver supports dynamic volume provisioning through - a PersistentVolumeClaim (see EphemeralVolumeSource for more - information on the connection between this volume type - and PersistentVolumeClaim). - - Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the lifecycle - of an individual pod. - - Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to - be used that way - see the documentation of the driver for - more information. - - A pod can use both types of ephemeral volumes and - persistent volumes at the same time. 
- properties: - volumeClaimTemplate: - description: |- - Will be used to create a stand-alone PVC to provision the volume. - The pod in which this EphemeralVolumeSource is embedded will be the - owner of the PVC, i.e. the PVC will be deleted together with the - pod. The name of the PVC will be `-` where - `` is the name from the `PodSpec.Volumes` array - entry. Pod validation will reject the pod if the concatenated name - is not valid for a PVC (for example, too long). - - An existing PVC with that name that is not owned by the pod - will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC is - meant to be used by the pod, the PVC has to updated with an - owner reference to the pod once the pod exists. Normally - this should not be necessary, but it may be useful when - manually reconstructing a broken cluster. - - This field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. - - Required, must not be nil. - properties: - metadata: - description: |- - May contain labels and annotations that will be copied into the PVC - when creating it. No other fields are allowed and will be rejected during - validation. - type: object - spec: - description: |- - The specification for the PersistentVolumeClaim. The entire content is - copied unchanged into the PVC that gets created from this - template. The same fields as in a PersistentVolumeClaim - are also valid here. - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. 
For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource - being referenced - type: string - name: - description: Name is the name of resource - being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. 
- type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over - volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. 
- properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. 
- If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference - to the PersistentVolume backing this claim. - type: string - type: object - required: - - spec - type: object - type: object - fc: - description: fc represents a Fibre Channel resource - that is attached to a kubelet's host machine and then - exposed to the pod. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - lun: - description: 'lun is Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: |- - readOnly is Optional: Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - targetWWNs: - description: 'targetWWNs is Optional: FC target - worldwide names (WWNs)' - items: - type: string - type: array - x-kubernetes-list-type: atomic - wwids: - description: |- - wwids Optional: FC volume world wide identifiers (wwids) - Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - flexVolume: - description: |- - flexVolume represents a generic volume resource that is - provisioned/attached using an exec based plugin. - properties: - driver: - description: driver is the name of the driver to - use for this volume. - type: string - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. - type: string - options: - additionalProperties: - type: string - description: 'options is Optional: this field holds - extra command options if any.' - type: object - readOnly: - description: |- - readOnly is Optional: defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef is Optional: secretRef is reference to the secret object containing - sensitive information to pass to the plugin scripts. This may be - empty if no secret object is specified. If the secret object - contains more than one secret, all secrets are passed to the plugin - scripts. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - driver - type: object - flocker: - description: flocker represents a Flocker volume attached - to a kubelet's host machine. 
This depends on the Flocker - control service being running - properties: - datasetName: - description: |- - datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker - should be considered as deprecated - type: string - datasetUUID: - description: datasetUUID is the UUID of the dataset. - This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: |- - gcePersistentDisk represents a GCE Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - properties: - fsType: - description: |- - fsType is filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - partition: - description: |- - partition is the partition in the volume that you want to mount. - If omitted, the default is to mount by volume name. - Examples: For volume /dev/sda1, you specify the partition as "1". - Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - format: int32 - type: integer - pdName: - description: |- - pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - type: boolean - required: - - pdName - type: object - gitRepo: - description: |- - gitRepo represents a git repository at a particular revision. - DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir - into the Pod's container. - properties: - directory: - description: |- - directory is the target directory name. - Must not contain or start with '..'. If '.' is supplied, the volume directory will be the - git repository. Otherwise, if specified, the volume will contain the git repository in - the subdirectory with the given name. - type: string - repository: - description: repository is the URL - type: string - revision: - description: revision is the commit hash for the - specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: |- - glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. - More info: https://examples.k8s.io/volumes/glusterfs/README.md - properties: - endpoints: - description: |- - endpoints is the endpoint name that details Glusterfs topology. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - path: - description: |- - path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: string - readOnly: - description: |- - readOnly here will force the Glusterfs volume to be mounted with read-only permissions. - Defaults to false. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: |- - hostPath represents a pre-existing file or directory on the host - machine that is directly exposed to the container. 
This is generally - used for system agents or other privileged things that are allowed - to see the host machine. Most containers will NOT need this. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - properties: - path: - description: |- - path of the directory on the host. - If the path is a symlink, it will follow the link to the real path. - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - type: - description: |- - type for HostPath Volume - Defaults to "" - More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - type: string - required: - - path - type: object - image: - description: |- - image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. - The volume is resolved at pod startup depending on which PullPolicy value is provided: - - - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - - The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. - A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. - The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. 
- The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. - The volume will be mounted read-only (ro) and non-executable files (noexec). - Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). - The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. - properties: - pullPolicy: - description: |- - Policy for pulling OCI objects. Possible values are: - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. - Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - type: string - reference: - description: |- - Required: Image or artifact reference to be used. - Behaves in the same way as pod.spec.containers[*].image. - Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. - More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config management to default or override - container images in workload controllers like Deployments and StatefulSets. - type: string - type: object - iscsi: - description: |- - iscsi represents an ISCSI Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. 
- More info: https://examples.k8s.io/volumes/iscsi/README.md - properties: - chapAuthDiscovery: - description: chapAuthDiscovery defines whether support - iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: chapAuthSession defines whether support - iSCSI Session CHAP authentication - type: boolean - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - type: string - initiatorName: - description: |- - initiatorName is the custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface - : will be created for the connection. - type: string - iqn: - description: iqn is the target iSCSI Qualified Name. - type: string - iscsiInterface: - default: default - description: |- - iscsiInterface is the interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). - type: string - lun: - description: lun represents iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: |- - portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - x-kubernetes-list-type: atomic - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - type: boolean - secretRef: - description: secretRef is the CHAP Secret for iSCSI - target and initiator authentication - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - targetPortal: - description: |- - targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port - is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: |- - name of the volume. - Must be a DNS_LABEL and unique within the pod. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - nfs: - description: |- - nfs represents an NFS mount on the host that shares a pod's lifetime - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - properties: - path: - description: |- - path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - readOnly: - description: |- - readOnly here will force the NFS export to be mounted with read-only permissions. - Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: boolean - server: - description: |- - server is the hostname or IP address of the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: |- - persistentVolumeClaimVolumeSource represents a reference to a - PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - claimName: - description: |- - claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. 
- More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - type: string - readOnly: - description: |- - readOnly Will force the ReadOnly setting in VolumeMounts. - Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: photonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host - machine - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: pdID is the ID that identifies Photon - Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: portworxVolume represents a portworx volume - attached and mounted on kubelets host machine - properties: - fsType: - description: |- - fSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - volumeID: - description: volumeID uniquely identifies a Portworx - volume - type: string - required: - - volumeID - type: object - projected: - description: projected items for all in one resources - secrets, configmaps, and downward API - properties: - defaultMode: - description: |- - defaultMode are the mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - Directories within the path are not affected by this setting. 
- This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: |- - sources is the list of volume projections. Each entry in this list - handles one source. - items: - description: |- - Projection that may be projected along with other supported volume types. - Exactly one of these fields must be set. - properties: - clusterTrustBundle: - description: |- - ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field - of ClusterTrustBundle objects in an auto-updating file. - - Alpha, gated by the ClusterTrustBundleProjection feature gate. - - ClusterTrustBundle objects can either be selected by name, or by the - combination of signer name and a label selector. - - Kubelet performs aggressive normalization of the PEM contents written - into the pod filesystem. Esoteric PEM features such as inter-block - comments and block headers are stripped. Certificates are deduplicated. - The ordering of certificates within the file is arbitrary, and Kubelet - may change the order over time. - properties: - labelSelector: - description: |- - Select all ClusterTrustBundles that match this label selector. Only has - effect if signerName is set. Mutually-exclusive with name. If unset, - interpreted as "match nothing". If set but empty, interpreted as "match - everything". - properties: - matchExpressions: - description: matchExpressions is a - list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label - key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: |- - Select a single ClusterTrustBundle by object name. Mutually-exclusive - with signerName and labelSelector. - type: string - optional: - description: |- - If true, don't block pod startup if the referenced ClusterTrustBundle(s) - aren't available. If using name, then the named ClusterTrustBundle is - allowed not to exist. If using signerName, then the combination of - signerName and labelSelector is allowed to match zero - ClusterTrustBundles. - type: boolean - path: - description: Relative path from the volume - root to write the bundle. - type: string - signerName: - description: |- - Select all ClusterTrustBundles that match this signer name. - Mutually-exclusive with name. The contents of all selected - ClusterTrustBundles will be unified and deduplicated. 
- type: string - required: - - path - type: object - configMap: - description: configMap information about the - configMap data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - ConfigMap will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the ConfigMap, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a - path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional specify whether - the ConfigMap or its keys must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - downwardAPI: - description: downwardAPI information about - the downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume - file - items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field - properties: - fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name, namespace and uid - are supported.' - properties: - apiVersion: - description: Version of the - schema the FieldPath is written - in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - mode: - description: |- - Optional: mode bits used to set permissions on this file, must be an octal value - between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. The first item - of the relative path must not - start with ''..''' - type: string - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. 
- properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - required: - - path - type: object - type: array - x-kubernetes-list-type: atomic - type: object - secret: - description: secret information about the - secret data to project - properties: - items: - description: |- - items if unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a - path within a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. 
- format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: optional field specify whether - the Secret or its key must be defined - type: boolean - type: object - x-kubernetes-map-type: atomic - serviceAccountToken: - description: serviceAccountToken is information - about the serviceAccountToken data to project - properties: - audience: - description: |- - audience is the intended audience of the token. A recipient of a token - must identify itself with an identifier specified in the audience of the - token, and otherwise should reject the token. The audience defaults to the - identifier of the apiserver. - type: string - expirationSeconds: - description: |- - expirationSeconds is the requested duration of validity of the service - account token. As the token approaches expiration, the kubelet volume - plugin will proactively rotate the service account token. The kubelet will - start trying to rotate the token if the token is older than 80 percent of - its time to live or if the token is older than 24 hours.Defaults to 1 hour - and must be at least 10 minutes. - format: int64 - type: integer - path: - description: |- - path is the path relative to the mount point of the file to project the - token into. 
- type: string - required: - - path - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - quobyte: - description: quobyte represents a Quobyte mount on the - host that shares a pod's lifetime - properties: - group: - description: |- - group to map volume access to - Default is no group - type: string - readOnly: - description: |- - readOnly here will force the Quobyte volume to be mounted with read-only permissions. - Defaults to false. - type: boolean - registry: - description: |- - registry represents a single or multiple Quobyte Registry services - specified as a string as host:port pair (multiple entries are separated with commas) - which acts as the central registry for volumes - type: string - tenant: - description: |- - tenant owning the given Quobyte volume in the Backend - Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: |- - user to map volume access to - Defaults to serivceaccount user - type: string - volume: - description: volume is a string that references - an already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: |- - rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. - More info: https://examples.k8s.io/volumes/rbd/README.md - properties: - fsType: - description: |- - fsType is the filesystem type of the volume that you want to mount. - Tip: Ensure that the filesystem type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - type: string - image: - description: |- - image is the rados image name. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - keyring: - default: /etc/ceph/keyring - description: |- - keyring is the path to key ring for RBDUser. 
- Default is /etc/ceph/keyring. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - monitors: - description: |- - monitors is a collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - items: - type: string - type: array - x-kubernetes-list-type: atomic - pool: - default: rbd - description: |- - pool is the rados pool name. - Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - readOnly: - description: |- - readOnly here will force the ReadOnly setting in VolumeMounts. - Defaults to false. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: boolean - secretRef: - description: |- - secretRef is name of the authentication secret for RBDUser. If provided - overrides keyring. - Default is nil. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - user: - default: admin - description: |- - user is the rados user name. - Default is admin. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it - type: string - required: - - image - - monitors - type: object - scaleIO: - description: scaleIO represents a ScaleIO persistent - volume attached and mounted on Kubernetes nodes. - properties: - fsType: - default: xfs - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". - Default is "xfs". 
- type: string - gateway: - description: gateway is the host address of the - ScaleIO API Gateway. - type: string - protectionDomain: - description: protectionDomain is the name of the - ScaleIO Protection Domain for the configured storage. - type: string - readOnly: - description: |- - readOnly Defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef references to the secret for ScaleIO user and other - sensitive information. If this is not provided, Login operation will fail. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - sslEnabled: - description: sslEnabled Flag enable/disable SSL - communication with Gateway, default false - type: boolean - storageMode: - default: ThinProvisioned - description: |- - storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. - type: string - storagePool: - description: storagePool is the ScaleIO Storage - Pool associated with the protection domain. - type: string - system: - description: system is the name of the storage system - as configured in ScaleIO. - type: string - volumeName: - description: |- - volumeName is the name of a volume already created in the ScaleIO system - that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: |- - secret represents a secret that should populate this volume. 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - properties: - defaultMode: - description: |- - defaultMode is Optional: mode bits used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values - for mode bits. Defaults to 0644. - Directories within the path are not affected by this setting. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - items: - description: |- - items If unspecified, each key-value pair in the Data field of the referenced - Secret will be projected into the volume as a file whose name is the - key and content is the value. If specified, the listed keys will be - projected into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in the Secret, - the volume setup will error unless it is marked optional. Paths must be - relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within - a volume. - properties: - key: - description: key is the key to project. - type: string - mode: - description: |- - mode is Optional: mode bits used to set permissions on this file. - Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. - If not specified, the volume defaultMode will be used. - This might be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - path: - description: |- - path is the relative path of the file to map the key to. - May not be an absolute path. - May not contain the path element '..'. - May not start with the string '..'. 
- type: string - required: - - key - - path - type: object - type: array - x-kubernetes-list-type: atomic - optional: - description: optional field specify whether the - Secret or its keys must be defined - type: boolean - secretName: - description: |- - secretName is the name of the secret in the pod's namespace to use. - More info: https://kubernetes.io/docs/concepts/storage/volumes#secret - type: string - type: object - storageos: - description: storageOS represents a StorageOS volume - attached and mounted on Kubernetes nodes. - properties: - fsType: - description: |- - fsType is the filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: |- - readOnly defaults to false (read/write). ReadOnly here will force - the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: |- - secretRef specifies the secret to use for obtaining the StorageOS API - credentials. If not specified, default values will be attempted. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - volumeName: - description: |- - volumeName is the human-readable name of the StorageOS volume. Volume - names are only unique within a namespace. - type: string - volumeNamespace: - description: |- - volumeNamespace specifies the scope of the volume within StorageOS. If no - namespace is specified then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS for tighter integration. 
- Set VolumeName to any name to override the default behaviour. - Set to "default" if you are not using namespaces within StorageOS. - Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: vsphereVolume represents a vSphere volume - attached and mounted on kubelets host machine - properties: - fsType: - description: |- - fsType is filesystem type to mount. - Must be a filesystem type supported by the host operating system. - Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: storagePolicyID is the storage Policy - Based Management (SPBM) profile ID associated - with the StoragePolicyName. - type: string - storagePolicyName: - description: storagePolicyName is the storage Policy - Based Management (SPBM) profile name. - type: string - volumePath: - description: volumePath is the path that identifies - vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - type: object - profile: - description: Specifies which installation configuration profile - to apply. - type: string - revision: - description: Identifies the revision this installation is associated - with. - type: string - revisionTags: - description: |- - Specifies the aliases for the Istio control plane revision. A MutatingWebhookConfiguration - is created for each alias. - items: - type: string - type: array - sidecarInjectorWebhook: - description: Configuration for the sidecar injector webhook. - properties: - alwaysInjectSelector: - description: See NeverInjectSelector. - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - defaultTemplates: - description: 'defaultTemplates: ["sidecar", "hello"]' - items: - type: string - type: array - enableNamespacesByDefault: - description: Enables sidecar auto-injection in namespaces - by default. - type: boolean - injectedAnnotations: - additionalProperties: - type: string - description: |- - injectedAnnotations are additional annotations that will be added to the pod spec after injection - This is primarily to support PSP annotations. 
- type: object - injectionURL: - description: Configure the injection url for sidecar injector - webhook - type: string - neverInjectSelector: - description: |- - Instructs Istio to not inject the sidecar on those pods, based on labels that are present in those pods. - - Annotations in the pods have higher precedence than the label selectors. - Order of evaluation: Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy. - See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - items: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: array - reinvocationPolicy: - description: 'Setting this to `IfNeeded` will result in the - sidecar injector being run again if additional mutations - occur. Default: Never' - type: string - rewriteAppHTTPProbe: - description: If true, webhook or istioctl injector will rewrite - PodSpec for liveness health check to redirect request to - sidecar. This makes liveness check work even when mTLS is - enabled. - type: boolean - templates: - additionalProperties: - type: string - description: "Templates defines a set of custom injection - templates that can be used. For example, defining:\n\ntemplates:\n\n\thello: - |\n\t metadata:\n\t labels:\n\t hello: world\n\nThen - starting a pod with the `inject.istio.io/templates: hello` - annotation, will result in the pod\nbeing injected with - the hello=world labels.\nThis is intended for advanced configuration - only; most users should use the built in template" - type: object - type: object - telemetry: - description: Controls whether telemetry is exported for Pilot. - properties: - enabled: - description: Controls whether telemetry is exported for Pilot. - type: boolean - v2: - description: Configuration for Telemetry v2. - properties: - enabled: - description: Controls whether pilot will configure telemetry - v2. - type: boolean - prometheus: - description: Telemetry v2 settings for prometheus. - properties: - enabled: - description: Controls whether stats envoyfilter would - be enabled or not. - type: boolean - type: object - stackdriver: - description: Telemetry v2 settings for stackdriver. 
- properties: - enabled: - type: boolean - type: object - type: object - type: object - type: object - version: - default: v1.23.2 - description: |- - Defines the version of Istio to install. - Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. - enum: - - v1.23.2 - - v1.22.5 - - v1.21.6 - - latest - type: string - required: - - namespace - - version - type: object - x-kubernetes-validations: - - message: spec.values.global.istioNamespace must match spec.namespace - rule: '!has(self.values) || !has(self.values.global) || !has(self.values.global.istioNamespace) - || self.values.global.istioNamespace == self.__namespace__' - status: - description: RemoteIstioStatus defines the observed state of RemoteIstio - properties: - activeRevisionName: - description: The name of the active revision. - type: string - conditions: - description: Represents the latest available observations of the object's - current state. - items: - description: RemoteIstioCondition represents a specific observation - of the RemoteIstioCondition object's state. - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - the last transition. - type: string - reason: - description: Unique, single-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: The status of this condition. Can be True, False - or Unknown. - type: string - type: - description: The type of this condition. - type: string - type: object - type: array - observedGeneration: - description: |- - ObservedGeneration is the most recent generation observed for this - RemoteIstio object. It corresponds to the object's generation, which is - updated on mutation by the API Server. The information in the status - pertains to this particular generation of the object. 
- format: int64 - type: integer - revisions: - description: Reports information about the underlying IstioRevisions. - properties: - inUse: - description: Number of IstioRevisions that are currently in use. - format: int32 - type: integer - ready: - description: Number of IstioRevisions that are Ready. - format: int32 - type: integer - total: - description: Total number of IstioRevisions currently associated - with this Istio. - format: int32 - type: integer - required: - - inUse - - ready - - total - type: object - state: - description: Reports the current state of the object. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/chart/samples/remoteistio-sample.yaml b/chart/samples/remoteistio-sample.yaml deleted file mode 100644 index 66407f939..000000000 --- a/chart/samples/remoteistio-sample.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: RemoteIstio -metadata: - name: default -spec: - version: latest - namespace: istio-system - updateStrategy: - type: InPlace - inactiveRevisionDeletionGracePeriodSeconds: 30 - values: - istiodRemote: - injectionPath: /inject/cluster/cluster2/net/network1 - global: - remotePilotAddress: 1.2.3.4 \ No newline at end of file diff --git a/cmd/main.go b/cmd/main.go index d713a8131..1d8b4cac2 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -23,7 +23,6 @@ import ( "github.com/istio-ecosystem/sail-operator/controllers/istio" "github.com/istio-ecosystem/sail-operator/controllers/istiocni" "github.com/istio-ecosystem/sail-operator/controllers/istiorevision" - "github.com/istio-ecosystem/sail-operator/controllers/remoteistio" "github.com/istio-ecosystem/sail-operator/controllers/webhook" "github.com/istio-ecosystem/sail-operator/pkg/config" "github.com/istio-ecosystem/sail-operator/pkg/enqueuelogger" 
@@ -144,13 +143,6 @@ func main() {
 os.Exit(1)
 }
 
-err = remoteistio.NewReconciler(reconcilerCfg, mgr.GetClient(), mgr.GetScheme()).
-SetupWithManager(mgr)
-if err != nil {
-setupLog.Error(err, "unable to create controller", "controller", "RemoteIstio")
-os.Exit(1)
-}
-
 err = istiorevision.NewReconciler(reconcilerCfg, mgr.GetClient(), mgr.GetScheme(), chartManager).
 SetupWithManager(mgr)
 if err != nil {
diff --git a/controllers/istio/istio_controller.go b/controllers/istio/istio_controller.go
index 24043a2ec..b013c9bf1 100644
--- a/controllers/istio/istio_controller.go
+++ b/controllers/istio/istio_controller.go
@@ -115,7 +115,6 @@ func (r *Reconciler) reconcileActiveRevision(ctx context.Context, istio *v1alpha
 
 return revision.CreateOrUpdate(ctx, r.Client,
 getActiveRevisionName(istio),
-v1alpha1.IstioRevisionTypeLocal,
 istio.Spec.Version, istio.Spec.Namespace, values,
 metav1.OwnerReference{
 APIVersion: v1alpha1.GroupVersion.String(),
@@ -324,6 +323,8 @@ func convertConditionReason(reason v1alpha1.IstioRevisionConditionReason) v1alph
 return v1alpha1.IstioReasonReadinessCheckFailed
 case v1alpha1.IstioRevisionReasonReconcileError:
 return v1alpha1.IstioReasonReconcileError
+case v1alpha1.IstioRevisionReasonRemoteIstiodNotReady:
+return v1alpha1.IstioReasonRemoteIstiodNotReady
 default:
 panic(fmt.Sprintf("can't convert IstioRevisionConditionReason: %s", reason))
 }
diff --git a/controllers/istiorevision/istiorevision_controller.go b/controllers/istiorevision/istiorevision_controller.go
index 13d162684..fb022237c 100644
--- a/controllers/istiorevision/istiorevision_controller.go
+++ b/controllers/istiorevision/istiorevision_controller.go
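Review bot: The new `case v1alpha1.IstioRevisionReasonRemoteIstiodNotReady:` extends a switch whose `default:` still panics, and the value being converted is read back from an IstioRevision status that may have been written by a different operator build; during a rolling upgrade an unrecognized reason string would take the whole manager process down rather than marking a single Istio as unhealthy. Since the added mapping shows the set of reasons is still growing, consider having the default carry the unknown reason through to the Istio reason type (they appear to be string-typed) and surface it in the condition message instead of panicking, or add a comment on the `default:` branch stating why a crash is the intended response. The body of `convertConditionReason` starts outside this hunk.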
@@ -31,6 +31,7 @@ import (
 "github.com/istio-ecosystem/sail-operator/pkg/helm"
 "github.com/istio-ecosystem/sail-operator/pkg/kube"
 "github.com/istio-ecosystem/sail-operator/pkg/reconciler"
+"github.com/istio-ecosystem/sail-operator/pkg/revision"
 "github.com/istio-ecosystem/sail-operator/pkg/validation"
 admissionv1 "k8s.io/api/admissionregistration/v1"
 appsv1 "k8s.io/api/apps/v1"
@@ -61,8 +62,7 @@ const (
 IstioRevLabel = "istio.io/rev"
 IstioSidecarInjectLabel = "sidecar.istio.io/inject"
 
-istiodChartName = "istiod"
-istiodRemoteChartName = "istiod-remote"
+istiodChartName = "istiod"
 )
 
 // Reconciler reconciles an IstioRevision object
@@ -128,9 +128,6 @@ func (r *Reconciler) Finalize(ctx context.Context, rev *v1alpha1.IstioRevision)
 }
 
 func (r *Reconciler) validate(ctx context.Context, rev *v1alpha1.IstioRevision) error {
-if rev.Spec.Type == "" {
-return reconciler.NewValidationError("spec.type not set")
-}
 if rev.Spec.Version == "" {
 return reconciler.NewValidationError("spec.version not set")
 }
@@ -172,33 +169,22 @@ func (r *Reconciler) installHelmCharts(ctx context.Context, rev *v1alpha1.IstioR _, err := r.ChartManager.UpgradeOrInstallChart(ctx, r.getChartDir(rev), values, rev.Spec.Namespace, getReleaseName(rev), ownerReference) if err != nil { - return fmt.Errorf("failed to install/update Helm chart %q: %w", getChartName(rev), err) + return fmt.Errorf("failed to install/update Helm chart %q: %w", istiodChartName, err) } return nil } func getReleaseName(rev *v1alpha1.IstioRevision) string { - return fmt.Sprintf("%s-%s", rev.Name, getChartName(rev)) + return fmt.Sprintf("%s-%s", rev.Name, istiodChartName) } func (r *Reconciler) getChartDir(rev *v1alpha1.IstioRevision) string { - return path.Join(r.Config.ResourceDirectory, rev.Spec.Version, "charts", getChartName(rev)) -} - -func getChartName(rev *v1alpha1.IstioRevision) string { - switch rev.Spec.Type { - case v1alpha1.IstioRevisionTypeLocal: - return istiodChartName - case v1alpha1.IstioRevisionTypeRemote: - return istiodRemoteChartName - default: - panic(badIstioRevisionType(rev)) - } + return path.Join(r.Config.ResourceDirectory, rev.Spec.Version, "charts", istiodChartName) } func (r *Reconciler) uninstallHelmCharts(ctx context.Context, rev *v1alpha1.IstioRevision) error { if _, err := r.ChartManager.UninstallChart(ctx, getReleaseName(rev), rev.Spec.Namespace); err != nil { - return fmt.Errorf("failed to uninstall Helm chart %q: %w", getChartName(rev), err) + return fmt.Errorf("failed to uninstall Helm chart %q: %w", istiodChartName, err) } return nil } @@ -332,8 +318,7 @@ func (r *Reconciler) determineReadyCondition(ctx context.Context, rev *v1alpha1. Status: metav1.ConditionFalse, } - switch rev.Spec.Type { - case v1alpha1.IstioRevisionTypeLocal: + if !revision.IsUsingRemoteControlPlane(rev) { istiod := appsv1.Deployment{} if err := r.Client.Get(ctx, istiodDeploymentKey(rev), &istiod); err == nil { if istiod.Status.Replicas == 0 { 
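Review bot: `getReleaseName` now always returns `<rev.Name>-istiod`, but a revision that was installed as a remote one before this change has its Helm release under `<rev.Name>-istiod-remote` (the removed `getChartName` branch used `istiodRemoteChartName`), a name that neither `installHelmCharts` nor `uninstallHelmCharts` will look up again. On an operator upgrade that leaves the legacy release and its resources orphaned and installs a second release next to it, and a later deletion of the IstioRevision only uninstalls the new one. If that migration is handled somewhere not visible here, a comment on `getReleaseName` saying so would help; otherwise an explicit uninstall of the legacy release name before the install looks necessary. The body of `installHelmCharts` starts outside this hunk.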
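Review bot: The replacement branch is written as a negated condition, `if !revision.IsUsingRemoteControlPlane(rev) {`, with the remote case carried by an `else` that sits far below in a separate hunk; flipping it to `if revision.IsUsingRemoteControlPlane(rev) {` with the webhook check first and the istiod deployment check in the `else` would read more directly. A one-line comment on what `IsUsingRemoteControlPlane` keys off would also help, since the old `spec.type` discriminator is gone and the test file in this commit only suggests it is the `remote` profile in values. `determineReadyCondition` starts before and ends after this hunk.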
@@ -354,7 +339,7 @@ func (r *Reconciler) determineReadyCondition(ctx context.Context, rev *v1alpha1.
 c.Message = fmt.Sprintf("failed to get readiness: %v", err)
 return c, fmt.Errorf("get failed: %w", err)
 }
-case v1alpha1.IstioRevisionTypeRemote:
+} else {
 webhook := admissionv1.MutatingWebhookConfiguration{}
 webhookKey := injectionWebhookKey(rev)
 if err := r.Client.Get(ctx, webhookKey, &webhook); err == nil {
@@ -378,8 +363,6 @@ func (r *Reconciler) determineReadyCondition(ctx context.Context, rev *v1alpha1.
 c.Message = fmt.Sprintf("failed to get readiness: %v", err)
 return c, fmt.Errorf("get failed: %w", err)
 }
-default:
-panic(badIstioRevisionType(rev))
 }
 return c, nil
 }
@@ -610,10 +593,6 @@ func clearIgnoredFields(obj client.Object) {
 }
 }
 
-func badIstioRevisionType(rev *v1alpha1.IstioRevision) string {
-return fmt.Sprintf("unknown IstioRevisionType: %s", rev.Spec.Type)
-}
-
 func wrapEventHandler(logger logr.Logger, handler handler.EventHandler) handler.EventHandler {
 return enqueuelogger.WrapIfNecessary(v1alpha1.IstioRevisionKind, logger, handler)
 }
diff --git a/controllers/istiorevision/istiorevision_controller_test.go b/controllers/istiorevision/istiorevision_controller_test.go
index c27b76129..7c2f21b97 100644
--- a/controllers/istiorevision/istiorevision_controller_test.go
+++ b/controllers/istiorevision/istiorevision_controller_test.go
@@ -60,7 +60,6 @@ func TestValidate(t *testing.T) {
 Name: "default",
 },
 Spec: v1alpha1.IstioRevisionSpec{
-Type: v1alpha1.IstioRevisionTypeLocal,
 Version: supportedversion.Default,
 Namespace: "istio-system",
 Values: &v1alpha1.Values{
@@ -73,25 +72,6 @@ func TestValidate(t *testing.T) { objects: []client.Object{ns}, expectErr: "", }, - { - name: "no type", - rev: &v1alpha1.IstioRevision{ - ObjectMeta: metav1.ObjectMeta{ - Name: "default", - }, - Spec: v1alpha1.IstioRevisionSpec{ - Version: supportedversion.Default, - Namespace: "istio-system", - Values: &v1alpha1.Values{ - Global: &v1alpha1.GlobalConfig{ - IstioNamespace: ptr.Of("istio-system"), - }, - }, - }, - }, - objects: []client.Object{ns}, - expectErr: `spec.type not set`, - }, { name: "no version", rev: &v1alpha1.IstioRevision{ @@ -99,7 +79,6 @@ func TestValidate(t *testing.T) { Name: "default", }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Namespace: "istio-system", }, }, @@ -113,7 +92,6 @@ func TestValidate(t *testing.T) { Name: "default", }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, }, }, @@ -127,7 +105,6 @@ func TestValidate(t *testing.T) { Name: "default", }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, Namespace: "istio-system", }, @@ -142,7 +119,6 @@ func TestValidate(t *testing.T) { Name: "default", }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, Namespace: "istio-system", }, @@ -157,7 +133,6 @@ func TestValidate(t *testing.T) { Name: "default", }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, Namespace: "istio-system", Values: &v1alpha1.Values{ @@ -177,7 +152,6 @@ func TestValidate(t *testing.T) { Name: "default", }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, Namespace: "istio-system", Values: &v1alpha1.Values{ 
@@ -198,7 +172,6 @@ func TestValidate(t *testing.T) { Name: "my-revision", }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, Namespace: "istio-system", Values: &v1alpha1.Values{ @@ -293,7 +266,6 @@ func TestDetermineReadyCondition(t *testing.T) { testCases := []struct { name string - revType v1alpha1.IstioRevisionType values *v1alpha1.Values clientObjects []client.Object interceptors interceptor.Funcs @@ -418,9 +390,8 @@ func TestDetermineReadyCondition(t *testing.T) { expectErr: true, }, { - name: "Istiod-remote ready", - revType: v1alpha1.IstioRevisionTypeRemote, - values: nil, + name: "Istiod-remote ready", + values: &v1alpha1.Values{Profile: ptr.Of("remote")}, clientObjects: []client.Object{ &admissionv1.MutatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ @@ -437,9 +408,8 @@ func TestDetermineReadyCondition(t *testing.T) { }, }, { - name: "Istiod-remote not ready", - revType: v1alpha1.IstioRevisionTypeRemote, - values: nil, + name: "Istiod-remote not ready", + values: &v1alpha1.Values{Profile: ptr.Of("remote")}, clientObjects: []client.Object{ &admissionv1.MutatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ @@ -458,9 +428,8 @@ func TestDetermineReadyCondition(t *testing.T) { }, }, { - name: "Istiod-remote no readiness probe status annotation", - revType: v1alpha1.IstioRevisionTypeRemote, - values: nil, + name: "Istiod-remote no readiness probe status annotation", + values: &v1alpha1.Values{Profile: ptr.Of("remote")}, clientObjects: []client.Object{ &admissionv1.MutatingWebhookConfiguration{ ObjectMeta: metav1.ObjectMeta{ @@ -478,8 +447,7 @@ func TestDetermineReadyCondition(t *testing.T) { }, { name: "Istiod-remote webhook config not found", - revType: v1alpha1.IstioRevisionTypeRemote, - values: nil, + values: &v1alpha1.Values{Profile: ptr.Of("remote")}, clientObjects: []client.Object{}, expected: v1alpha1.IstioRevisionCondition{ Type: v1alpha1.IstioRevisionConditionReady, 
@@ -490,7 +458,7 @@ func TestDetermineReadyCondition(t *testing.T) { }, { name: "Istiod-remote client error on get", - revType: v1alpha1.IstioRevisionTypeRemote, + values: &v1alpha1.Values{Profile: ptr.Of("remote")}, clientObjects: []client.Object{}, interceptors: interceptor.Funcs{ Get: func(_ context.Context, _ client.WithWatch, _ client.ObjectKey, obj client.Object, _ ...client.GetOption) error { @@ -515,16 +483,12 @@ func TestDetermineReadyCondition(t *testing.T) { r := NewReconciler(cfg, cl, scheme.Scheme, nil) - if tt.revType == "" { - tt.revType = v1alpha1.IstioRevisionTypeLocal - } rev := &v1alpha1.IstioRevision{ ObjectMeta: metav1.ObjectMeta{ Name: "my-istio", }, Spec: v1alpha1.IstioRevisionSpec{ Namespace: "istio-system", - Type: tt.revType, Values: tt.values, }, } diff --git a/controllers/remoteistio/remoteistio_controller.go b/controllers/remoteistio/remoteistio_controller.go deleted file mode 100644 index fe92ebd00..000000000 --- a/controllers/remoteistio/remoteistio_controller.go +++ /dev/null 
@@ -1,315 +0,0 @@ -// Copyright Istio Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package remoteistio - -import ( - "context" - "errors" - "fmt" - "reflect" - "strings" - "time" - - "github.com/go-logr/logr" - "github.com/istio-ecosystem/sail-operator/api/v1alpha1" - "github.com/istio-ecosystem/sail-operator/pkg/config" - "github.com/istio-ecosystem/sail-operator/pkg/errlist" - "github.com/istio-ecosystem/sail-operator/pkg/kube" - "github.com/istio-ecosystem/sail-operator/pkg/reconciler" - "github.com/istio-ecosystem/sail-operator/pkg/revision" - apierrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/controller" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/reconcile" - - "istio.io/istio/pkg/ptr" -) - -// Reconciler reconciles a RemoteIstio object -type Reconciler struct { - Config config.ReconcilerConfig - client.Client - Scheme *runtime.Scheme -} - -func NewReconciler(cfg config.ReconcilerConfig, client client.Client, scheme *runtime.Scheme) *Reconciler { - return &Reconciler{ - Config: cfg, - Client: client, - Scheme: scheme, - } -} - -// +kubebuilder:rbac:groups=sailoperator.io,resources=remoteistios,verbs=get;list;watch;create;update;patch;delete -// 
+kubebuilder:rbac:groups=sailoperator.io,resources=remoteistios/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=sailoperator.io,resources=remoteistios/finalizers,verbs=update - -// Reconcile is part of the main kubernetes reconciliation loop which aims to -// move the current state of the cluster closer to the desired state. -// -// For more details, check Reconcile and its Result here: -// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.14.1/pkg/reconcile -func (r *Reconciler) Reconcile(ctx context.Context, istio *v1alpha1.RemoteIstio) (ctrl.Result, error) { - log := logf.FromContext(ctx) - - log.Info("Reconciling") - result, reconcileErr := r.doReconcile(ctx, istio) - - log.Info("Reconciliation done. Updating status.") - statusErr := r.updateStatus(ctx, istio, reconcileErr) - - return result, errors.Join(reconcileErr, statusErr) -} - -// doReconcile is the function that actually reconciles the Istio object. Any error reported by this -// function should get reported in the status of the Istio object by the caller. 
-func (r *Reconciler) doReconcile(ctx context.Context, istio *v1alpha1.RemoteIstio) (result ctrl.Result, err error) { - if err := validate(istio); err != nil { - return ctrl.Result{}, err - } - - if err = r.reconcileActiveRevision(ctx, istio); err != nil { - return ctrl.Result{}, err - } - - return revision.PruneInactive(ctx, r.Client, istio.UID, getActiveRevisionName(istio), getPruningGracePeriod(istio)) -} - -func validate(istio *v1alpha1.RemoteIstio) error { - if istio.Spec.Version == "" { - return reconciler.NewValidationError("spec.version not set") - } - if istio.Spec.Namespace == "" { - return reconciler.NewValidationError("spec.namespace not set") - } - return nil -} - -func (r *Reconciler) reconcileActiveRevision(ctx context.Context, istio *v1alpha1.RemoteIstio) error { - values, err := revision.ComputeValues( - istio.Spec.Values, istio.Spec.Namespace, istio.Spec.Version, - r.Config.Platform, r.Config.DefaultProfile, istio.Spec.Profile, - r.Config.ResourceDirectory, getActiveRevisionName(istio)) - if err != nil { - return err - } - - return revision.CreateOrUpdate(ctx, r.Client, - getActiveRevisionName(istio), - v1alpha1.IstioRevisionTypeRemote, - istio.Spec.Version, istio.Spec.Namespace, values, - metav1.OwnerReference{ - APIVersion: v1alpha1.GroupVersion.String(), - Kind: v1alpha1.RemoteIstioKind, - Name: istio.Name, - UID: istio.UID, - Controller: ptr.Of(true), - BlockOwnerDeletion: ptr.Of(true), - }) -} - -func getPruningGracePeriod(istio *v1alpha1.RemoteIstio) time.Duration { - strategy := istio.Spec.UpdateStrategy - period := int64(v1alpha1.DefaultRevisionDeletionGracePeriodSeconds) - if strategy != nil && strategy.InactiveRevisionDeletionGracePeriodSeconds != nil { - period = *strategy.InactiveRevisionDeletionGracePeriodSeconds - } - if period < v1alpha1.MinRevisionDeletionGracePeriodSeconds { - period = v1alpha1.MinRevisionDeletionGracePeriodSeconds - } - return time.Duration(period) * time.Second -} - -func (r *Reconciler) getActiveRevision(ctx 
context.Context, istio *v1alpha1.RemoteIstio) (v1alpha1.IstioRevision, error) { - rev := v1alpha1.IstioRevision{} - err := r.Client.Get(ctx, getActiveRevisionKey(istio), &rev) - if err != nil { - return rev, fmt.Errorf("get failed: %w", err) - } - return rev, nil -} - -func getActiveRevisionKey(istio *v1alpha1.RemoteIstio) types.NamespacedName { - return types.NamespacedName{ - Name: getActiveRevisionName(istio), - } -} - -func getActiveRevisionName(istio *v1alpha1.RemoteIstio) string { - var strategy v1alpha1.UpdateStrategyType - if istio.Spec.UpdateStrategy != nil { - strategy = istio.Spec.UpdateStrategy.Type - } - - switch strategy { - default: - fallthrough - case v1alpha1.UpdateStrategyTypeInPlace: - return istio.Name - case v1alpha1.UpdateStrategyTypeRevisionBased: - return istio.Name + "-" + strings.ReplaceAll(istio.Spec.Version, ".", "-") - } -} - -func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error { - return ctrl.NewControllerManagedBy(mgr). - WithOptions(controller.Options{ - LogConstructor: func(req *reconcile.Request) logr.Logger { - log := mgr.GetLogger().WithName("ctrlr").WithName("remoteistio") - if req != nil { - log = log.WithValues("RemoteIstio", req.Name) - } - return log - }, - }). - For(&v1alpha1.RemoteIstio{}). - Owns(&v1alpha1.IstioRevision{}). 
- Complete(reconciler.NewStandardReconciler[*v1alpha1.RemoteIstio](r.Client, r.Reconcile)) -} - -func (r *Reconciler) determineStatus(ctx context.Context, istio *v1alpha1.RemoteIstio, reconcileErr error) (v1alpha1.RemoteIstioStatus, error) { - var errs errlist.Builder - status := *istio.Status.DeepCopy() - status.ObservedGeneration = istio.Generation - - // set Reconciled and Ready conditions - if reconcileErr != nil { - status.SetCondition(v1alpha1.RemoteIstioCondition{ - Type: v1alpha1.RemoteIstioConditionReconciled, - Status: metav1.ConditionFalse, - Reason: v1alpha1.RemoteIstioReasonReconcileError, - Message: reconcileErr.Error(), - }) - status.SetCondition(v1alpha1.RemoteIstioCondition{ - Type: v1alpha1.RemoteIstioConditionReady, - Status: metav1.ConditionUnknown, - Reason: v1alpha1.RemoteIstioReasonReconcileError, - Message: "cannot determine readiness due to reconciliation error", - }) - status.State = v1alpha1.RemoteIstioReasonReconcileError - } else { - status.ActiveRevisionName = getActiveRevisionName(istio) - rev, err := r.getActiveRevision(ctx, istio) - if apierrors.IsNotFound(err) { - revisionNotFound := func(conditionType v1alpha1.RemoteIstioConditionType) v1alpha1.RemoteIstioCondition { - return v1alpha1.RemoteIstioCondition{ - Type: conditionType, - Status: metav1.ConditionFalse, - Reason: v1alpha1.RemoteIstioReasonRevisionNotFound, - Message: "active IstioRevision not found", - } - } - - status.SetCondition(revisionNotFound(v1alpha1.RemoteIstioConditionReconciled)) - status.SetCondition(revisionNotFound(v1alpha1.RemoteIstioConditionReady)) - status.State = v1alpha1.RemoteIstioReasonRevisionNotFound - } else if err == nil { - status.SetCondition(convertCondition(rev.Status.GetCondition(v1alpha1.IstioRevisionConditionReconciled))) - status.SetCondition(convertCondition(rev.Status.GetCondition(v1alpha1.IstioRevisionConditionReady))) - status.State = convertConditionReason(rev.Status.State) - } else { - activeRevisionGetFailed := func(conditionType 
v1alpha1.RemoteIstioConditionType) v1alpha1.RemoteIstioCondition { - return v1alpha1.RemoteIstioCondition{ - Type: conditionType, - Status: metav1.ConditionUnknown, - Reason: v1alpha1.RemoteIstioReasonFailedToGetActiveRevision, - Message: fmt.Sprintf("failed to get active IstioRevision: %s", err), - } - } - status.SetCondition(activeRevisionGetFailed(v1alpha1.RemoteIstioConditionReconciled)) - status.SetCondition(activeRevisionGetFailed(v1alpha1.RemoteIstioConditionReady)) - status.State = v1alpha1.RemoteIstioReasonFailedToGetActiveRevision - errs.Add(fmt.Errorf("failed to get active IstioRevision: %w", err)) - } - } - - // count the ready, in-use, and total revisions - if revs, err := revision.ListOwned(ctx, r.Client, istio.UID); err == nil { - status.Revisions.Total = int32(len(revs)) - status.Revisions.Ready = 0 - status.Revisions.InUse = 0 - for _, rev := range revs { - if rev.Status.GetCondition(v1alpha1.IstioRevisionConditionReady).Status == metav1.ConditionTrue { - status.Revisions.Ready++ - } - if rev.Status.GetCondition(v1alpha1.IstioRevisionConditionInUse).Status == metav1.ConditionTrue { - status.Revisions.InUse++ - } - } - } else { - status.Revisions.Total = -1 - status.Revisions.Ready = -1 - status.Revisions.InUse = -1 - errs.Add(err) - } - return status, errs.Error() -} - -func (r *Reconciler) updateStatus(ctx context.Context, istio *v1alpha1.RemoteIstio, reconcileErr error) error { - var errs errlist.Builder - status, err := r.determineStatus(ctx, istio, reconcileErr) - if err != nil { - errs.Add(fmt.Errorf("failed to determine status: %w", err)) - } - - if !reflect.DeepEqual(istio.Status, status) { - if err := r.Client.Status().Patch(ctx, istio, kube.NewStatusPatch(status)); err != nil { - errs.Add(fmt.Errorf("failed to patch status: %w", err)) - } - } - return errs.Error() -} - -func convertCondition(condition v1alpha1.IstioRevisionCondition) v1alpha1.RemoteIstioCondition { - return v1alpha1.RemoteIstioCondition{ - Type: 
convertConditionType(condition), - Status: condition.Status, - Reason: convertConditionReason(condition.Reason), - Message: condition.Message, - } -} - -func convertConditionType(condition v1alpha1.IstioRevisionCondition) v1alpha1.RemoteIstioConditionType { - switch condition.Type { - case v1alpha1.IstioRevisionConditionReconciled: - return v1alpha1.RemoteIstioConditionReconciled - case v1alpha1.IstioRevisionConditionReady: - return v1alpha1.RemoteIstioConditionReady - default: - panic(fmt.Sprintf("can't convert IstioRevisionConditionType: %s", condition.Type)) - } -} - -func convertConditionReason(reason v1alpha1.IstioRevisionConditionReason) v1alpha1.RemoteIstioConditionReason { - switch reason { - case "": - return "" - case v1alpha1.IstioRevisionReasonRemoteIstiodNotReady: - return v1alpha1.RemoteIstioReasonIstiodNotReady - case v1alpha1.IstioRevisionReasonHealthy: - return v1alpha1.RemoteIstioReasonHealthy - case v1alpha1.IstioRevisionReasonReadinessCheckFailed: - return v1alpha1.RemoteIstioReasonReadinessCheckFailed - case v1alpha1.IstioRevisionReasonReconcileError: - return v1alpha1.RemoteIstioReasonReconcileError - default: - panic(fmt.Sprintf("can't convert IstioRevisionConditionReason: %s", reason)) - } -} diff --git a/controllers/remoteistio/remoteistio_controller_test.go b/controllers/remoteistio/remoteistio_controller_test.go deleted file mode 100644 index 8b74879f2..000000000 --- a/controllers/remoteistio/remoteistio_controller_test.go +++ /dev/null 
@@ -1,927 +0,0 @@ -// Copyright Istio Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package remoteistio - -import ( - "context" - "fmt" - "runtime/debug" - "testing" - "time" - - "github.com/google/go-cmp/cmp" - "github.com/istio-ecosystem/sail-operator/api/v1alpha1" - "github.com/istio-ecosystem/sail-operator/pkg/config" - "github.com/istio-ecosystem/sail-operator/pkg/scheme" - "github.com/istio-ecosystem/sail-operator/pkg/test/testtime" - "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" - . "github.com/onsi/gomega" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/client/fake" - "sigs.k8s.io/controller-runtime/pkg/client/interceptor" - - "istio.io/istio/pkg/ptr" -) - -var ( - ctx = context.Background() - istioNamespace = "my-istio-namespace" - istioName = "my-istio" - istioKey = types.NamespacedName{ - Name: istioName, - } - istioUID = types.UID("my-istio-uid") - objectMeta = metav1.ObjectMeta{ - Name: istioKey.Name, - } -) - -func TestReconcile(t *testing.T) { - cfg := newReconcilerTestConfig(t) - - t.Run("returns error when Istio version not set", func(t *testing.T) { - istio := &v1alpha1.RemoteIstio{ - ObjectMeta: objectMeta, - } - - cl := newFakeClientBuilder(). - WithObjects(istio). 
- Build() - reconciler := NewReconciler(cfg, cl, scheme.Scheme) - - _, err := reconciler.Reconcile(ctx, istio) - if err == nil { - t.Errorf("Expected an error, but got nil") - } - - Must(t, cl.Get(ctx, istioKey, istio)) - - if istio.Status.State != v1alpha1.RemoteIstioReasonReconcileError { - t.Errorf("Expected status.state to be %q, but got %q", v1alpha1.RemoteIstioReasonReconcileError, istio.Status.State) - } - - reconciledCond := istio.Status.GetCondition(v1alpha1.RemoteIstioConditionReconciled) - if reconciledCond.Status != metav1.ConditionFalse { - t.Errorf("Expected Reconciled condition status to be %q, but got %q", metav1.ConditionFalse, reconciledCond.Status) - } - - readyCond := istio.Status.GetCondition(v1alpha1.RemoteIstioConditionReady) - if readyCond.Status != metav1.ConditionUnknown { - t.Errorf("Expected Reconciled condition status to be %q, but got %q", metav1.ConditionUnknown, readyCond.Status) - } - }) - - t.Run("returns error when computeIstioRevisionValues fails", func(t *testing.T) { - istio := &v1alpha1.RemoteIstio{ - ObjectMeta: objectMeta, - Spec: v1alpha1.RemoteIstioSpec{ - Version: "my-version", - }, - } - - cl := newFakeClientBuilder(). - WithStatusSubresource(&v1alpha1.RemoteIstio{}). - WithObjects(istio). 
- Build() - cfg := newReconcilerTestConfig(t) - cfg.DefaultProfile = "invalid-profile" - reconciler := NewReconciler(cfg, cl, scheme.Scheme) - - _, err := reconciler.Reconcile(ctx, istio) - if err == nil { - t.Errorf("Expected an error, but got nil") - } - - Must(t, cl.Get(ctx, istioKey, istio)) - - if istio.Status.State != v1alpha1.RemoteIstioReasonReconcileError { - t.Errorf("Expected status.state to be %q, but got %q", v1alpha1.RemoteIstioReasonReconcileError, istio.Status.State) - } - - reconciledCond := istio.Status.GetCondition(v1alpha1.RemoteIstioConditionReconciled) - if reconciledCond.Status != metav1.ConditionFalse { - t.Errorf("Expected Reconciled condition status to be %q, but got %q", metav1.ConditionFalse, reconciledCond.Status) - } - - readyCond := istio.Status.GetCondition(v1alpha1.RemoteIstioConditionReady) - if readyCond.Status != metav1.ConditionUnknown { - t.Errorf("Expected Reconciled condition status to be %q, but got %q", metav1.ConditionUnknown, readyCond.Status) - } - }) - - t.Run("returns error when reconcileActiveRevision fails", func(t *testing.T) { - istio := &v1alpha1.RemoteIstio{ - ObjectMeta: objectMeta, - Spec: v1alpha1.RemoteIstioSpec{ - Version: "my-version", - }, - } - - cl := newFakeClientBuilder(). - WithObjects(istio). - WithInterceptorFuncs(interceptor.Funcs{ - Create: func(_ context.Context, _ client.WithWatch, _ client.Object, _ ...client.CreateOption) error { - return fmt.Errorf("internal error") - }, - }). 
- Build() - reconciler := NewReconciler(cfg, cl, scheme.Scheme) - - _, err := reconciler.Reconcile(ctx, istio) - if err == nil { - t.Errorf("Expected an error, but got nil") - } - - Must(t, cl.Get(ctx, istioKey, istio)) - - if istio.Status.State != v1alpha1.RemoteIstioReasonReconcileError { - t.Errorf("Expected status.state to be %q, but got %q", v1alpha1.RemoteIstioReasonReconcileError, istio.Status.State) - } - - reconciledCond := istio.Status.GetCondition(v1alpha1.RemoteIstioConditionReconciled) - if reconciledCond.Status != metav1.ConditionFalse { - t.Errorf("Expected Reconciled condition status to be %q, but got %q", metav1.ConditionFalse, reconciledCond.Status) - } - - readyCond := istio.Status.GetCondition(v1alpha1.RemoteIstioConditionReady) - if readyCond.Status != metav1.ConditionUnknown { - t.Errorf("Expected Reconciled condition status to be %q, but got %q", metav1.ConditionUnknown, readyCond.Status) - } - }) -} - -func TestValidate(t *testing.T) { - testCases := []struct { - name string - istio *v1alpha1.RemoteIstio - expectErr string - }{ - { - name: "success", - istio: &v1alpha1.RemoteIstio{ - ObjectMeta: metav1.ObjectMeta{ - Name: "default", - }, - Spec: v1alpha1.RemoteIstioSpec{ - Version: supportedversion.Default, - Namespace: "istio-system", - }, - }, - expectErr: "", - }, - { - name: "no version", - istio: &v1alpha1.RemoteIstio{ - ObjectMeta: metav1.ObjectMeta{ - Name: "default", - }, - Spec: v1alpha1.RemoteIstioSpec{ - Namespace: "istio-system", - }, - }, - expectErr: "spec.version not set", - }, - { - name: "no namespace", - istio: &v1alpha1.RemoteIstio{ - ObjectMeta: metav1.ObjectMeta{ - Name: "default", - }, - Spec: v1alpha1.RemoteIstioSpec{ - Version: supportedversion.Default, - }, - }, - expectErr: "spec.namespace not set", - }, - } - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - g := NewWithT(t) - - err := validate(tc.istio) - if tc.expectErr == "" { - g.Expect(err).ToNot(HaveOccurred()) - } else { - 
g.Expect(err).To(HaveOccurred()) - g.Expect(err.Error()).To(ContainSubstring(tc.expectErr)) - } - }) - } -} - -func TestDetermineStatus(t *testing.T) { - cfg := newReconcilerTestConfig(t) - - generation := int64(100) - - ownedByIstio := metav1.OwnerReference{ - APIVersion: v1alpha1.GroupVersion.String(), - Kind: v1alpha1.RemoteIstioKind, - Name: istioName, - UID: istioUID, - Controller: ptr.Of(true), - BlockOwnerDeletion: ptr.Of(true), - } - - ownedByAnotherIstio := metav1.OwnerReference{ - APIVersion: v1alpha1.GroupVersion.String(), - Kind: v1alpha1.RemoteIstioKind, - Name: "some-other-Istio", - UID: "some-other-uid", - Controller: ptr.Of(true), - BlockOwnerDeletion: ptr.Of(true), - } - - revision := func(name string, ownerRef metav1.OwnerReference, reconciled, ready, inUse bool) v1alpha1.IstioRevision { - return v1alpha1.IstioRevision{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - OwnerReferences: []metav1.OwnerReference{ownerRef}, - }, - Spec: v1alpha1.IstioRevisionSpec{Namespace: istioNamespace}, - Status: v1alpha1.IstioRevisionStatus{ - State: v1alpha1.IstioRevisionReasonHealthy, - Conditions: []v1alpha1.IstioRevisionCondition{ - {Type: v1alpha1.IstioRevisionConditionReconciled, Status: toConditionStatus(reconciled)}, - {Type: v1alpha1.IstioRevisionConditionReady, Status: toConditionStatus(ready)}, - {Type: v1alpha1.IstioRevisionConditionInUse, Status: toConditionStatus(inUse)}, - }, - }, - } - } - - testCases := []struct { - name string - reconciliationErr error - istio *v1alpha1.RemoteIstio - revisions []v1alpha1.IstioRevision - interceptorFuncs *interceptor.Funcs - wantErr bool - expectedStatus v1alpha1.RemoteIstioStatus - }{ - { - name: "reconciliation error", - reconciliationErr: fmt.Errorf("reconciliation error"), - wantErr: false, - expectedStatus: v1alpha1.RemoteIstioStatus{ - State: v1alpha1.RemoteIstioReasonReconcileError, - ObservedGeneration: generation, - Conditions: []v1alpha1.RemoteIstioCondition{ - { - Type: 
v1alpha1.RemoteIstioConditionReconciled, - Status: metav1.ConditionFalse, - Reason: v1alpha1.RemoteIstioReasonReconcileError, - Message: "reconciliation error", - }, - { - Type: v1alpha1.RemoteIstioConditionReady, - Status: metav1.ConditionUnknown, - Reason: v1alpha1.RemoteIstioReasonReconcileError, - Message: "cannot determine readiness due to reconciliation error", - }, - }, - }, - }, - { - name: "mirrors status of active revision", - wantErr: false, - revisions: []v1alpha1.IstioRevision{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: istioKey.Name, - OwnerReferences: []metav1.OwnerReference{ownedByIstio}, - }, - Spec: v1alpha1.IstioRevisionSpec{ - Namespace: istioNamespace, - }, - Status: v1alpha1.IstioRevisionStatus{ - State: v1alpha1.IstioRevisionReasonHealthy, - Conditions: []v1alpha1.IstioRevisionCondition{ - { - Type: v1alpha1.IstioRevisionConditionReconciled, - Status: metav1.ConditionTrue, - Reason: v1alpha1.IstioRevisionReasonHealthy, - Message: "reconciled message", - }, - { - Type: v1alpha1.IstioRevisionConditionReady, - Status: metav1.ConditionTrue, - Reason: v1alpha1.IstioRevisionReasonHealthy, - Message: "ready message", - }, - }, - }, - }, - { - ObjectMeta: metav1.ObjectMeta{ - Name: istioKey.Name + "-not-active", - OwnerReferences: []metav1.OwnerReference{ownedByIstio}, - }, - Spec: v1alpha1.IstioRevisionSpec{ - Namespace: istioNamespace, - }, - Status: v1alpha1.IstioRevisionStatus{ - State: v1alpha1.IstioRevisionReasonHealthy, - Conditions: []v1alpha1.IstioRevisionCondition{ - { - Type: v1alpha1.IstioRevisionConditionReconciled, - Status: metav1.ConditionFalse, - Reason: v1alpha1.IstioRevisionReasonHealthy, - Message: "shouldn't mirror this revision", - }, - { - Type: v1alpha1.IstioRevisionConditionReady, - Status: metav1.ConditionFalse, - Reason: v1alpha1.IstioRevisionReasonHealthy, - Message: "shouldn't mirror this revision", - }, - }, - }, - }, - }, - expectedStatus: v1alpha1.RemoteIstioStatus{ - State: v1alpha1.RemoteIstioReasonHealthy, - 
ObservedGeneration: generation, - Conditions: []v1alpha1.RemoteIstioCondition{ - { - Type: v1alpha1.RemoteIstioConditionReconciled, - Status: metav1.ConditionTrue, - Reason: v1alpha1.RemoteIstioReasonHealthy, - Message: "reconciled message", - }, - { - Type: v1alpha1.RemoteIstioConditionReady, - Status: metav1.ConditionTrue, - Reason: v1alpha1.RemoteIstioReasonHealthy, - Message: "ready message", - }, - }, - ActiveRevisionName: istioKey.Name, - Revisions: v1alpha1.RevisionSummary{ - Total: 2, - Ready: 1, - InUse: 0, - }, - }, - }, - { - name: "shows correct revision counts", - wantErr: false, - revisions: []v1alpha1.IstioRevision{ - // owned by the Istio under test; 3 todal, 2 ready, 1 in use - revision(istioKey.Name, ownedByIstio, true, true, true), - revision(istioKey.Name+"-old1", ownedByIstio, true, true, false), - revision(istioKey.Name+"-old2", ownedByIstio, true, false, false), - // not owned by the Istio being tested; shouldn't affect counts - revision("some-other-istio", ownedByAnotherIstio, true, true, true), - }, - expectedStatus: v1alpha1.RemoteIstioStatus{ - State: v1alpha1.RemoteIstioReasonHealthy, - ObservedGeneration: generation, - Conditions: []v1alpha1.RemoteIstioCondition{ - { - Type: v1alpha1.RemoteIstioConditionReconciled, - Status: metav1.ConditionTrue, - }, - { - Type: v1alpha1.RemoteIstioConditionReady, - Status: metav1.ConditionTrue, - }, - }, - ActiveRevisionName: istioKey.Name, - Revisions: v1alpha1.RevisionSummary{ - Total: 3, - Ready: 2, - InUse: 1, - }, - }, - }, - { - name: "active revision not found", - wantErr: false, - expectedStatus: v1alpha1.RemoteIstioStatus{ - State: v1alpha1.RemoteIstioReasonRevisionNotFound, - ObservedGeneration: generation, - Conditions: []v1alpha1.RemoteIstioCondition{ - { - Type: v1alpha1.RemoteIstioConditionReconciled, - Status: metav1.ConditionFalse, - Reason: v1alpha1.RemoteIstioReasonRevisionNotFound, - Message: "active IstioRevision not found", - }, - { - Type: v1alpha1.RemoteIstioConditionReady, - 
Status: metav1.ConditionFalse, - Reason: v1alpha1.RemoteIstioReasonRevisionNotFound, - Message: "active IstioRevision not found", - }, - }, - ActiveRevisionName: istioKey.Name, - }, - }, - { - name: "get active revision error", - interceptorFuncs: &interceptor.Funcs{ - Get: func(_ context.Context, _ client.WithWatch, _ client.ObjectKey, obj client.Object, _ ...client.GetOption) error { - if _, ok := obj.(*v1alpha1.IstioRevision); ok { - return fmt.Errorf("simulated error") - } - return nil - }, - }, - wantErr: true, - expectedStatus: v1alpha1.RemoteIstioStatus{ - State: v1alpha1.RemoteIstioReasonFailedToGetActiveRevision, - ObservedGeneration: generation, - Conditions: []v1alpha1.RemoteIstioCondition{ - { - Type: v1alpha1.RemoteIstioConditionReconciled, - Status: metav1.ConditionUnknown, - Reason: v1alpha1.RemoteIstioReasonFailedToGetActiveRevision, - Message: "failed to get active IstioRevision: get failed: simulated error", - }, - { - Type: v1alpha1.RemoteIstioConditionReady, - Status: metav1.ConditionUnknown, - Reason: v1alpha1.RemoteIstioReasonFailedToGetActiveRevision, - Message: "failed to get active IstioRevision: get failed: simulated error", - }, - }, - ActiveRevisionName: istioKey.Name, - Revisions: v1alpha1.RevisionSummary{}, - }, - }, - { - name: "list revisions error", - interceptorFuncs: &interceptor.Funcs{ - List: func(_ context.Context, _ client.WithWatch, list client.ObjectList, _ ...client.ListOption) error { - if _, ok := list.(*v1alpha1.IstioRevisionList); ok { - return fmt.Errorf("simulated error") - } - return nil - }, - }, - wantErr: true, - expectedStatus: v1alpha1.RemoteIstioStatus{ - State: v1alpha1.RemoteIstioReasonRevisionNotFound, - ObservedGeneration: generation, - Conditions: []v1alpha1.RemoteIstioCondition{ - { - Type: v1alpha1.RemoteIstioConditionReconciled, - Status: metav1.ConditionFalse, - Reason: v1alpha1.RemoteIstioReasonRevisionNotFound, - Message: "active IstioRevision not found", - }, - { - Type: 
v1alpha1.RemoteIstioConditionReady, - Status: metav1.ConditionFalse, - Reason: v1alpha1.RemoteIstioReasonRevisionNotFound, - Message: "active IstioRevision not found", - }, - }, - ActiveRevisionName: istioKey.Name, - Revisions: v1alpha1.RevisionSummary{ - Total: -1, - Ready: -1, - InUse: -1, - }, - }, - }, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - var interceptorFuncs interceptor.Funcs - if tc.interceptorFuncs != nil { - interceptorFuncs = *tc.interceptorFuncs - } - - istio := tc.istio - if istio == nil { - istio = &v1alpha1.RemoteIstio{ - ObjectMeta: metav1.ObjectMeta{ - Name: istioKey.Name, - UID: istioUID, - Generation: 100, - }, - Spec: v1alpha1.RemoteIstioSpec{ - Version: "my-version", - Namespace: istioNamespace, - }, - } - } - - initObjs := []client.Object{istio} - for _, rev := range tc.revisions { - rev := rev - initObjs = append(initObjs, &rev) - } - - cl := newFakeClientBuilder(). - WithObjects(initObjs...). - WithInterceptorFuncs(interceptorFuncs). 
- Build() - reconciler := NewReconciler(cfg, cl, scheme.Scheme) - - status, err := reconciler.determineStatus(ctx, istio, tc.reconciliationErr) - if (err != nil) != tc.wantErr { - t.Errorf("determineStatus() error = %v, wantErr %v", err, tc.wantErr) - } - - if diff := cmp.Diff(tc.expectedStatus, clearTimestamps(status)); diff != "" { - t.Errorf("returned status wasn't as expected; diff (-expected, +actual):\n%v", diff) - } - }) - } -} - -func TestUpdateStatus(t *testing.T) { - cfg := newReconcilerTestConfig(t) - - generation := int64(100) - oneMinuteAgo := testtime.OneMinuteAgo() - - testCases := []struct { - name string - reconciliationErr error - istio *v1alpha1.RemoteIstio - revisions []v1alpha1.IstioRevision - interceptorFuncs *interceptor.Funcs - disallowWrites bool - wantErr bool - expectedStatus v1alpha1.RemoteIstioStatus - - skipInterceptors bool // used internally by test implementation when it wants to get around the interceptor - }{ - { - name: "updates status even when determineStatus returns error", - interceptorFuncs: &interceptor.Funcs{ - List: func(_ context.Context, _ client.WithWatch, list client.ObjectList, _ ...client.ListOption) error { - if _, ok := list.(*v1alpha1.IstioRevisionList); ok { - return fmt.Errorf("simulated error") - } - return nil - }, - }, - wantErr: true, - expectedStatus: v1alpha1.RemoteIstioStatus{ - State: v1alpha1.RemoteIstioReasonRevisionNotFound, - ObservedGeneration: generation, - Conditions: []v1alpha1.RemoteIstioCondition{ - { - Type: v1alpha1.RemoteIstioConditionReconciled, - Status: metav1.ConditionFalse, - Reason: v1alpha1.RemoteIstioReasonRevisionNotFound, - Message: "active IstioRevision not found", - }, - { - Type: v1alpha1.RemoteIstioConditionReady, - Status: metav1.ConditionFalse, - Reason: v1alpha1.RemoteIstioReasonRevisionNotFound, - Message: "active IstioRevision not found", - }, - }, - ActiveRevisionName: istioKey.Name, - Revisions: v1alpha1.RevisionSummary{ - Total: -1, - Ready: -1, - InUse: -1, - }, - }, 
- }, - { - name: "skips update when status unchanged", - istio: &v1alpha1.RemoteIstio{ - ObjectMeta: metav1.ObjectMeta{ - Name: istioKey.Name, - UID: istioUID, - Generation: 100, - }, - Spec: v1alpha1.RemoteIstioSpec{ - Version: "my-version", - Namespace: istioNamespace, - }, - Status: v1alpha1.RemoteIstioStatus{ - ObservedGeneration: 100, - State: v1alpha1.RemoteIstioReasonHealthy, - Conditions: []v1alpha1.RemoteIstioCondition{ - { - Type: v1alpha1.RemoteIstioConditionReconciled, - Status: metav1.ConditionTrue, - Reason: v1alpha1.RemoteIstioReasonHealthy, - Message: "reconciled message", - LastTransitionTime: *oneMinuteAgo, - }, - { - Type: v1alpha1.RemoteIstioConditionReady, - Status: metav1.ConditionTrue, - Reason: v1alpha1.RemoteIstioReasonHealthy, - Message: "ready message", - LastTransitionTime: *oneMinuteAgo, - }, - }, - ActiveRevisionName: istioKey.Name, - }, - }, - revisions: []v1alpha1.IstioRevision{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: istioKey.Name, - }, - Spec: v1alpha1.IstioRevisionSpec{ - Namespace: istioNamespace, - }, - Status: v1alpha1.IstioRevisionStatus{ - State: v1alpha1.IstioRevisionReasonHealthy, - Conditions: []v1alpha1.IstioRevisionCondition{ - { - Type: v1alpha1.IstioRevisionConditionReconciled, - Status: metav1.ConditionTrue, - Reason: v1alpha1.IstioRevisionReasonHealthy, - Message: "reconciled message", - LastTransitionTime: *oneMinuteAgo, - }, - { - Type: v1alpha1.IstioRevisionConditionReady, - Status: metav1.ConditionTrue, - Reason: v1alpha1.IstioRevisionReasonHealthy, - Message: "ready message", - LastTransitionTime: *oneMinuteAgo, - }, - }, - }, - }, - }, - expectedStatus: v1alpha1.RemoteIstioStatus{ - State: v1alpha1.RemoteIstioReasonHealthy, - ObservedGeneration: generation, - Conditions: []v1alpha1.RemoteIstioCondition{ - { - Type: v1alpha1.RemoteIstioConditionReconciled, - Status: metav1.ConditionTrue, - Reason: v1alpha1.RemoteIstioReasonHealthy, - Message: "reconciled message", - }, - { - Type: 
v1alpha1.RemoteIstioConditionReady, - Status: metav1.ConditionTrue, - Reason: v1alpha1.RemoteIstioReasonHealthy, - Message: "ready message", - }, - }, - ActiveRevisionName: istioKey.Name, - }, - disallowWrites: true, - wantErr: false, - }, - { - name: "returns status update error", - interceptorFuncs: &interceptor.Funcs{ - SubResourcePatch: func(_ context.Context, _ client.Client, _ string, _ client.Object, _ client.Patch, _ ...client.SubResourcePatchOption) error { - return fmt.Errorf("patch status error") - }, - }, - wantErr: true, - }, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - var interceptorFuncs interceptor.Funcs - if tc.disallowWrites { - if tc.interceptorFuncs != nil { - panic("can't use disallowWrites and interceptorFuncs at the same time") - } - interceptorFuncs = noWrites(t) - } else if tc.interceptorFuncs != nil { - interceptorFuncs = *tc.interceptorFuncs - } - - istio := tc.istio - if istio == nil { - istio = &v1alpha1.RemoteIstio{ - ObjectMeta: metav1.ObjectMeta{ - Name: istioKey.Name, - UID: istioUID, - Generation: 100, - }, - Spec: v1alpha1.RemoteIstioSpec{ - Version: "my-version", - Namespace: istioNamespace, - }, - } - } - - initObjs := []client.Object{istio} - for _, rev := range tc.revisions { - rev := rev - initObjs = append(initObjs, &rev) - } - - cl := newFakeClientBuilder(). - WithObjects(initObjs...). - WithInterceptorFuncs(interceptorFuncs). 
- Build() - reconciler := NewReconciler(cfg, cl, scheme.Scheme) - - err := reconciler.updateStatus(ctx, istio, tc.reconciliationErr) - if (err != nil) != tc.wantErr { - t.Errorf("updateStatus() error = %v, wantErr %v", err, tc.wantErr) - } - - Must(t, cl.Get(ctx, istioKey, istio)) - if diff := cmp.Diff(tc.expectedStatus, clearTimestamps(istio.Status)); diff != "" { - t.Errorf("returned status wasn't as expected; diff (-expected, +actual):\n%v", diff) - } - }) - } -} - -func clearTimestamps(status v1alpha1.RemoteIstioStatus) v1alpha1.RemoteIstioStatus { - for i := range status.Conditions { - status.Conditions[i].LastTransitionTime = metav1.Time{} - } - return status -} - -func toConditionStatus(b bool) metav1.ConditionStatus { - if b { - return metav1.ConditionTrue - } - return metav1.ConditionFalse -} - -func TestGetActiveRevisionName(t *testing.T) { - tests := []struct { - name string - version string - updateStrategyType *v1alpha1.UpdateStrategyType - expectedRevisionName string - }{ - { - name: "No update strategy specified", - version: "1.0.0", - updateStrategyType: nil, - expectedRevisionName: "test-istio", - }, - { - name: "InPlace", - version: "1.0.0", - updateStrategyType: ptr.Of(v1alpha1.UpdateStrategyTypeInPlace), - expectedRevisionName: "test-istio", - }, - { - name: "RevisionBased v1.0.0", - version: "1.0.0", - updateStrategyType: ptr.Of(v1alpha1.UpdateStrategyTypeRevisionBased), - expectedRevisionName: "test-istio-1-0-0", - }, - { - name: "RevisionBased v2.0.0", - version: "2.0.0", - updateStrategyType: ptr.Of(v1alpha1.UpdateStrategyTypeRevisionBased), - expectedRevisionName: "test-istio-2-0-0", - }, - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - istio := &v1alpha1.RemoteIstio{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-istio", - }, - Spec: v1alpha1.RemoteIstioSpec{ - Version: tt.version, - }, - } - if tt.updateStrategyType != nil { - istio.Spec.UpdateStrategy = &v1alpha1.IstioUpdateStrategy{ - Type: 
*tt.updateStrategyType, - } - } - actual := getActiveRevisionName(istio) - if actual != tt.expectedRevisionName { - t.Errorf("getActiveRevisionName() = %v, want %v", actual, tt.expectedRevisionName) - } - }) - } -} - -func newFakeClientBuilder() *fake.ClientBuilder { - return fake.NewClientBuilder(). - WithScheme(scheme.Scheme). - WithStatusSubresource(&v1alpha1.RemoteIstio{}) -} - -func TestGetPruningGracePeriod(t *testing.T) { - tests := []struct { - name string - updateStrategy *v1alpha1.IstioUpdateStrategy - expected time.Duration - }{ - { - name: "Nil update strategy", - updateStrategy: nil, - expected: v1alpha1.DefaultRevisionDeletionGracePeriodSeconds * time.Second, - }, - { - name: "Nil grace period", - updateStrategy: &v1alpha1.IstioUpdateStrategy{}, - expected: v1alpha1.DefaultRevisionDeletionGracePeriodSeconds * time.Second, - }, - { - name: "Grace period less than minimum", - updateStrategy: &v1alpha1.IstioUpdateStrategy{ - InactiveRevisionDeletionGracePeriodSeconds: ptr.Of(int64(v1alpha1.MinRevisionDeletionGracePeriodSeconds - 10)), - }, - expected: v1alpha1.MinRevisionDeletionGracePeriodSeconds * time.Second, - }, - { - name: "Grace period more than minimum", - updateStrategy: &v1alpha1.IstioUpdateStrategy{ - InactiveRevisionDeletionGracePeriodSeconds: ptr.Of(int64(v1alpha1.MinRevisionDeletionGracePeriodSeconds + 10)), - }, - expected: (v1alpha1.MinRevisionDeletionGracePeriodSeconds + 10) * time.Second, - }, - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - istio := &v1alpha1.RemoteIstio{ - Spec: v1alpha1.RemoteIstioSpec{ - UpdateStrategy: tt.updateStrategy, - }, - } - got := getPruningGracePeriod(istio) - if got != tt.expected { - t.Errorf("getPruningGracePeriod() = %v, want %v", got, tt.expected) - } - }) - } -} - -func Must(t *testing.T, err error) { - t.Helper() - if err != nil { - t.Fatal(err) - } -} - -func noWrites(t *testing.T) interceptor.Funcs { - return interceptor.Funcs{ - Create: func(_ context.Context, _ 
client.WithWatch, _ client.Object, _ ...client.CreateOption) error { - t.Fatal("unexpected call to Create in", string(debug.Stack())) - return nil - }, - Update: func(_ context.Context, _ client.WithWatch, _ client.Object, _ ...client.UpdateOption) error { - t.Fatal("unexpected call to Update in", string(debug.Stack())) - return nil - }, - Delete: func(_ context.Context, _ client.WithWatch, _ client.Object, _ ...client.DeleteOption) error { - t.Fatal("unexpected call to Delete in", string(debug.Stack())) - return nil - }, - Patch: func(_ context.Context, _ client.WithWatch, _ client.Object, _ client.Patch, _ ...client.PatchOption) error { - t.Fatal("unexpected call to Patch in", string(debug.Stack())) - return nil - }, - DeleteAllOf: func(_ context.Context, _ client.WithWatch, _ client.Object, _ ...client.DeleteAllOfOption) error { - t.Fatal("unexpected call to DeleteAllOf in", string(debug.Stack())) - return nil - }, - SubResourceCreate: func(_ context.Context, _ client.Client, _ string, _ client.Object, _ client.Object, _ ...client.SubResourceCreateOption) error { - t.Fatal("unexpected call to SubResourceCreate in", string(debug.Stack())) - return nil - }, - SubResourceUpdate: func(_ context.Context, _ client.Client, _ string, _ client.Object, _ ...client.SubResourceUpdateOption) error { - t.Fatal("unexpected call to SubResourceUpdate in", string(debug.Stack())) - return nil - }, - SubResourcePatch: func(_ context.Context, _ client.Client, _ string, obj client.Object, _ client.Patch, _ ...client.SubResourcePatchOption) error { - t.Fatalf("unexpected call to SubResourcePatch with the object %+v: %v", obj, string(debug.Stack())) - return nil - }, - } -} - -func newReconcilerTestConfig(t *testing.T) config.ReconcilerConfig { - return config.ReconcilerConfig{ - ResourceDirectory: t.TempDir(), - Platform: config.PlatformKubernetes, - DefaultProfile: "", - } -} 
diff --git a/controllers/webhook/webhook_controller.go b/controllers/webhook/webhook_controller.go
index fe6ef714b..142a60b44 100644
--- a/controllers/webhook/webhook_controller.go
+++ b/controllers/webhook/webhook_controller.go
@@ -30,6 +30,7 @@ import (
 	"github.com/istio-ecosystem/sail-operator/pkg/constants"
 	"github.com/istio-ecosystem/sail-operator/pkg/enqueuelogger"
 	"github.com/istio-ecosystem/sail-operator/pkg/reconciler"
+	"github.com/istio-ecosystem/sail-operator/pkg/revision"
 	admissionv1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -74,15 +75,21 @@ func NewReconciler(client client.Client, scheme *runtime.Scheme) *Reconciler {
 // For more details, check Reconcile and its Result here:
 // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.14.1/pkg/reconcile
 func (r *Reconciler) Reconcile(ctx context.Context, webhook *admissionv1.MutatingWebhookConfiguration) (ctrl.Result, error) {
+	log := logf.FromContext(ctx)
+
 	isReady, err := r.probe(ctx, webhook)
+	reason := ""
 	if err != nil {
-		isReady = false
+		log.V(3).Error(err, "Probe failed")
+		reason = err.Error()
 	}
 
 	if webhook.Annotations == nil {
 		webhook.Annotations = make(map[string]string)
 	}
 	webhook.Annotations[constants.WebhookReadinessProbeStatusAnnotationKey] = strconv.FormatBool(isReady)
+	webhook.Annotations[constants.WebhookReadinessProbeStatusReasonAnnotationKey] = reason
+
 	err = r.Client.Update(ctx, webhook)
 	if err != nil {
 		return ctrl.Result{}, err
@@ -91,7 +98,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, webhook *admissionv1.Mutatin
 }
 
 func doProbe(ctx context.Context, webhook *admissionv1.MutatingWebhookConfiguration) (bool, error) {
-	log := logf.FromContext(ctx).V(3)
+	log := logf.FromContext(ctx)
 	if len(webhook.Webhooks) == 0 {
 		return false, errors.New("mutatingwebhookconfiguration contains no webhooks")
 	}
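Review bot: `log.V(3).Error(err, "Probe failed")` in Reconcile is emitted regardless of the verbosity level, because logr's Error ignores V, so every failed probe — an expected condition whenever the remote control plane is unreachable — is written at error level on each reconcile, and doProbe already logs the same failure at V(3) in the following hunk. If the low-verbosity message of the old `.V(3)` logger was intended, use `log.V(3).Info("Probe failed", "error", err)` or drop the line. Separately, `reason = err.Error()` copies the raw transport error (for an HTTP probe this likely includes the probe URL) into an annotation on a cluster-scoped object; a short, stable reason string would tell readers of MutatingWebhookConfigurations that the probe failed without republishing transport details. Reconcile's body continues outside the hunk.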
@@ -129,13 +136,13 @@ func doProbe(ctx context.Context, webhook *admissionv1.MutatingWebhookConfigurat
 		return false, err
 	}
 
-	log.Info("Executing readiness probe on remote control plane", "url", req.URL.String())
+	log.V(3).Info("Executing readiness probe on remote control plane", "url", req.URL.String())
 	resp, err := httpClient.Do(req)
 	if err != nil {
-		log.Info("Probe failed", "error", err)
+		log.V(3).Info("Probe failed", "error", err)
 		return false, err
 	}
-	log.Info("Probe response", "response", resp.StatusCode)
+	log.V(3).Info("Probe response", "response", resp.StatusCode)
 	return resp.StatusCode == http.StatusOK, nil
 }
 
@@ -178,36 +185,37 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error { // we use the Watches function instead of For(), so that we can wrap the handler so that events that cause the object to be enqueued are logged // +lint-watches:ignore: IstioRevision (not found in charts, but this is the main resource watched by this controller) - Watches(&admissionv1.MutatingWebhookConfiguration{}, objectHandler, builder.WithPredicates(ownedByRemoteIstioPredicate(mgr.GetClient()))). + Watches(&admissionv1.MutatingWebhookConfiguration{}, objectHandler, builder.WithPredicates(ownedByRemoteIstioRevisionPredicate(mgr.GetClient()))). Named("mutatingwebhookconfiguration"). Complete(reconciler.NewStandardReconciler[*admissionv1.MutatingWebhookConfiguration](r.Client, r.Reconcile)) } -func ownedByRemoteIstioPredicate(cl client.Client) predicate.Predicate { +func ownedByRemoteIstioRevisionPredicate(cl client.Client) predicate.Predicate { return predicate.Funcs{ CreateFunc: func(e event.CreateEvent) bool { - return isOwnedByRemoteIstio(cl, e.Object) + return IsOwnedByRevisionWithRemoteControlPlane(cl, e.Object) }, UpdateFunc: func(e event.UpdateEvent) bool { - return isOwnedByRemoteIstio(cl, e.ObjectNew) + return IsOwnedByRevisionWithRemoteControlPlane(cl, e.ObjectNew) }, DeleteFunc: func(e event.DeleteEvent) bool { - return isOwnedByRemoteIstio(cl, e.Object) + return IsOwnedByRevisionWithRemoteControlPlane(cl, e.Object) }, GenericFunc: func(e event.GenericEvent) bool { - return isOwnedByRemoteIstio(cl, e.Object) + return IsOwnedByRevisionWithRemoteControlPlane(cl, e.Object) }, } } -func isOwnedByRemoteIstio(cl client.Client, obj client.Object) bool { +func IsOwnedByRevisionWithRemoteControlPlane(cl client.Client, obj client.Object) bool { for _, ownerRef := range obj.GetOwnerReferences() { if ownerRef.APIVersion == v1alpha1.GroupVersion.String() && ownerRef.Kind == v1alpha1.IstioRevisionKind { rev := &v1alpha1.IstioRevision{} err := cl.Get(context.Background(), 
client.ObjectKey{Name: ownerRef.Name}, rev) if err != nil { - // TODO log error - } else if rev.Spec.Type == v1alpha1.IstioRevisionTypeRemote { + return false + } + if revision.IsUsingRemoteControlPlane(rev) { return true } } diff --git a/controllers/webhook/webhook_controller_test.go b/controllers/webhook/webhook_controller_test.go index 2e2b98813..054c316cf 100644 --- a/controllers/webhook/webhook_controller_test.go +++ b/controllers/webhook/webhook_controller_test.go @@ -380,7 +380,7 @@ func TestDoProbe(t *testing.T) { } } -func TestIsOwnedByRemoteIstio(t *testing.T) { +func TestIsOwnedByRevisionWithRemoteControlPlane(t *testing.T) { tests := []struct { name string ownerRefs []metav1.OwnerReference @@ -431,7 +431,7 @@ func TestIsOwnedByRemoteIstio(t *testing.T) { expected: false, }, { - name: "IstioRevision type not remote", + name: "IstioRevision not using remote profile", ownerRefs: []metav1.OwnerReference{ { APIVersion: v1alpha1.GroupVersion.String(), @@ -444,15 +444,13 @@ func TestIsOwnedByRemoteIstio(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "revision1", }, - Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, - }, + Spec: v1alpha1.IstioRevisionSpec{}, }, }, expected: false, }, { - name: "IstioRevision type is remote", + name: "IstioRevision uses remote profile", ownerRefs: []metav1.OwnerReference{ { APIVersion: v1alpha1.GroupVersion.String(), @@ -466,7 +464,9 @@ func TestIsOwnedByRemoteIstio(t *testing.T) { Name: "revision1", }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeRemote, + Values: &v1alpha1.Values{ + Profile: ptr.Of("remote"), + }, }, }, }, @@ -489,7 +489,7 @@ func TestIsOwnedByRemoteIstio(t *testing.T) { }, } - result := isOwnedByRemoteIstio(cl, obj) + result := IsOwnedByRevisionWithRemoteControlPlane(cl, obj) g.Expect(result).To(Equal(tt.expected)) }) } diff --git a/docs/README.md b/docs/README.md index 367df9fe1..136954d3c 100644 --- a/docs/README.md +++ b/docs/README.md 
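Review bot: In IsOwnedByRevisionWithRemoteControlPlane the new `return false` after a failed `cl.Get` drops the error without a trace — the `// TODO log error` is removed rather than resolved — and it also stops scanning the remaining owner references, where the previous code moved on to the next one (this only matters if an object carries more than one IstioRevision owner reference). A transient API error therefore filters the event out of the predicate silently, and the webhook's readiness annotations stay stale until another event arrives. To keep the loop semantics and record the failure, replace the return with `logf.Log.Error(err, "failed to get IstioRevision", "name", ownerRef.Name)` followed by `continue`. The function's final return and closing brace are outside the hunk.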
@@ -7,7 +7,6 @@ - [Istio resource](#istio-resource) - [IstioRevision resource](#istiorevision-resource) - [IstioCNI resource](#istiocni-resource) - - [RemoteIstio resource](#remoteistio-resource) - [API Reference documentation](#api-reference-documentation) - [Getting Started](#getting-started) - [Installation on OpenShift](#installation-on-openshift) @@ -107,32 +106,6 @@ spec: - kube-system ``` -### RemoteIstio resource -The `RemoteIstio` resource is used to connect the local cluster to an external Istio control plane. -When you create a `RemoteIstio` resource, the operator deploys the `istiod-remote` Helm chart. -Instead of deploying the entire Istio control plane, this chart deploys only the sidecar injector webhook, allowing you to inject the Istio proxy into your workloads and have this proxy managed by the Istio control plane running outside the cluster (typically in another Kubernetes cluster). - -The `RemoteIstio` resource is very similar to the `Istio` resource, with the most notable difference being the `istiodRemote` field in the `values` section, which allows you to configure the address of the remote Istio control plane: - -```yaml -apiVersion: sailoperator.io/v1alpha1 -kind: RemoteIstio -metadata: - name: default -spec: - version: v1.23.2 - namespace: istio-system - updateStrategy: - type: InPlace - values: - istiodRemote: - injectionPath: /inject/cluster/cluster2/net/network1 - global: - remotePilotAddress: 1.2.3.4 -``` - -For more information on how to use the `RemoteIstio` resource, refer to the [multi-cluster](#multi-cluster) section. - ## API Reference documentation The Sail Operator API reference documentation can be found [here](https://github.com/istio-ecosystem/sail-operator/tree/main/docs/api-reference/sailoperator.io.md). 
@@ -244,10 +217,6 @@ Sail Operator's Istio resource does not have a `spec.components` field. Instead, The CNI plugin's lifecycle is managed separately from the control plane. You will have to create a [IstioCNI resource](#istiocni-resource) to use CNI. -### istiod-remote - -The functionality of the istiod-remote chart is exposed through the [RemoteIstio resource](#remoteistio-resource). - ## Gateways [Gateways in Istio](https://istio.io/latest/docs/concepts/traffic-management/#gateways) are used to manage inbound and outbound traffic for the mesh. The Sail Operator does not deploy or manage Gateways. You can deploy a gateway either through [gateway-api](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/) or through [gateway injection](https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). As you are following the gateway installation instructions, skip the step to install Istio since this is handled by the Sail Operator. @@ -877,17 +846,18 @@ In this setup there is a Primary cluster (`cluster1`) and a Remote cluster (`clu kubectl --context "${CTX_CLUSTER1}" apply -n istio-system -f https://raw.githubusercontent.com/istio-ecosystem/sail-operator/main/docs/multicluster/expose-services.yaml ``` -5. Create `RemoteIstio` resource on `cluster2`. +5. Create an `Istio` on `cluster2` with the `remote` profile. ```sh kubectl apply --context "${CTX_CLUSTER2}" -f - <1.0.0") + }) + + t.Run("invalid constraint", func(t *testing.T) { + defer func() { + if r := recover(); r == nil { + t.Error("Expected panic for invalid constraint") + } + }() + _ = Constraint("invalid_version") + }) +} diff --git a/resources/latest/profiles/remote.yaml b/resources/latest/profiles/remote.yaml new file mode 100644 index 000000000..fcd281aa0 --- /dev/null +++ b/resources/latest/profiles/remote.yaml 
@@ -0,0 +1,7 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: remote diff --git a/resources/v1.21.6/profiles/remote.yaml b/resources/v1.21.6/profiles/remote.yaml new file mode 100644 index 000000000..d72fd66e4 --- /dev/null +++ b/resources/v1.21.6/profiles/remote.yaml @@ -0,0 +1,5 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: {} diff --git a/resources/v1.22.5/profiles/remote.yaml b/resources/v1.22.5/profiles/remote.yaml new file mode 100644 index 000000000..d72fd66e4 --- /dev/null +++ b/resources/v1.22.5/profiles/remote.yaml @@ -0,0 +1,5 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: {} diff --git a/resources/v1.23.2/profiles/remote.yaml b/resources/v1.23.2/profiles/remote.yaml new file mode 100644 index 000000000..d72fd66e4 --- /dev/null +++ b/resources/v1.23.2/profiles/remote.yaml @@ -0,0 +1,5 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: {} diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go index 7ff6db158..92182f20f 100644 --- a/tests/e2e/multicluster/multicluster_primaryremote_test.go +++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go 
@@ -25,6 +25,7 @@ import ( "github.com/istio-ecosystem/sail-operator/pkg/kube" . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" + "github.com/istio-ecosystem/sail-operator/pkg/version" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" @@ -68,14 +69,14 @@ var _ = Describe("Multicluster deployment models", Ordered, func() { Describe("Primary-Remote - Multi-Network configuration", func() { // Test the Primary-Remote - Multi-Network configuration for each supported Istio version - for _, version := range supportedversion.List { - // The Primary-Remote - Multi-Network configuration is only supported in Istio 1.23, because that's the only - // version that has the istiod-remote chart. For 1.24, we need to rewrite the support for RemoteIstio. - if !(version.Version.Major() == 1 && version.Version.Minor() == 23) { + for _, v := range supportedversion.List { + // The Primary-Remote - Multi-Network configuration is only supported in Istio 1.24+. + if version.Constraint("<1.24").Check(v.Version) { + Log(fmt.Sprintf("Skipping test, because Istio version %s does not support Primary-Remote Multi-Network configuration", v.Version)) continue } - Context(fmt.Sprintf("Istio version %s", version.Version), func() { + Context(fmt.Sprintf("Istio version %s", v.Version), func() { When("Istio resources are created in both clusters", func() { BeforeAll(func(ctx SpecContext) { Expect(k1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") 
@@ -115,7 +116,7 @@ spec: multiCluster: clusterName: %s network: %s` - multiclusterPrimaryYAML := fmt.Sprintf(PrimaryYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster1", "network1") + multiclusterPrimaryYAML := fmt.Sprintf(PrimaryYAML, v.Name, controlPlaneNamespace, "mesh1", "cluster1", "network1") Log("Istio CR Primary: ", multiclusterPrimaryYAML) Expect(k1.CreateFromString(multiclusterPrimaryYAML)).To(Succeed(), "Istio Resource creation failed on Primary Cluster") }) @@ -131,7 +132,7 @@ spec: Eventually(common.GetObject). WithArguments(ctx, clPrimary, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available on Primary; unexpected Condition") - Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Expect(common.GetVersionFromIstiod()).To(Equal(v.Version), "Unexpected istiod version") Success("Istiod is deployed in the namespace and Running on Primary Cluster") }) }) @@ -154,17 +155,18 @@ spec: }) }) - When("RemoteIstio is created in Remote cluster", func() { + When("Istio is created in Remote cluster", func() { BeforeAll(func(ctx SpecContext) { - RemoteYAML := ` + istioYAMLTemplate := ` apiVersion: sailoperator.io/v1alpha1 -kind: RemoteIstio +kind: Istio metadata: name: default spec: version: %s namespace: istio-system values: + profile: remote istiodRemote: injectionPath: /inject/cluster/remote/net/network2 global: 
@@ -173,10 +175,10 @@ spec: remotePilotAddress, err := common.GetSVCLoadBalancerAddress(ctx, clPrimary, controlPlaneNamespace, "istio-eastwestgateway") Expect(remotePilotAddress).NotTo(BeEmpty(), "Remote Pilot Address is empty") Expect(err).NotTo(HaveOccurred(), "Error getting Remote Pilot Address") - remoteIstioYAML := fmt.Sprintf(RemoteYAML, version.Name, remotePilotAddress) - Log("RemoteIstio CR: ", remoteIstioYAML) - By("Creating RemoteIstio CR on Remote Cluster") - Expect(k2.CreateFromString(remoteIstioYAML)).To(Succeed(), "RemoteIstio Resource creation failed on Remote Cluster") + istioYAML := fmt.Sprintf(istioYAMLTemplate, v.Name, remotePilotAddress) + Log("Istio CR: ", istioYAML) + By("Creating Istio CR on Remote Cluster") + Expect(k2.CreateFromString(istioYAML)).To(Succeed(), "Istio Resource creation failed on Remote Cluster") // Set the controlplane cluster and network for Remote namespace By("Patching the istio-system namespace on Remote Cluster") 
@@ -196,13 +198,13 @@ spec: To(Succeed(), "Error patching istio-system namespace") // To be able to access the remote cluster from the primary cluster, we need to create a secret in the primary cluster - // RemoteIstio resource will not be Ready until the secret is created + // Remote Istio resource will not be Ready until the secret is created // Get the internal IP of the control plane node in Remote cluster internalIPRemote, err := k2.GetInternalIP("node-role.kubernetes.io/control-plane") Expect(internalIPRemote).NotTo(BeEmpty(), "Internal IP is empty for Remote Cluster") Expect(err).NotTo(HaveOccurred()) - // Wait for the RemoteIstio CR to be created, this can be moved to a condition verification, but the resource it not will be Ready at this point + // Wait for the remote Istio CR to be created, this can be moved to a condition verification, but the resource it not will be Ready at this point time.Sleep(5 * time.Second) // Install a remote secret in Primary cluster that provides access to the Remote cluster API server. @@ -219,11 +221,11 @@ spec: Success("Remote secret is created in Primary cluster") }) - It("updates RemoteIstio CR status to Ready", func(ctx SpecContext) { + It("updates remote Istio CR status to Ready", func(ctx SpecContext) { Eventually(common.GetObject). - WithArguments(ctx, clRemote, kube.Key(istioName), &v1alpha1.RemoteIstio{}). + WithArguments(ctx, clRemote, kube.Key(istioName), &v1alpha1.Istio{}). Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Remote; unexpected Condition") - Success("RemoteIstio CR is Ready on Remote Cluster") + Success("Istio CR is Ready on Remote Cluster") }) }) @@ -244,7 +246,7 @@ spec: When("sample apps are deployed in both clusters", func() { BeforeAll(func(ctx SpecContext) { // Deploy the sample app in both clusters - deploySampleApp("sample", version) + deploySampleApp("sample", v) Success("Sample app is deployed in both clusters") }) 
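Review bot: The comment the `-196` hunk touches still carries the garbled phrase `the resource it not will be Ready at this point`; since the line is rewritten anyway, fix the wording too, e.g. `// Wait for the remote Istio CR to be created; this could become a condition check, but the resource will not be Ready at this point`. The `time.Sleep(5 * time.Second)` it annotates appears to follow a synchronous `k2.CreateFromString`, so it is not clear what the sleep waits for — worth stating in the comment if it is still needed, otherwise dropping it.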
@@ -279,11 +281,11 @@ spec: }) }) - When("Istio CR and RemoteIstio CR are deleted in both clusters", func() { + When("Istio CR is deleted in both clusters", func() { BeforeEach(func() { - Expect(k1.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") - Expect(k2.WithNamespace(controlPlaneNamespace).Delete("remoteistio", istioName)).To(Succeed(), "RemoteIstio CR failed to be deleted") - Success("Istio and RemoteIstio are deleted") + Expect(k1.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "primary Istio CR failed to be deleted") + Expect(k2.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "remote Istio CR failed to be deleted") + Success("Primary and Remote Istio resources are deleted") }) It("removes istiod on Primary", func(ctx SpecContext) { @@ -313,6 +315,10 @@ spec: Expect(k1.WaitNamespaceDeleted("sample")).To(Succeed()) Expect(k2.WaitNamespaceDeleted("sample")).To(Succeed()) Success("Sample app is deleted in both clusters") + + // Delete the resources created by istioctl create-remote-secret + Expect(k2.Delete("ClusterRoleBinding", "istiod-clusterrole-istio-system")).To(Succeed()) + Expect(k2.Delete("ClusterRole", "istiod-clusterrole-istio-system")).To(Succeed()) }) }) } diff --git a/tests/integration/api/istio_test.go b/tests/integration/api/istio_test.go index d939f9cd3..ce7254443 100644 --- a/tests/integration/api/istio_test.go +++ b/tests/integration/api/istio_test.go @@ -137,7 +137,6 @@ var _ = Describe("Istio resource", Ordered, func() { }).Should(Succeed()) Expect(rev.Spec).To(Equal(v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: istio.Spec.Version, Namespace: istio.Spec.Namespace, Values: &v1alpha1.Values{ 
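Review bot: The teardown added at the end of the `-313` hunk deletes only the `istiod-clusterrole-istio-system` ClusterRole and ClusterRoleBinding, but `istioctl create-remote-secret` also creates the reader ServiceAccount (by default `istio-reader-service-account`, if the test relies on the default) in the control-plane namespace, and the follow-up commit further down this page that adds `istiod-gateway-controller-istio-system` shows the hard-coded list was already incomplete. Leaving cluster-scoped RBAC and the identity it binds behind means each later version in the loop runs against grants created by an earlier iteration, and a credential the primary cluster can use to read the remote API server outlives the test. Consider deleting everything the command created in one place, driven by a slice of name prefixes and `controlPlaneNamespace` instead of the literal `istio-system` suffix (they appear to be the same value here — confirm), e.g. `for _, p := range []string{"istiod-clusterrole-", "istiod-gateway-controller-"} { Expect(k2.Delete("ClusterRoleBinding", p+controlPlaneNamespace)).To(Succeed()); Expect(k2.Delete("ClusterRole", p+controlPlaneNamespace)).To(Succeed()) }`.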
@@ -174,7 +173,6 @@ var _ = Describe("Istio resource", Ordered, func() { Eventually(k8sClient.Get).WithArguments(ctx, revKey, rev).Should(Succeed()) Expect(rev.GetOwnerReferences()).To(ContainElement(NewOwnerReference(istio))) Expect(rev.Spec).To(Equal(v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: istio.Spec.Version, Namespace: istio.Spec.Namespace, Values: &v1alpha1.Values{ diff --git a/tests/integration/api/istiorevision_test.go b/tests/integration/api/istiorevision_test.go index 9b17e63ca..5ceeed326 100644 --- a/tests/integration/api/istiorevision_test.go +++ b/tests/integration/api/istiorevision_test.go @@ -98,7 +98,6 @@ var _ = Describe("IstioRevision resource", Ordered, func() { Name: revName, }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, Namespace: istioNamespace, Values: &v1alpha1.Values{ @@ -118,7 +117,6 @@ var _ = Describe("IstioRevision resource", Ordered, func() { Name: revName, }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, Namespace: istioNamespace, Values: &v1alpha1.Values{ @@ -138,7 +136,6 @@ var _ = Describe("IstioRevision resource", Ordered, func() { Name: "default", }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, Namespace: istioNamespace, Values: &v1alpha1.Values{ @@ -158,7 +155,6 @@ var _ = Describe("IstioRevision resource", Ordered, func() { Name: "default", }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, Namespace: istioNamespace, Values: &v1alpha1.Values{ @@ -182,7 +178,6 @@ var _ = Describe("IstioRevision resource", Ordered, func() { Name: revName, }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, Namespace: nsName, Values: &v1alpha1.Values{ 
@@ -249,7 +244,6 @@ var _ = Describe("IstioRevision resource", Ordered, func() { Name: revName, }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, Namespace: istioNamespace, Values: &v1alpha1.Values{ @@ -440,7 +434,6 @@ var _ = Describe("IstioRevision resource", Ordered, func() { Name: rev2Key.Name, }, Spec: v1alpha1.IstioRevisionSpec{ - Type: v1alpha1.IstioRevisionTypeLocal, Version: supportedversion.Default, Namespace: istioNamespace, Values: &v1alpha1.Values{ diff --git a/tests/integration/api/suite_test.go b/tests/integration/api/suite_test.go index f7cd9e7f4..662b9ea80 100644 --- a/tests/integration/api/suite_test.go +++ b/tests/integration/api/suite_test.go @@ -24,7 +24,6 @@ import ( "github.com/istio-ecosystem/sail-operator/controllers/istio" "github.com/istio-ecosystem/sail-operator/controllers/istiocni" "github.com/istio-ecosystem/sail-operator/controllers/istiorevision" - "github.com/istio-ecosystem/sail-operator/controllers/remoteistio" "github.com/istio-ecosystem/sail-operator/pkg/config" "github.com/istio-ecosystem/sail-operator/pkg/helm" "github.com/istio-ecosystem/sail-operator/pkg/scheme" @@ -83,7 +82,6 @@ var _ = BeforeSuite(func() { cl := mgr.GetClient() scheme := mgr.GetScheme() Expect(istio.NewReconciler(cfg, cl, scheme).SetupWithManager(mgr)).To(Succeed()) - Expect(remoteistio.NewReconciler(cfg, cl, scheme).SetupWithManager(mgr)).To(Succeed()) Expect(istiorevision.NewReconciler(cfg, cl, scheme, chartManager).SetupWithManager(mgr)).To(Succeed()) Expect(istiocni.NewReconciler(cfg, cl, scheme, chartManager).SetupWithManager(mgr)).To(Succeed()) From 0fa4f240316082a090f45d1152d68e00c4ffcd85 Mon Sep 17 00:00:00 2001 
From: Sridhar Gaddam Date: Wed, 6 Nov 2024 00:14:42 +0530 Subject: [PATCH 04/11] Minor updates to Gateway docs (#466) This PR makes the following updates: 1. Updates the link to the gateway deployment to use istio.io instead of preliminary.istio.io 2. Removes the namespace reference to align with the recommendation that the gateway should be deployed in the same namespace as the application. Signed-off-by: Sridhar Gaddam --- docs/common/create-and-configure-gateways.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/common/create-and-configure-gateways.md b/docs/common/create-and-configure-gateways.md index 29e35bd75..c3db3523d 100644 --- a/docs/common/create-and-configure-gateways.md +++ b/docs/common/create-and-configure-gateways.md @@ -13,7 +13,7 @@ You can deploy gateways using either the Gateway API or Gateway Injection method Gateway Injection uses the same mechanisms as Istio sidecar injection to create a gateway from a `Deployment` resource that is paired with a `Service` resource that can be made accessible from outside the cluster. For more information, see -[Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). +[Installing Gateways](https://istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). To configure gateway injection with the `bookinfo` application, we have provided a [sample gateway configuration](../../chart/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace @@ -22,7 +22,7 @@ where the application is installed: 1. Create the `istio-ingressgateway` deployment and service: ```sh - $ oc apply -f -n ingress-gateway.yaml + $ oc apply -f ingress-gateway.yaml ``` 2. Configure the `bookinfo` application with the new gateway: From 9aca5c0e5014f4200b9978213ab21c3522aaafbc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Wed, 6 Nov 2024 13:35:25 +0100 Subject: [PATCH 05/11] Clean up istiod-gateway-controller-istio-system ClusterRole & Binding in primary-remote test (#470) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marko Lukša --- tests/e2e/multicluster/multicluster_primaryremote_test.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go index 92182f20f..ef8275cb8 100644 --- a/tests/e2e/multicluster/multicluster_primaryremote_test.go +++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go @@ -319,6 +319,8 @@ spec: // Delete the resources created by istioctl create-remote-secret Expect(k2.Delete("ClusterRoleBinding", "istiod-clusterrole-istio-system")).To(Succeed()) Expect(k2.Delete("ClusterRole", "istiod-clusterrole-istio-system")).To(Succeed()) + Expect(k2.Delete("ClusterRoleBinding", "istiod-gateway-controller-istio-system")).To(Succeed()) + Expect(k2.Delete("ClusterRole", "istiod-gateway-controller-istio-system")).To(Succeed()) }) }) } From 40bb9d7ffdf7a340400c66dbd6a3147c2fc23652 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Thu, 7 Nov 2024 10:53:27 +0100 Subject: [PATCH 06/11] Implement temporary hack to prevent removal of pull secrets added by external controllers (#469) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses #430 Signed-off-by: Marko Lukša --- controllers/istiocni/istiocni_controller.go | 8 ++- .../istiorevision/istiorevision_controller.go | 7 ++- pkg/predicate/predicate.go | 27 +++++++++ tests/integration/api/istiocni_test.go | 29 ++++++++++ tests/integration/api/istiorevision_test.go | 58 ++++++++++++++++--- 5 files changed, 118 insertions(+), 11 deletions(-) create mode 100644 pkg/predicate/predicate.go 
diff --git a/controllers/istiocni/istiocni_controller.go b/controllers/istiocni/istiocni_controller.go index d8b031b1f..23f558083 100644 --- a/controllers/istiocni/istiocni_controller.go +++ b/controllers/istiocni/istiocni_controller.go @@ -30,6 +30,7 @@ import ( "github.com/istio-ecosystem/sail-operator/pkg/helm" "github.com/istio-ecosystem/sail-operator/pkg/istiovalues" "github.com/istio-ecosystem/sail-operator/pkg/kube" + "github.com/istio-ecosystem/sail-operator/pkg/predicate" "github.com/istio-ecosystem/sail-operator/pkg/reconciler" "github.com/istio-ecosystem/sail-operator/pkg/validation" appsv1 "k8s.io/api/apps/v1" @@ -40,6 +41,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/builder" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller" "sigs.k8s.io/controller-runtime/pkg/handler" @@ -225,7 +227,11 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error { Watches(&corev1.ConfigMap{}, ownedResourceHandler). Watches(&appsv1.DaemonSet{}, ownedResourceHandler). Watches(&corev1.ResourceQuota{}, ownedResourceHandler). - Watches(&corev1.ServiceAccount{}, ownedResourceHandler). + + // We use predicate.IgnoreUpdate() so that we skip the reconciliation when a pull secret is added to the ServiceAccount. + // This is necessary so that we don't remove the newly-added secret. + // TODO: this is a temporary hack until we implement the correct solution on the Helm-render side + Watches(&corev1.ServiceAccount{}, ownedResourceHandler, builder.WithPredicates(predicate.IgnoreUpdate())). // TODO: only register NetAttachDef if the CRD is installed (may also need to watch for CRD creation) // Owns(&multusv1.NetworkAttachmentDefinition{}). diff --git a/controllers/istiorevision/istiorevision_controller.go b/controllers/istiorevision/istiorevision_controller.go index fb022237c..f845833ef 100644 
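Review bot: `predicate.IgnoreUpdate()` on the ServiceAccount watch in the `-225` hunk (and the identical `predicate2.IgnoreUpdate()` in the istiorevision controller hunk that follows) suppresses every update event, not only the pull-secret additions the comment describes, so any other drift on the istio-cni or istiod ServiceAccount — `automountServiceAccountToken`, the `secrets` list, annotations — is no longer reconciled until some unrelated event happens to enqueue the owner. For the identity the control plane and CNI plugin run as, that leaves an edited object unnoticed for an unbounded time, which is wider than the temporary hack needs. A narrower predicate that compares old and new objects with `ImagePullSecrets` and server-managed metadata blanked out keeps the #430 behaviour while still reconciling other changes; it belongs in the new `pkg/predicate` package added later in this commit (it needs `corev1` and `reflect` imports there) and would be used here as `builder.WithPredicates(predicate.IgnorePullSecretChanges())`. Whether the `secrets` field also has to be excluded depends on how the Helm render treats it on clusters whose token controller still populates it — confirm before widening the exclusion.
```go
// IgnorePullSecretChanges returns a predicate that drops ServiceAccount update
// events whose only difference is the imagePullSecrets list, so secrets injected
// by external controllers are not reverted while every other change still
// triggers a reconcile. Objects that are not ServiceAccounts pass through.
func IgnorePullSecretChanges() predicate.Funcs {
	return predicate.Funcs{
		UpdateFunc: func(e event.UpdateEvent) bool {
			oldSA, okOld := e.ObjectOld.(*corev1.ServiceAccount)
			newSA, okNew := e.ObjectNew.(*corev1.ServiceAccount)
			if !okOld || !okNew {
				return true
			}
			a, b := oldSA.DeepCopy(), newSA.DeepCopy()
			a.ImagePullSecrets, b.ImagePullSecrets = nil, nil
			// server-managed metadata changes on every write and must not count as drift
			a.ResourceVersion, b.ResourceVersion = "", ""
			a.ManagedFields, b.ManagedFields = nil, nil
			return !reflect.DeepEqual(a, b)
		},
	}
}
```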
--- a/controllers/istiorevision/istiorevision_controller.go +++ b/controllers/istiorevision/istiorevision_controller.go @@ -30,6 +30,7 @@ import ( "github.com/istio-ecosystem/sail-operator/pkg/errlist" "github.com/istio-ecosystem/sail-operator/pkg/helm" "github.com/istio-ecosystem/sail-operator/pkg/kube" + predicate2 "github.com/istio-ecosystem/sail-operator/pkg/predicate" "github.com/istio-ecosystem/sail-operator/pkg/reconciler" "github.com/istio-ecosystem/sail-operator/pkg/revision" "github.com/istio-ecosystem/sail-operator/pkg/validation" @@ -232,7 +233,11 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error { Watches(&appsv1.Deployment{}, ownedResourceHandler). // we don't ignore the status here because we use it to calculate the IstioRevision status Watches(&corev1.Endpoints{}, ownedResourceHandler). Watches(&corev1.Service{}, ownedResourceHandler, builder.WithPredicates(ignoreStatusChange())). - Watches(&corev1.ServiceAccount{}, ownedResourceHandler). + + // We use predicate.IgnoreUpdate() so that we skip the reconciliation when a pull secret is added to the ServiceAccount. + // This is necessary so that we don't remove the newly-added secret. + // TODO: this is a temporary hack until we implement the correct solution on the Helm-render side + Watches(&corev1.ServiceAccount{}, ownedResourceHandler, builder.WithPredicates(predicate2.IgnoreUpdate())). Watches(&rbacv1.Role{}, ownedResourceHandler). Watches(&rbacv1.RoleBinding{}, ownedResourceHandler). Watches(&policyv1.PodDisruptionBudget{}, ownedResourceHandler, builder.WithPredicates(ignoreStatusChange())). diff --git a/pkg/predicate/predicate.go b/pkg/predicate/predicate.go new file mode 100644 index 000000000..fc4f7466c --- /dev/null +++ b/pkg/predicate/predicate.go 
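Review bot: The import alias `predicate2` in the `-30` hunk is the kind of name an IDE generates to dodge the clash with controller-runtime's `predicate` package, and it tells the reader nothing at the call site in the `-232` hunk. A descriptive alias reads better, e.g. `sailpredicate "github.com/istio-ecosystem/sail-operator/pkg/predicate"` with `builder.WithPredicates(sailpredicate.IgnoreUpdate())`; the istiocni controller gets away without an alias apparently only because that file does not import the controller-runtime predicate package, so any controller that uses both will hit the same collision.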
@@ -0,0 +1,27 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package predicate + +import ( + "sigs.k8s.io/controller-runtime/pkg/event" + "sigs.k8s.io/controller-runtime/pkg/predicate" +) + +// ignoreUpdate returns a predicate that ignores update events. +func IgnoreUpdate() predicate.Funcs { + return predicate.Funcs{ + UpdateFunc: func(e event.UpdateEvent) bool { return false }, + } +} diff --git a/tests/integration/api/istiocni_test.go b/tests/integration/api/istiocni_test.go index f43756ae3..c207d4b11 100644 --- a/tests/integration/api/istiocni_test.go +++ b/tests/integration/api/istiocni_test.go @@ -22,6 +22,7 @@ import ( "time" "github.com/istio-ecosystem/sail-operator/api/v1alpha1" + "github.com/istio-ecosystem/sail-operator/pkg/enqueuelogger" "github.com/istio-ecosystem/sail-operator/pkg/kube" . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" @@ -43,6 +44,8 @@ var _ = Describe("IstioCNI", Ordered, func() { SetDefaultEventuallyPollingInterval(time.Second) SetDefaultEventuallyTimeout(30 * time.Second) + enqueuelogger.LogEnqueueEvents = true + ctx := context.Background() namespace := &corev1.Namespace{ 
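Review bot: The doc comment `// ignoreUpdate returns a predicate that ignores update events.` names a lowercase function while the exported symbol is `IgnoreUpdate`, so godoc will not attach it and revive/golint-style checks flag it; change it to `// IgnoreUpdate returns a predicate that drops all update events; create, delete and generic events still pass, since unset predicate.Funcs members default to true.` Because the function is exported and used by two controllers, the comment should also say when dropping updates wholesale is acceptable — the pull-secret rationale and its TODO currently live only at the call sites — so the next reader does not reuse it for a resource where ignoring drift is unsafe.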
@@ -236,6 +239,32 @@ var _ = Describe("IstioCNI", Ordered, func() { }).Should(Succeed()) }) }) + + It("skips reconcile when a pull secret is added to service account", func() { + waitForInFlightReconcileToFinish() + + sa := &corev1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{ + Name: "istio-cni", + Namespace: cniNamespace, + }, + } + Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(sa), sa)).To(Succeed()) + + beforeCount := getIstioCNIReconcileCount(Default) + + By("adding pull secret to ServiceAccount") + sa.ImagePullSecrets = append(sa.ImagePullSecrets, corev1.LocalObjectReference{Name: "other-pull-secret"}) + Expect(k8sClient.Update(ctx, sa)).To(Succeed()) + + Consistently(func(g Gomega) { + afterCount := getIstioCNIReconcileCount(g) + g.Expect(afterCount).To(Equal(beforeCount)) + }, 5*time.Second).Should(Succeed(), "IstioRevision was reconciled when it shouldn't have been") + + Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(sa), sa)).To(Succeed()) + Expect(sa.ImagePullSecrets).To(ContainElement(corev1.LocalObjectReference{Name: "other-pull-secret"})) + }) }) When("the resource is deleted", func() { diff --git a/tests/integration/api/istiorevision_test.go b/tests/integration/api/istiorevision_test.go index 5ceeed326..4bfd819a3 100644 --- a/tests/integration/api/istiorevision_test.go +++ b/tests/integration/api/istiorevision_test.go @@ -315,8 +315,8 @@ var _ = Describe("IstioRevision resource", Ordered, func() { DescribeTable("reconciles owned resource", func(obj client.Object, modify func(obj client.Object), validate func(g Gomega, obj client.Object)) { By("on update", func() { - // ensure all in-flight reconcile operations finish before the test; unfortunately, sleeping seems to be the only option to achieve this - time.Sleep(5 * time.Second) + // ensure all in-flight reconcile operations finish before the test + waitForInFlightReconcileToFinish() Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(obj), obj)).To(Succeed()) 
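Review bot: The failure message `"IstioRevision was reconciled when it shouldn't have been"` in the new IstioCNI test was copied from the IstioRevision test and would mislead whoever reads a failure of this spec; use `"IstioCNI was reconciled when it shouldn't have been"`. The test otherwise verifies only that the counter stays flat for 5 s and the added secret survives, which is the intended contract of the hack, so a one-line comment naming the pull-secret rationale (the controller-side comment is in another file) would help a reader who sees this spec in isolation.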
@@ -380,20 +380,18 @@ var _ = Describe("IstioRevision resource", Ordered, func() { DescribeTable("skips reconcile when only the status of the owned resource is updated", func(obj client.Object, modify func(obj client.Object)) { - // wait for the in-flight reconcile operations to finish - // unfortunately, I don't see a good way to do this other than by waiting - time.Sleep(5 * time.Second) + waitForInFlightReconcileToFinish() Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(obj), obj)).To(Succeed()) - beforeCount := getReconcileCount(Default) + beforeCount := getIstioRevisionReconcileCount(Default) By("modifying object") modify(obj) Expect(k8sClient.Status().Update(ctx, obj)).To(Succeed()) Consistently(func(g Gomega) { - afterCount := getReconcileCount(g) + afterCount := getIstioRevisionReconcileCount(g) g.Expect(afterCount).To(Equal(beforeCount)) }, 5*time.Second).Should(Succeed()) }, 
@@ -423,6 +421,34 @@ var _ = Describe("IstioRevision resource", Ordered, func() { ), ) + It("skips reconcile when a pull secret is added to service account", func() { + waitForInFlightReconcileToFinish() + + sa := &corev1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{ + Name: "istiod-" + revName, + Namespace: istioNamespace, + }, + } + Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(sa), sa)).To(Succeed()) + + GinkgoWriter.Println("sa:", sa) + + beforeCount := getIstioRevisionReconcileCount(Default) + + By("adding pull secret to ServiceAccount") + sa.ImagePullSecrets = append(sa.ImagePullSecrets, corev1.LocalObjectReference{Name: "other-pull-secret"}) + Expect(k8sClient.Update(ctx, sa)).To(Succeed()) + + Consistently(func(g Gomega) { + afterCount := getIstioRevisionReconcileCount(g) + g.Expect(afterCount).To(Equal(beforeCount)) + }, 5*time.Second).Should(Succeed(), "IstioRevision was reconciled when it shouldn't have been") + + Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(sa), sa)).To(Succeed()) + Expect(sa.ImagePullSecrets).To(ContainElement(corev1.LocalObjectReference{Name: "other-pull-secret"})) + }) + It("supports concurrent deployment of two control planes", func() { rev2Name := revName + "2" rev2Key := client.ObjectKey{Name: rev2Name} 
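Review bot: `GinkgoWriter.Println("sa:", sa)` in the new pull-secret spec is leftover debugging output that dumps the whole ServiceAccount, including its `secrets` references, into the test log on every run; remove it, as the IstioCNI twin of this test does without it. The spec also leaves `other-pull-secret` attached to the `istiod-<revName>` ServiceAccount for the later specs in this Ordered container — presumably harmless for the concurrent-deployment spec that follows, but worth a short comment if intentional.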
@@ -466,7 +492,21 @@ var _ = Describe("IstioRevision resource", Ordered, func() { }) }) -func getReconcileCount(g Gomega) float64 { +func waitForInFlightReconcileToFinish() { + // wait for the in-flight reconcile operations to finish + // unfortunately, I don't see a good way to do this other than by waiting + time.Sleep(5 * time.Second) +} + +func getIstioRevisionReconcileCount(g Gomega) float64 { + return getReconcileCount(g, "istiorevision") +} + +func getIstioCNIReconcileCount(g Gomega) float64 { + return getReconcileCount(g, "istiocni") +} + +func getReconcileCount(g Gomega, controllerName string) float64 { resp, err := http.Get("http://localhost:8080/metrics") g.Expect(err).NotTo(HaveOccurred()) defer resp.Body.Close() @@ -480,7 +520,7 @@ func getReconcileCount(g Gomega) float64 { sum := float64(0) for _, metric := range mf.Metric { for _, l := range metric.Label { - if *l.Name == "controller" && *l.Value == "istiorevision" { + if *l.Name == "controller" && *l.Value == controllerName { sum += metric.GetCounter().GetValue() } } From 7bc61821ff66a18b8ec383057f9b4c90140bda44 Mon Sep 17 00:00:00 2001 From: Daniel Grimm Date: Thu, 7 Nov 2024 11:09:26 +0100 Subject: [PATCH 07/11] enhancements: add SEP for revision tag support (#212) * enhancements: add SEP for revision tag support Signed-off-by: Daniel Grimm * fix user story 1 Signed-off-by: Daniel Grimm * Add link to revision tag blog, istioctl example Signed-off-by: Daniel Grimm * Explain `default` revision tag Signed-off-by: Daniel Grimm * Improve wording in API changes section Signed-off-by: Daniel Grimm * Extend implementation plan Signed-off-by: Daniel Grimm * Improve explanation of non-overlapping tags Signed-off-by: Daniel Grimm * Update SEP with new approach Signed-off-by: Daniel Grimm * Finalize SEP with latest state Signed-off-by: Daniel Grimm * Change status to Implementation Signed-off-by: Daniel Grimm --------- 
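Review bot: `waitForInFlightReconcileToFinish` is still a blind `time.Sleep(5 * time.Second)`; giving the sleep a name does not make the specs any less timing-dependent, and every caller now pays the full five seconds even when the controller is already idle. The `/metrics` endpoint that `getReconcileCount` already scrapes should also carry controller-runtime's per-controller active-workers gauge (exact metric name to be confirmed against the controller-runtime version in go.mod), so the helper could `Eventually` poll until that gauge reads zero for the controller in question and only fall back to a short settle time — consider at least documenting the limitation in the helper's comment rather than in each call site. Separately, `getReconcileCount` (its body continues past this hunk) never checks `resp.StatusCode`; a non-200 answer would be parsed as an empty metric family and silently yield 0, which makes a before/after equality check pass vacuously, so add `g.Expect(resp.StatusCode).To(Equal(http.StatusOK))` after the `Get`. `getIstioCNIReconcileCount` has no caller in this file as far as the hunk shows; if it is meant for a sibling test file, a short comment saying so would avoid it looking dead.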
Signed-off-by: Daniel Grimm --- enhancements/SEP2-revision-tags.md | 136 +++++++++++++++++++++++++++++ 1 file changed, 136 insertions(+) create mode 100644 enhancements/SEP2-revision-tags.md diff --git a/enhancements/SEP2-revision-tags.md b/enhancements/SEP2-revision-tags.md new file mode 100644 index 000000000..3ef946596 --- /dev/null +++ b/enhancements/SEP2-revision-tags.md 
@@ -0,0 +1,136 @@ +|Status | Authors | Created | +|---------------------------------------------------|--------------|------------| +|Implementation | @dgn | 2024-07-17 | + +# Revision Tag Support + +## Overview +Upstream Istio supports the use of [stable revision tags](https://istio.io/latest/blog/2021/revision-tags/) for multi-revision deployments and canary upgrades of Istio control planes. These tags serve as aliases for revisions and allow users to use stable revision names (e.g. `prod` or `default`), so they don't have to change their namespace and pod labels (in this case `istio.io/rev=prod` or `istio-injection=enabled`) when switching to a new version. Instead, by tagging a new revision with the correct tag and restarting their workloads, they can perform an Istio update without having to change their labels. This is especially useful in situations where the team managing the Istio control plane is separate from the teams managing the workloads. + +Revision tags can have any name, there is only one special case: revisions tagged `default` are treated as if they had an empty revision name, thereby allowing the use of the standard namespace injection label `istio-injection=enabled`. + +Each revision tag only ever points to exactly one Istio revision. Upstream, revision tags are created manually using `istioctl` and- as they only affect injection- are represented in the cluster by a MutatingWebhookConfiguration. + +Here's an example how to create a `default` revision tag that points to the `1-21-1` revision using `istioctl`: + +```bash +istioctl tag set default --revision 1-21-1 +``` + +## Goals +* Provide revision tag support in Sail Operator APIs so users don't have to use istioctl for basic revision tag operations + +## Non-goals +* Compatibility with manual revision tag creation using istioctl. 
There might be a way to disable the operator functionality to avoid conflicts when creating revision tags manually, but that's it - you either do it yourself or let the operator do it + +## Design + +### User Stories +1. As a user of Sail Operator's RevisionBased update strategy, I want to be able to use the `istio-injection=enabled` label on my namespaces. +1. As a platform engineer, I want my application teams to be able to use a fixed label for proxy injection without having to know which version of Istio is running in the cluster, so that I can perform upgrades in the background without the application teams having to make changes to use the new version. + +### API Changes +We will add a new CRD called `IstioRevisionTag` that consistly most of a `spec.targetRef` field and a `status` subresource. + +#### IstioRevisionTag resource +Here's an example YAML for the new resource: +```yaml +apiGroup: sailoperator.io/v1alpha1 +kind: IstioRevisionTag +metadata: + name: default +spec: + targetRef: + kind: Istio # can also be IstioRevision + name: default +status: + observedGeneration: 1 + conditions: [] + state: Healthy + istiodNamespace: istio-system + istioRevision: default-v1.24.0 +``` + +In the `spec.targetRef` field, users can specify the `IstioRevision` or `Istio` resource that the `IstioRevisionTag` references. In case of referencing a `IstioRevision` resource, the created tag will point to the exact Istio control plane revision that is represented by the `IstioRevision` resource and any update of the tag will have to be made manually by changing the `spec.targetRef` to point to another `IstioRevision`. 
As long as a `IstioRevisionTag` exists that references a `IstioRevision`, that `IstioRevision` will be considered "in-use" by the Sail Operator, preventing its automatic deletion during a control plane update (see details below under [InUse detection](#inuse-detection)) + +If the `spec.targetRef` is used to reference an `Istio` resource, the Sail Operator will automatically update the revision tag when a new `IstioRevision` is created as part of a version update of the `Istio` resource. In this case, the `IstioRevisionTag` resource behaves like a floating tag, always referencing the active `IstioRevision` of an `Istio` resource. When it comes to InUse detection, the existence of a floating tag will also cause the active `IstioRevision` of the `Istio` resource to be considered InUse. However, it will not prevent automatic deletion, because the reference is updated immediately when the active revision changes during an update. + +#### IstioRevisionTag Status + +The `status.state` field gives a quick hint as to whether a tag has been reconciled and is InUse ("Healthy") or if there are any problems with it. + +The `status.istiodNamespace` and `status.istioRevision` fields are used by the Sail Operator controllers to store information about the Istio control plane that is referenced by this `IstioRevisionTag`. This is especially useful when it is referencing an `Istio` resource, to see which underlying `IstioRevision` is considered referenced by the operator. + +Possible conditions for `status.conditions` are: + +##### Reconciled +`true` when the tag's helm chart has been installed successfully. Possible error reasons are: +__RefNotFound__: the resource referenced by the `spec.targetRef` field was not found +__NameAlreadyExists__: there already is an `IstioRevision` with this name +__ReconcileError__: there was an error installing the chart + +##### InUse +`true` when the `IstioRevisionTag` is referenced by a namespace or pod. 
Possible reasons when `false` are: +__NotReferencedByAnything__: no namespace or pod is referencing the tag +__UsageCheckFailed__: there was a problem during InUse detection + +#### InUse detection + +An `IstioRevisionTag` is considered InUse when + +* there's a pod or namespace that explicitly references the `IstioRevisionTag` in an `istio.io/rev` label +* the name of the `IstioRevisionTag` name is 'default' and there's a pod or namespace with the `istio-injection: enabled` label + +Note that a pod's `istio.io/rev` annotation will not be considered as that will always have the name of the referenced `IstioRevision` rather than the name of the `IstioRevisionTag`! The labels however are added by users and reflect usage intent, ie the user will use the name of the `IstioRevisionTag`. + +Even if the referenced `IstioRevision` of an `IstioRevisionTag` is considered InUse, that does not suffice to make the `IstioRevisionTag` considered InUse by the operator! It is considered an unused alias for an InUse `IstioRevision`. + +Additionally, the introduction of `IstioRevisionTag` also adds another condition to the InUse detection of `IstioRevision`: being referenced by an `IstioRevisionTag` will now always lead to an `IstioRevision` being considered InUse! For this, it does not matter if the `IstioRevisionTag` is itself considered InUse. 
+ +For completeness' sake, here's an overview of the conditions for an `IstioRevision` to be considered InUse (new condition in bold): + +* there's a pod that explicitly references the `IstioRevision` in an `istio.io/rev` annotation or label +* there's a namespace that explicitly references the `IstioRevision` in an `istio.io/rev` label +* the name of the `IstioRevision` is 'default' and there's a pod or namespace with the `istio-injection: enabled` label +* __there's an `IstioRevisionTag` referencing this `IstioRevision`__ + +#### Changes to existing APIs +We will need to remove the `values.revisionTags` field from our API, which is how the upstream charts expose this feature. + +### Architecture +We will need to update the mechanism to detect revisions that are being used. Today, we only look at the `istio.io/rev` annotation's value to check which revisions are in use. But when revision tags are used, those values will point to the referenced revision instead of the tags, so we have to improve our detection mechanism. The most correct way is probably to look at the revision label on the pods and namespace that is set to configure injection. + +Revision tags and revision names can be used interchangably, so they must never overlap. Therefore, we'll need a `status` on the `IstioRevisionTag` resource that can show the user an error if the name they chose is already taken by a `IstioRevision`. Another case that needs to be covered is when an `IstioRevision` is being reconciled and it would be assigned the same name as an existing tag. In this case, reconciliation of the `IstioRevision` should fail, with an error message that tells the users why this happened, ie "the name is already used by an `IstioRevisionTag`". + +## Alternatives Considered + +### Reuse `IstioRevision`'s type field for revision tags +We could add a `type` of `Tag` to the `IstioRevision` CRD and use that to manage tags. 
It would have the benefit that the user could list all revisions and tags using `kubectl get istiorevisions` and name-uniqueness would be handled by Kubernetes. The disadvantage though is that revision tags share no other fields with `IstioRevision` and it would be quite confusing for users that 99% of the CRD's fields are not to be used in this case, whereas there would be one new field that is only to be used for `IstioRevisions` with type=Tag. + +Note that the `type` field has since been removed with the removal of `RemoteIstio`. + +### managing tags in Istio resource +In a previous iteration of this SEP, the tags that point to an Istio control plane would have been managed in the `Istio` revision itself, in a `spec.updateStrategy.revisionTags` field. That would have meant that they are always referencing a `Istio` resource while at the same time being copied to every underlying `IstioRevision` resource. + +### values.revisionTags +Istio has a `values.revisionTags` field that we even currently expose in our APIs. The problem is that we copy all values from the `Istio` resource to every `IstioRevision` and that means we would be facing duplicate revision tags when we create additional revisions in the Sail Operator - so, some logic would be required to work around this problem. As it is a similar amount of effort, I prefer the explicit version of adding the field to the `Istio` CRD. + +### Automatic creation of default revision tag +Previously, we had this paragraph in the Architecture section: +> When the very first `IstioRevision` is created in a cluster from a `RevisionBased` Istio resource, the Sail Operator will create a `IstioRevisionTag` with the name `default`, referencing that `IstioRevision`. This way, the standard namespace injection label `istio-injection=enabled` will work out of the box for RevisionBased deployments (see second paragraph of the [Overview](#overview)). 
+ +We have since dropped this from the design as we faced some problems with this approach. Most importantly, it is very hard to detect whether the user is not creating a default IstioRevisionTag or we have simply not seen its creation event yet. We have discussed multiple possible solutions to this, among them usage of a 'virtual' revision tag that is not created on the API server but only exists in-memory, leading to the creation of the respective Kubernetes resources only. This would avoid a race between the operator and the user trying to create tags with the same name simultaneously. + +Due to the complexity of the task we have moved it into a separate ticket: [#439 Create default revision tag automatically](https://github.com/istio-ecosystem/sail-operator/issues/439). + +## Implementation Plan +v1alpha1 +- [ ] Initial implementation & tests (https://github.com/istio-ecosystem/sail-operator/pull/413) +- [ ] Documentation + +v1beta1 +- [ ] [#439 Create default revision tag automatically](https://github.com/istio-ecosystem/sail-operator/issues/439) +- [ ] [#471 Support revision tags in multicluster topologies](https://github.com/istio-ecosystem/sail-operator/issues/471) + +## Test Plan +Functionality will be tested in integration tests. From e195a2365394dc484a03e780c4041609ac517bce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marko=20Luk=C5=A1a?= Date: Tue, 12 Nov 2024 12:47:31 +0100 Subject: [PATCH 08/11] Remove redundant variable copying in for loops (#473) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With the release of Go 1.22, it's no longer necessary to manually copy loop variables inside for loops. Signed-off-by: Marko Lukša --- common/config/.golangci.yml | 2 +- controllers/istio/istio_controller_test.go | 2 -- tests/e2e/controlplane/control_plane_test.go | 3 --- tests/e2e/dualstack/dualstack_test.go | 3 --- tests/integration/api/istio_test.go | 2 -- 5 files changed, 1 insertion(+), 11 deletions(-) 
diff --git a/common/config/.golangci.yml b/common/config/.golangci.yml index 2c0565492..b5a0349b9 100644 --- a/common/config/.golangci.yml +++ b/common/config/.golangci.yml @@ -18,7 +18,7 @@ linters: disable-all: true enable: - errcheck - - exportloopref + - copyloopvar - depguard - gocritic - gofumpt diff --git a/controllers/istio/istio_controller_test.go b/controllers/istio/istio_controller_test.go index f91a9db54..129acf0ea 100644 --- a/controllers/istio/istio_controller_test.go +++ b/controllers/istio/istio_controller_test.go @@ -527,7 +527,6 @@ func TestDetermineStatus(t *testing.T) { initObjs := []client.Object{istio} for _, rev := range tc.revisions { - rev := rev initObjs = append(initObjs, &rev) } @@ -728,7 +727,6 @@ func TestUpdateStatus(t *testing.T) { initObjs := []client.Object{istio} for _, rev := range tc.revisions { - rev := rev initObjs = append(initObjs, &rev) } diff --git a/tests/e2e/controlplane/control_plane_test.go b/tests/e2e/controlplane/control_plane_test.go index e55967f80..c3e9dcc1e 100644 --- a/tests/e2e/controlplane/control_plane_test.go +++ b/tests/e2e/controlplane/control_plane_test.go @@ -117,9 +117,6 @@ metadata: Describe("given Istio version", func() { for _, version := range supportedversion.List { - // Note: This var version is needed to avoid the closure of the loop - version := version - Context(version.Name, func() { BeforeAll(func() { Expect(k.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created") diff --git a/tests/e2e/dualstack/dualstack_test.go b/tests/e2e/dualstack/dualstack_test.go index 9a7768438..15ccb350d 100644 --- a/tests/e2e/dualstack/dualstack_test.go +++ b/tests/e2e/dualstack/dualstack_test.go 
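Review bot: Removing `rev := rev` before `initObjs = append(initObjs, &rev)` in TestDetermineStatus and TestUpdateStatus is only correct if the module's `go` directive in go.mod is 1.22 or newer — the per-iteration loop-variable semantics are gated on that directive, not on the toolchain release the commit message cites, and go.mod is not part of this patch. If the directive is still older, every pointer in `initObjs` aliases the same `rev` and both tests silently exercise only the last revision; the same caveat applies to the `version` captured by the Ginkgo `Context` closures in the e2e files. Please confirm the `go` line, and consider a one-line comment at the first such loop, e.g. `// Go ≥1.22 loop semantics (see go.mod): &rev is a fresh variable per iteration`, since with `copyloopvar` now enabled the linter will reject anyone re-adding the defensive copies later.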
@@ -70,9 +70,6 @@ var _ = Describe("DualStack configuration ", Ordered, func() { Describe("for supported versions", func() { for _, version := range supportedversion.List { - // Note: This var version is needed to avoid the closure of the loop - version := version - // The minimum supported version is 1.23 (and above) if version.Version.LessThan(semver.MustParse("1.23.0")) { continue diff --git a/tests/integration/api/istio_test.go b/tests/integration/api/istio_test.go index ce7254443..20084d952 100644 --- a/tests/integration/api/istio_test.go +++ b/tests/integration/api/istio_test.go @@ -222,8 +222,6 @@ var _ = Describe("Istio resource", Ordered, func() { }) for _, withWorkloads := range []bool{true, false} { - withWorkloads := withWorkloads - Context(generateContextName(withWorkloads), func() { if withWorkloads { BeforeAll(func() { From 45079f424fcec2d863ecb9501026e2fa14f5dc79 Mon Sep 17 00:00:00 2001 From: openshift-service-mesh-bot <165402251+openshift-service-mesh-bot@users.noreply.github.com> Date: Tue, 12 Nov 2024 13:18:32 +0100 Subject: [PATCH 09/11] Automator: Update dependencies in istio-ecosystem/sail-operator@main (#468) 
Signed-off-by: openshift-service-mesh-bot --- .devcontainer/devcontainer.json | 2 +- .github/workflows/update-deps.yaml | 2 +- Makefile.core.mk | 8 +- api/v1alpha1/istio_types.go | 10 +- api/v1alpha1/istiocni_types.go | 10 +- api/v1alpha1/istiorevision_types.go | 6 +- api/v1alpha1/values_types.gen.go | 13 +- api/v1alpha1/zz_generated.deepcopy.go | 15 + .../extensions.istio.io_wasmplugins.yaml | 8 +- .../networking.istio.io_destinationrules.yaml | 24 +- .../networking.istio.io_envoyfilters.yaml | 8 +- .../networking.istio.io_gateways.yaml | 24 +- .../networking.istio.io_proxyconfigs.yaml | 8 +- .../networking.istio.io_serviceentries.yaml | 24 +- .../networking.istio.io_sidecars.yaml | 24 +- .../networking.istio.io_virtualservices.yaml | 24 +- .../networking.istio.io_workloadentries.yaml | 24 +- .../networking.istio.io_workloadgroups.yaml | 24 +- .../sailoperator.clusterserviceversion.yaml | 62 +- .../manifests/sailoperator.io_istiocnis.yaml | 10 +- .../sailoperator.io_istiorevisions.yaml | 25 +- bundle/manifests/sailoperator.io_istios.yaml | 29 +- ...curity.istio.io_authorizationpolicies.yaml | 16 +- ...security.istio.io_peerauthentications.yaml | 16 +- ...urity.istio.io_requestauthentications.yaml | 16 +- .../telemetry.istio.io_telemetries.yaml | 26 +- .../crds/extensions.istio.io_wasmplugins.yaml | 8 +- .../networking.istio.io_destinationrules.yaml | 24 +- .../networking.istio.io_envoyfilters.yaml | 8 +- chart/crds/networking.istio.io_gateways.yaml | 24 +- .../networking.istio.io_proxyconfigs.yaml | 8 +- .../networking.istio.io_serviceentries.yaml | 24 +- chart/crds/networking.istio.io_sidecars.yaml | 24 +- .../networking.istio.io_virtualservices.yaml | 24 +- .../networking.istio.io_workloadentries.yaml | 24 +- .../networking.istio.io_workloadgroups.yaml | 24 +- chart/crds/sailoperator.io_istiocnis.yaml | 10 +- .../crds/sailoperator.io_istiorevisions.yaml | 25 +- chart/crds/sailoperator.io_istios.yaml | 29 +- ...curity.istio.io_authorizationpolicies.yaml | 16 +- 
...security.istio.io_peerauthentications.yaml | 16 +- ...urity.istio.io_requestauthentications.yaml | 16 +- .../crds/telemetry.istio.io_telemetries.yaml | 26 +- chart/samples/istio-sample-kubernetes.yaml | 2 +- chart/samples/istio-sample-openshift.yaml | 2 +- chart/samples/istiocni-sample.yaml | 2 +- chart/values.yaml | 4 +- common/.commonfiles.sha | 2 +- common/scripts/setup_env.sh | 2 +- docs/api-reference/sailoperator.io.md | 13 +- go.mod | 64 +- go.sum | 120 +- resources/latest/charts/base/Chart.yaml | 4 +- .../latest/charts/base/files/crd-all.gen.yaml | 266 +- .../profile-compatibility-version-1.24.yaml | 8 + resources/latest/charts/cni/Chart.yaml | 4 +- .../profile-compatibility-version-1.24.yaml | 8 + .../charts/cni/templates/configmap-cni.yaml | 5 + .../charts/cni/templates/daemonset.yaml | 5 +- resources/latest/charts/cni/values.yaml | 5 +- resources/latest/charts/gateway/Chart.yaml | 4 +- .../profile-compatibility-version-1.24.yaml | 8 + resources/latest/charts/istiod/Chart.yaml | 4 +- .../profile-compatibility-version-1.24.yaml | 8 + .../latest/charts/istiod/files/waypoint.yaml | 4 + resources/latest/charts/istiod/values.yaml | 2 +- resources/latest/charts/ztunnel/Chart.yaml | 4 +- .../profile-compatibility-version-1.24.yaml | 8 + .../charts/ztunnel/templates/_helpers.tpl | 1 + .../charts/ztunnel/templates/daemonset.yaml | 2 +- .../latest/charts/ztunnel/templates/rbac.yaml | 14 +- resources/latest/charts/ztunnel/values.yaml | 6 +- resources/latest/profiles/default.yaml | 2 + resources/v1.22.6/charts/base/Chart.yaml | 10 + resources/v1.22.6/charts/base/README.md | 35 + .../v1.22.6/charts/base/crds/crd-all.gen.yaml | 13051 ++++++++++++++ .../charts/base/files/profile-ambient.yaml | 21 + .../profile-compatibility-version-1.20.yaml | 24 + .../profile-compatibility-version-1.21.yaml | 17 + .../charts/base/files/profile-demo.yaml | 73 + .../base/files/profile-openshift-ambient.yaml | 34 + .../charts/base/files/profile-openshift.yaml | 20 + 
.../charts/base/files/profile-preview.yaml | 13 + .../charts/base/files/profile-stable.yaml | 8 + .../v1.22.6/charts/base/templates/NOTES.txt | 5 + .../v1.22.6/charts/base/templates/crds.yaml | 3 + .../charts/base/templates/default.yaml | 54 + .../charts/base/templates/endpoints.yaml | 23 + .../base/templates/reader-serviceaccount.yaml | 16 + .../charts/base/templates/services.yaml | 37 + .../templates/validatingadmissionpolicy.yaml | 51 + .../charts/base/templates/zzz_profile.yaml | 43 + resources/v1.22.6/charts/base/values.yaml | 40 + resources/v1.22.6/charts/cni/Chart.yaml | 11 + resources/v1.22.6/charts/cni/README.md | 65 + .../charts/cni/files/profile-ambient.yaml | 21 + .../profile-compatibility-version-1.20.yaml | 24 + .../profile-compatibility-version-1.21.yaml | 17 + .../charts/cni/files/profile-demo.yaml | 73 + .../cni/files/profile-openshift-ambient.yaml | 34 + .../charts/cni/files/profile-openshift.yaml | 20 + .../charts/cni/files/profile-preview.yaml | 13 + .../charts/cni/files/profile-stable.yaml | 8 + .../v1.22.6/charts/cni/templates/NOTES.txt | 5 + .../charts/cni/templates/clusterrole.yaml | 74 + .../cni/templates/clusterrolebinding.yaml | 58 + .../charts/cni/templates/configmap-cni.yaml | 34 + .../charts/cni/templates/daemonset.yaml | 234 + .../network-attachment-definition.yaml | 9 + .../charts/cni/templates/resourcequota.yaml | 16 + .../charts/cni/templates/serviceaccount.yaml | 17 + .../charts/cni/templates/zzz_profile.yaml | 43 + resources/v1.22.6/charts/cni/values.yaml | 141 + resources/v1.22.6/charts/gateway/Chart.yaml | 12 + resources/v1.22.6/charts/gateway/README.md | 170 + .../charts/gateway/files/profile-ambient.yaml | 21 + .../profile-compatibility-version-1.20.yaml | 24 + .../profile-compatibility-version-1.21.yaml | 17 + .../charts/gateway/files/profile-demo.yaml | 73 + .../files/profile-openshift-ambient.yaml | 34 + .../gateway/files/profile-openshift.yaml | 20 + .../charts/gateway/files/profile-preview.yaml | 13 + 
.../charts/gateway/files/profile-stable.yaml | 8 + .../charts/gateway/templates/NOTES.txt | 9 + .../charts/gateway/templates/_helpers.tpl | 61 + .../charts/gateway/templates/deployment.yaml | 111 + .../v1.22.6/charts/gateway/templates/hpa.yaml | 38 + .../templates/poddisruptionbudget.yaml | 16 + .../charts/gateway/templates/role.yaml | 33 + .../charts/gateway/templates/service.yaml | 64 + .../gateway/templates/serviceaccount.yaml | 13 + .../charts/gateway/templates/zzz_profile.yaml | 43 + .../v1.22.6/charts/gateway/values.schema.json | 301 + resources/v1.22.6/charts/gateway/values.yaml | 152 + resources/v1.22.6/charts/istiod/Chart.yaml | 12 + resources/v1.22.6/charts/istiod/README.md | 73 + .../files/gateway-injection-template.yaml | 250 + .../charts/istiod/files/grpc-agent.yaml | 310 + .../charts/istiod/files/grpc-simple.yaml | 65 + .../istiod/files/injection-template.yaml | 542 + .../charts/istiod/files/kube-gateway.yaml | 356 + .../charts/istiod/files/profile-ambient.yaml | 21 + .../profile-compatibility-version-1.20.yaml | 24 + .../profile-compatibility-version-1.21.yaml | 17 + .../charts/istiod/files/profile-demo.yaml | 73 + .../files/profile-openshift-ambient.yaml | 34 + .../istiod/files/profile-openshift.yaml | 20 + .../charts/istiod/files/profile-preview.yaml | 13 + .../charts/istiod/files/profile-stable.yaml | 8 + .../v1.22.6/charts/istiod/files/waypoint.yaml | 307 + .../v1.22.6/charts/istiod/templates/NOTES.txt | 75 + .../charts/istiod/templates/_helpers.tpl | 23 + .../charts/istiod/templates/autoscale.yaml | 39 + .../charts/istiod/templates/clusterrole.yaml | 157 + .../istiod/templates/clusterrolebinding.yaml | 33 + .../istiod/templates/configmap-jwks.yaml | 14 + .../charts/istiod/templates/configmap.yaml | 112 + .../charts/istiod/templates/deployment.yaml | 257 + .../templates/istiod-injector-configmap.yaml | 80 + .../istiod/templates/mutatingwebhook.yaml | 158 + .../istiod/templates/poddisruptionbudget.yaml | 25 + 
.../istiod/templates/reader-clusterrole.yaml | 60 + .../templates/reader-clusterrolebinding.yaml | 15 + .../istiod/templates/revision-tags.yaml | 141 + .../v1.22.6/charts/istiod/templates/role.yaml | 30 + .../charts/istiod/templates/rolebinding.yaml | 16 + .../charts/istiod/templates/service.yaml | 50 + .../istiod/templates/serviceaccount.yaml | 19 + .../templates/validatingadmissionpolicy.yaml | 57 + .../validatingwebhookconfiguration.yaml | 63 + .../charts/istiod/templates/zzz_profile.yaml | 43 + resources/v1.22.6/charts/istiod/values.yaml | 514 + resources/v1.22.6/charts/ztunnel/Chart.yaml | 11 + resources/v1.22.6/charts/ztunnel/README.md | 50 + .../charts/ztunnel/files/profile-ambient.yaml | 21 + .../profile-compatibility-version-1.20.yaml | 24 + .../profile-compatibility-version-1.21.yaml | 17 + .../charts/ztunnel/files/profile-demo.yaml | 73 + .../files/profile-openshift-ambient.yaml | 34 + .../ztunnel/files/profile-openshift.yaml | 20 + .../charts/ztunnel/files/profile-preview.yaml | 13 + .../charts/ztunnel/files/profile-stable.yaml | 8 + .../charts/ztunnel/templates/NOTES.txt | 5 + .../charts/ztunnel/templates/_helpers.tpl | 10 + .../charts/ztunnel/templates/daemonset.yaml | 166 + .../charts/ztunnel/templates/rbac.yaml | 52 + .../charts/ztunnel/templates/zzz_profile.yaml | 43 + resources/v1.22.6/charts/ztunnel/values.yaml | 87 + resources/v1.22.6/profiles/ambient.yaml | 5 + resources/v1.22.6/profiles/default.yaml | 10 + resources/v1.22.6/profiles/demo.yaml | 5 + resources/v1.22.6/profiles/empty.yaml | 5 + .../v1.22.6/profiles/openshift-ambient.yaml | 5 + resources/v1.22.6/profiles/openshift.yaml | 5 + resources/v1.22.6/profiles/preview.yaml | 8 + resources/v1.22.6/profiles/remote.yaml | 5 + resources/v1.22.6/profiles/stable.yaml | 5 + resources/v1.23.3/charts/base/Chart.yaml | 10 + resources/v1.23.3/charts/base/README.md | 35 + .../v1.23.3/charts/base/crds/crd-all.gen.yaml | 14331 ++++++++++++++++ .../charts/base/files/profile-ambient.yaml | 20 + 
.../profile-compatibility-version-1.20.yaml | 26 + .../profile-compatibility-version-1.21.yaml | 23 + .../profile-compatibility-version-1.22.yaml | 16 + .../charts/base/files/profile-demo.yaml | 73 + .../base/files/profile-openshift-ambient.yaml | 33 + .../charts/base/files/profile-openshift.yaml | 20 + .../charts/base/files/profile-preview.yaml | 13 + .../charts/base/files/profile-stable.yaml | 8 + .../v1.23.3/charts/base/templates/NOTES.txt | 5 + .../v1.23.3/charts/base/templates/crds.yaml | 3 + .../charts/base/templates/default.yaml | 54 + .../charts/base/templates/endpoints.yaml | 23 + .../base/templates/reader-serviceaccount.yaml | 16 + .../charts/base/templates/services.yaml | 37 + .../templates/validatingadmissionpolicy.yaml | 51 + .../charts/base/templates/zzz_profile.yaml | 43 + resources/v1.23.3/charts/base/values.yaml | 42 + resources/v1.23.3/charts/cni/Chart.yaml | 11 + resources/v1.23.3/charts/cni/README.md | 65 + .../charts/cni/files/profile-ambient.yaml | 20 + .../profile-compatibility-version-1.20.yaml | 26 + .../profile-compatibility-version-1.21.yaml | 23 + .../profile-compatibility-version-1.22.yaml | 16 + .../charts/cni/files/profile-demo.yaml | 73 + .../cni/files/profile-openshift-ambient.yaml | 33 + .../charts/cni/files/profile-openshift.yaml | 20 + .../charts/cni/files/profile-preview.yaml | 13 + .../charts/cni/files/profile-stable.yaml | 8 + .../v1.23.3/charts/cni/templates/NOTES.txt | 5 + .../v1.23.3/charts/cni/templates/_helpers.tpl | 8 + .../charts/cni/templates/clusterrole.yaml | 74 + .../cni/templates/clusterrolebinding.yaml | 60 + .../charts/cni/templates/configmap-cni.yaml | 29 + .../charts/cni/templates/daemonset.yaml | 208 + .../network-attachment-definition.yaml | 9 + .../charts/cni/templates/resourcequota.yaml | 16 + .../charts/cni/templates/serviceaccount.yaml | 17 + .../charts/cni/templates/zzz_profile.yaml | 43 + resources/v1.23.3/charts/cni/values.yaml | 144 + resources/v1.23.3/charts/gateway/Chart.yaml | 12 + 
resources/v1.23.3/charts/gateway/README.md | 170 + .../charts/gateway/files/profile-ambient.yaml | 20 + .../profile-compatibility-version-1.20.yaml | 26 + .../profile-compatibility-version-1.21.yaml | 23 + .../profile-compatibility-version-1.22.yaml | 16 + .../charts/gateway/files/profile-demo.yaml | 73 + .../files/profile-openshift-ambient.yaml | 33 + .../gateway/files/profile-openshift.yaml | 20 + .../charts/gateway/files/profile-preview.yaml | 13 + .../charts/gateway/files/profile-stable.yaml | 8 + .../charts/gateway/templates/NOTES.txt | 9 + .../charts/gateway/templates/_helpers.tpl | 51 + .../charts/gateway/templates/deployment.yaml | 115 + .../v1.23.3/charts/gateway/templates/hpa.yaml | 38 + .../templates/poddisruptionbudget.yaml | 16 + .../charts/gateway/templates/role.yaml | 33 + .../charts/gateway/templates/service.yaml | 64 + .../gateway/templates/serviceaccount.yaml | 13 + .../charts/gateway/templates/zzz_profile.yaml | 43 + .../v1.23.3/charts/gateway/values.schema.json | 301 + resources/v1.23.3/charts/gateway/values.yaml | 154 + .../v1.23.3/charts/istiod-remote/Chart.yaml | 11 + .../v1.23.3/charts/istiod-remote/NOTES.txt | 4 + .../files/gateway-injection-template.yaml | 250 + .../files/injection-template.yaml | 545 + .../istiod-remote/files/profile-ambient.yaml | 20 + .../profile-compatibility-version-1.20.yaml | 26 + .../profile-compatibility-version-1.21.yaml | 23 + .../profile-compatibility-version-1.22.yaml | 16 + .../istiod-remote/files/profile-demo.yaml | 73 + .../files/profile-openshift-ambient.yaml | 33 + .../files/profile-openshift.yaml | 20 + .../istiod-remote/files/profile-preview.yaml | 13 + .../istiod-remote/files/profile-stable.yaml | 8 + .../istiod-remote/templates/_helpers.tpl | 23 + .../istiod-remote/templates/clusterrole.yaml | 163 + .../templates/clusterrolebinding.yaml | 35 + .../istiod-remote/templates/configmap.yaml | 112 + .../istiod-remote/templates/default.yaml | 56 + ...aultrevisionvalidatingadmissionpolicy.yaml | 53 + 
.../istiod-remote/templates/endpoints.yaml | 23 + .../templates/istiod-injector-configmap.yaml | 80 + .../templates/mutatingwebhook.yaml | 158 + .../templates/reader-clusterrole.yaml | 60 + .../templates/reader-clusterrolebinding.yaml | 15 + .../templates/reader-serviceaccount.yaml | 16 + .../charts/istiod-remote/templates/role.yaml | 32 + .../istiod-remote/templates/rolebinding.yaml | 18 + .../templates/serviceaccount.yaml | 21 + .../istiod-remote/templates/services.yaml | 37 + .../templates/validatingadmissionpolicy.yaml | 59 + .../validatingwebhookconfiguration.yaml | 65 + .../istiod-remote/templates/zzz_profile.yaml | 43 + .../v1.23.3/charts/istiod-remote/values.yaml | 444 + resources/v1.23.3/charts/istiod/Chart.yaml | 12 + resources/v1.23.3/charts/istiod/README.md | 73 + .../files/gateway-injection-template.yaml | 250 + .../charts/istiod/files/grpc-agent.yaml | 310 + .../charts/istiod/files/grpc-simple.yaml | 65 + .../istiod/files/injection-template.yaml | 545 + .../charts/istiod/files/kube-gateway.yaml | 346 + .../charts/istiod/files/profile-ambient.yaml | 20 + .../profile-compatibility-version-1.20.yaml | 26 + .../profile-compatibility-version-1.21.yaml | 23 + .../profile-compatibility-version-1.22.yaml | 16 + .../charts/istiod/files/profile-demo.yaml | 73 + .../files/profile-openshift-ambient.yaml | 33 + .../istiod/files/profile-openshift.yaml | 20 + .../charts/istiod/files/profile-preview.yaml | 13 + .../charts/istiod/files/profile-stable.yaml | 8 + .../v1.23.3/charts/istiod/files/waypoint.yaml | 312 + .../v1.23.3/charts/istiod/templates/NOTES.txt | 79 + .../charts/istiod/templates/_helpers.tpl | 23 + .../charts/istiod/templates/autoscale.yaml | 39 + .../charts/istiod/templates/clusterrole.yaml | 161 + .../istiod/templates/clusterrolebinding.yaml | 33 + .../istiod/templates/configmap-jwks.yaml | 14 + .../charts/istiod/templates/configmap.yaml | 112 + .../charts/istiod/templates/deployment.yaml | 271 + .../templates/istiod-injector-configmap.yaml | 80 + 
.../istiod/templates/mutatingwebhook.yaml | 158 + .../istiod/templates/poddisruptionbudget.yaml | 25 + .../istiod/templates/reader-clusterrole.yaml | 60 + .../templates/reader-clusterrolebinding.yaml | 15 + .../istiod/templates/revision-tags.yaml | 141 + .../v1.23.3/charts/istiod/templates/role.yaml | 30 + .../charts/istiod/templates/rolebinding.yaml | 16 + .../charts/istiod/templates/service.yaml | 50 + .../istiod/templates/serviceaccount.yaml | 19 + .../templates/validatingadmissionpolicy.yaml | 57 + .../validatingwebhookconfiguration.yaml | 63 + .../charts/istiod/templates/zzz_profile.yaml | 43 + resources/v1.23.3/charts/istiod/values.yaml | 525 + resources/v1.23.3/charts/ztunnel/Chart.yaml | 11 + resources/v1.23.3/charts/ztunnel/README.md | 50 + .../charts/ztunnel/files/profile-ambient.yaml | 20 + .../profile-compatibility-version-1.20.yaml | 26 + .../profile-compatibility-version-1.21.yaml | 23 + .../profile-compatibility-version-1.22.yaml | 16 + .../charts/ztunnel/files/profile-demo.yaml | 73 + .../files/profile-openshift-ambient.yaml | 33 + .../ztunnel/files/profile-openshift.yaml | 20 + .../charts/ztunnel/files/profile-preview.yaml | 13 + .../charts/ztunnel/files/profile-stable.yaml | 8 + .../charts/ztunnel/templates/NOTES.txt | 5 + .../charts/ztunnel/templates/_helpers.tpl | 10 + .../charts/ztunnel/templates/daemonset.yaml | 187 + .../charts/ztunnel/templates/rbac.yaml | 69 + .../charts/ztunnel/templates/zzz_profile.yaml | 43 + resources/v1.23.3/charts/ztunnel/values.yaml | 95 + resources/v1.23.3/profiles/ambient.yaml | 5 + resources/v1.23.3/profiles/default.yaml | 10 + resources/v1.23.3/profiles/demo.yaml | 5 + resources/v1.23.3/profiles/empty.yaml | 5 + .../v1.23.3/profiles/openshift-ambient.yaml | 5 + resources/v1.23.3/profiles/openshift.yaml | 5 + resources/v1.23.3/profiles/preview.yaml | 8 + resources/v1.23.3/profiles/remote.yaml | 5 + resources/v1.23.3/profiles/stable.yaml | 5 + versions.yaml | 35 +- 361 files changed, 46068 insertions(+), 382 
deletions(-) create mode 100644 resources/latest/charts/base/files/profile-compatibility-version-1.24.yaml create mode 100644 resources/latest/charts/cni/files/profile-compatibility-version-1.24.yaml create mode 100644 resources/latest/charts/gateway/files/profile-compatibility-version-1.24.yaml create mode 100644 resources/latest/charts/istiod/files/profile-compatibility-version-1.24.yaml create mode 100644 resources/latest/charts/ztunnel/files/profile-compatibility-version-1.24.yaml create mode 100644 resources/latest/charts/ztunnel/templates/_helpers.tpl create mode 100644 resources/v1.22.6/charts/base/Chart.yaml create mode 100644 resources/v1.22.6/charts/base/README.md create mode 100644 resources/v1.22.6/charts/base/crds/crd-all.gen.yaml create mode 100644 resources/v1.22.6/charts/base/files/profile-ambient.yaml create mode 100644 resources/v1.22.6/charts/base/files/profile-compatibility-version-1.20.yaml create mode 100644 resources/v1.22.6/charts/base/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.22.6/charts/base/files/profile-demo.yaml create mode 100644 resources/v1.22.6/charts/base/files/profile-openshift-ambient.yaml create mode 100644 resources/v1.22.6/charts/base/files/profile-openshift.yaml create mode 100644 resources/v1.22.6/charts/base/files/profile-preview.yaml create mode 100644 resources/v1.22.6/charts/base/files/profile-stable.yaml create mode 100644 resources/v1.22.6/charts/base/templates/NOTES.txt create mode 100644 resources/v1.22.6/charts/base/templates/crds.yaml create mode 100644 resources/v1.22.6/charts/base/templates/default.yaml create mode 100644 resources/v1.22.6/charts/base/templates/endpoints.yaml create mode 100644 resources/v1.22.6/charts/base/templates/reader-serviceaccount.yaml create mode 100644 resources/v1.22.6/charts/base/templates/services.yaml create mode 100644 resources/v1.22.6/charts/base/templates/validatingadmissionpolicy.yaml create mode 100644 
resources/v1.22.6/charts/base/templates/zzz_profile.yaml create mode 100644 resources/v1.22.6/charts/base/values.yaml create mode 100644 resources/v1.22.6/charts/cni/Chart.yaml create mode 100644 resources/v1.22.6/charts/cni/README.md create mode 100644 resources/v1.22.6/charts/cni/files/profile-ambient.yaml create mode 100644 resources/v1.22.6/charts/cni/files/profile-compatibility-version-1.20.yaml create mode 100644 resources/v1.22.6/charts/cni/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.22.6/charts/cni/files/profile-demo.yaml create mode 100644 resources/v1.22.6/charts/cni/files/profile-openshift-ambient.yaml create mode 100644 resources/v1.22.6/charts/cni/files/profile-openshift.yaml create mode 100644 resources/v1.22.6/charts/cni/files/profile-preview.yaml create mode 100644 resources/v1.22.6/charts/cni/files/profile-stable.yaml create mode 100644 resources/v1.22.6/charts/cni/templates/NOTES.txt create mode 100644 resources/v1.22.6/charts/cni/templates/clusterrole.yaml create mode 100644 resources/v1.22.6/charts/cni/templates/clusterrolebinding.yaml create mode 100644 resources/v1.22.6/charts/cni/templates/configmap-cni.yaml create mode 100644 resources/v1.22.6/charts/cni/templates/daemonset.yaml create mode 100644 resources/v1.22.6/charts/cni/templates/network-attachment-definition.yaml create mode 100644 resources/v1.22.6/charts/cni/templates/resourcequota.yaml create mode 100644 resources/v1.22.6/charts/cni/templates/serviceaccount.yaml create mode 100644 resources/v1.22.6/charts/cni/templates/zzz_profile.yaml create mode 100644 resources/v1.22.6/charts/cni/values.yaml create mode 100644 resources/v1.22.6/charts/gateway/Chart.yaml create mode 100644 resources/v1.22.6/charts/gateway/README.md create mode 100644 resources/v1.22.6/charts/gateway/files/profile-ambient.yaml create mode 100644 resources/v1.22.6/charts/gateway/files/profile-compatibility-version-1.20.yaml create mode 100644 
resources/v1.22.6/charts/gateway/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.22.6/charts/gateway/files/profile-demo.yaml create mode 100644 resources/v1.22.6/charts/gateway/files/profile-openshift-ambient.yaml create mode 100644 resources/v1.22.6/charts/gateway/files/profile-openshift.yaml create mode 100644 resources/v1.22.6/charts/gateway/files/profile-preview.yaml create mode 100644 resources/v1.22.6/charts/gateway/files/profile-stable.yaml create mode 100644 resources/v1.22.6/charts/gateway/templates/NOTES.txt create mode 100644 resources/v1.22.6/charts/gateway/templates/_helpers.tpl create mode 100644 resources/v1.22.6/charts/gateway/templates/deployment.yaml create mode 100644 resources/v1.22.6/charts/gateway/templates/hpa.yaml create mode 100644 resources/v1.22.6/charts/gateway/templates/poddisruptionbudget.yaml create mode 100644 resources/v1.22.6/charts/gateway/templates/role.yaml create mode 100644 resources/v1.22.6/charts/gateway/templates/service.yaml create mode 100644 resources/v1.22.6/charts/gateway/templates/serviceaccount.yaml create mode 100644 resources/v1.22.6/charts/gateway/templates/zzz_profile.yaml create mode 100644 resources/v1.22.6/charts/gateway/values.schema.json create mode 100644 resources/v1.22.6/charts/gateway/values.yaml create mode 100644 resources/v1.22.6/charts/istiod/Chart.yaml create mode 100644 resources/v1.22.6/charts/istiod/README.md create mode 100644 resources/v1.22.6/charts/istiod/files/gateway-injection-template.yaml create mode 100644 resources/v1.22.6/charts/istiod/files/grpc-agent.yaml create mode 100644 resources/v1.22.6/charts/istiod/files/grpc-simple.yaml create mode 100644 resources/v1.22.6/charts/istiod/files/injection-template.yaml create mode 100644 resources/v1.22.6/charts/istiod/files/kube-gateway.yaml create mode 100644 resources/v1.22.6/charts/istiod/files/profile-ambient.yaml create mode 100644 resources/v1.22.6/charts/istiod/files/profile-compatibility-version-1.20.yaml 
create mode 100644 resources/v1.22.6/charts/istiod/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.22.6/charts/istiod/files/profile-demo.yaml create mode 100644 resources/v1.22.6/charts/istiod/files/profile-openshift-ambient.yaml create mode 100644 resources/v1.22.6/charts/istiod/files/profile-openshift.yaml create mode 100644 resources/v1.22.6/charts/istiod/files/profile-preview.yaml create mode 100644 resources/v1.22.6/charts/istiod/files/profile-stable.yaml create mode 100644 resources/v1.22.6/charts/istiod/files/waypoint.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/NOTES.txt create mode 100644 resources/v1.22.6/charts/istiod/templates/_helpers.tpl create mode 100644 resources/v1.22.6/charts/istiod/templates/autoscale.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/clusterrole.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/clusterrolebinding.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/configmap-jwks.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/configmap.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/deployment.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/istiod-injector-configmap.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/mutatingwebhook.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/poddisruptionbudget.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/reader-clusterrole.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/reader-clusterrolebinding.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/revision-tags.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/role.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/rolebinding.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/service.yaml create mode 100644 
resources/v1.22.6/charts/istiod/templates/serviceaccount.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/validatingadmissionpolicy.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/validatingwebhookconfiguration.yaml create mode 100644 resources/v1.22.6/charts/istiod/templates/zzz_profile.yaml create mode 100644 resources/v1.22.6/charts/istiod/values.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/Chart.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/README.md create mode 100644 resources/v1.22.6/charts/ztunnel/files/profile-ambient.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/files/profile-compatibility-version-1.20.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/files/profile-demo.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/files/profile-openshift-ambient.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/files/profile-openshift.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/files/profile-preview.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/files/profile-stable.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/templates/NOTES.txt create mode 100644 resources/v1.22.6/charts/ztunnel/templates/_helpers.tpl create mode 100644 resources/v1.22.6/charts/ztunnel/templates/daemonset.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/templates/rbac.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/templates/zzz_profile.yaml create mode 100644 resources/v1.22.6/charts/ztunnel/values.yaml create mode 100644 resources/v1.22.6/profiles/ambient.yaml create mode 100644 resources/v1.22.6/profiles/default.yaml create mode 100644 resources/v1.22.6/profiles/demo.yaml create mode 100644 resources/v1.22.6/profiles/empty.yaml create mode 100644 resources/v1.22.6/profiles/openshift-ambient.yaml create mode 100644 resources/v1.22.6/profiles/openshift.yaml 
create mode 100644 resources/v1.22.6/profiles/preview.yaml create mode 100644 resources/v1.22.6/profiles/remote.yaml create mode 100644 resources/v1.22.6/profiles/stable.yaml create mode 100644 resources/v1.23.3/charts/base/Chart.yaml create mode 100644 resources/v1.23.3/charts/base/README.md create mode 100644 resources/v1.23.3/charts/base/crds/crd-all.gen.yaml create mode 100644 resources/v1.23.3/charts/base/files/profile-ambient.yaml create mode 100644 resources/v1.23.3/charts/base/files/profile-compatibility-version-1.20.yaml create mode 100644 resources/v1.23.3/charts/base/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.23.3/charts/base/files/profile-compatibility-version-1.22.yaml create mode 100644 resources/v1.23.3/charts/base/files/profile-demo.yaml create mode 100644 resources/v1.23.3/charts/base/files/profile-openshift-ambient.yaml create mode 100644 resources/v1.23.3/charts/base/files/profile-openshift.yaml create mode 100644 resources/v1.23.3/charts/base/files/profile-preview.yaml create mode 100644 resources/v1.23.3/charts/base/files/profile-stable.yaml create mode 100644 resources/v1.23.3/charts/base/templates/NOTES.txt create mode 100644 resources/v1.23.3/charts/base/templates/crds.yaml create mode 100644 resources/v1.23.3/charts/base/templates/default.yaml create mode 100644 resources/v1.23.3/charts/base/templates/endpoints.yaml create mode 100644 resources/v1.23.3/charts/base/templates/reader-serviceaccount.yaml create mode 100644 resources/v1.23.3/charts/base/templates/services.yaml create mode 100644 resources/v1.23.3/charts/base/templates/validatingadmissionpolicy.yaml create mode 100644 resources/v1.23.3/charts/base/templates/zzz_profile.yaml create mode 100644 resources/v1.23.3/charts/base/values.yaml create mode 100644 resources/v1.23.3/charts/cni/Chart.yaml create mode 100644 resources/v1.23.3/charts/cni/README.md create mode 100644 resources/v1.23.3/charts/cni/files/profile-ambient.yaml create mode 100644 
resources/v1.23.3/charts/cni/files/profile-compatibility-version-1.20.yaml create mode 100644 resources/v1.23.3/charts/cni/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.23.3/charts/cni/files/profile-compatibility-version-1.22.yaml create mode 100644 resources/v1.23.3/charts/cni/files/profile-demo.yaml create mode 100644 resources/v1.23.3/charts/cni/files/profile-openshift-ambient.yaml create mode 100644 resources/v1.23.3/charts/cni/files/profile-openshift.yaml create mode 100644 resources/v1.23.3/charts/cni/files/profile-preview.yaml create mode 100644 resources/v1.23.3/charts/cni/files/profile-stable.yaml create mode 100644 resources/v1.23.3/charts/cni/templates/NOTES.txt create mode 100644 resources/v1.23.3/charts/cni/templates/_helpers.tpl create mode 100644 resources/v1.23.3/charts/cni/templates/clusterrole.yaml create mode 100644 resources/v1.23.3/charts/cni/templates/clusterrolebinding.yaml create mode 100644 resources/v1.23.3/charts/cni/templates/configmap-cni.yaml create mode 100644 resources/v1.23.3/charts/cni/templates/daemonset.yaml create mode 100644 resources/v1.23.3/charts/cni/templates/network-attachment-definition.yaml create mode 100644 resources/v1.23.3/charts/cni/templates/resourcequota.yaml create mode 100644 resources/v1.23.3/charts/cni/templates/serviceaccount.yaml create mode 100644 resources/v1.23.3/charts/cni/templates/zzz_profile.yaml create mode 100644 resources/v1.23.3/charts/cni/values.yaml create mode 100644 resources/v1.23.3/charts/gateway/Chart.yaml create mode 100644 resources/v1.23.3/charts/gateway/README.md create mode 100644 resources/v1.23.3/charts/gateway/files/profile-ambient.yaml create mode 100644 resources/v1.23.3/charts/gateway/files/profile-compatibility-version-1.20.yaml create mode 100644 resources/v1.23.3/charts/gateway/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.23.3/charts/gateway/files/profile-compatibility-version-1.22.yaml create mode 100644 
resources/v1.23.3/charts/gateway/files/profile-demo.yaml create mode 100644 resources/v1.23.3/charts/gateway/files/profile-openshift-ambient.yaml create mode 100644 resources/v1.23.3/charts/gateway/files/profile-openshift.yaml create mode 100644 resources/v1.23.3/charts/gateway/files/profile-preview.yaml create mode 100644 resources/v1.23.3/charts/gateway/files/profile-stable.yaml create mode 100644 resources/v1.23.3/charts/gateway/templates/NOTES.txt create mode 100644 resources/v1.23.3/charts/gateway/templates/_helpers.tpl create mode 100644 resources/v1.23.3/charts/gateway/templates/deployment.yaml create mode 100644 resources/v1.23.3/charts/gateway/templates/hpa.yaml create mode 100644 resources/v1.23.3/charts/gateway/templates/poddisruptionbudget.yaml create mode 100644 resources/v1.23.3/charts/gateway/templates/role.yaml create mode 100644 resources/v1.23.3/charts/gateway/templates/service.yaml create mode 100644 resources/v1.23.3/charts/gateway/templates/serviceaccount.yaml create mode 100644 resources/v1.23.3/charts/gateway/templates/zzz_profile.yaml create mode 100644 resources/v1.23.3/charts/gateway/values.schema.json create mode 100644 resources/v1.23.3/charts/gateway/values.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/Chart.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/NOTES.txt create mode 100644 resources/v1.23.3/charts/istiod-remote/files/gateway-injection-template.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/files/injection-template.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/files/profile-ambient.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml create mode 100644 
resources/v1.23.3/charts/istiod-remote/files/profile-demo.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/files/profile-openshift-ambient.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/files/profile-openshift.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/files/profile-preview.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/files/profile-stable.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/_helpers.tpl create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/clusterrole.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/clusterrolebinding.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/configmap.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/default.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/endpoints.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/istiod-injector-configmap.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/mutatingwebhook.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/reader-clusterrole.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/reader-clusterrolebinding.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/reader-serviceaccount.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/role.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/rolebinding.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/serviceaccount.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/services.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/validatingadmissionpolicy.yaml create mode 100644 
resources/v1.23.3/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/templates/zzz_profile.yaml create mode 100644 resources/v1.23.3/charts/istiod-remote/values.yaml create mode 100644 resources/v1.23.3/charts/istiod/Chart.yaml create mode 100644 resources/v1.23.3/charts/istiod/README.md create mode 100644 resources/v1.23.3/charts/istiod/files/gateway-injection-template.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/grpc-agent.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/grpc-simple.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/injection-template.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/kube-gateway.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/profile-ambient.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/profile-compatibility-version-1.20.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/profile-compatibility-version-1.22.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/profile-demo.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/profile-openshift-ambient.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/profile-openshift.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/profile-preview.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/profile-stable.yaml create mode 100644 resources/v1.23.3/charts/istiod/files/waypoint.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/NOTES.txt create mode 100644 resources/v1.23.3/charts/istiod/templates/_helpers.tpl create mode 100644 resources/v1.23.3/charts/istiod/templates/autoscale.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/clusterrole.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/clusterrolebinding.yaml create mode 100644 
resources/v1.23.3/charts/istiod/templates/configmap-jwks.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/configmap.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/deployment.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/istiod-injector-configmap.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/mutatingwebhook.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/poddisruptionbudget.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/reader-clusterrole.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/reader-clusterrolebinding.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/revision-tags.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/role.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/rolebinding.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/service.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/serviceaccount.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/validatingadmissionpolicy.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/validatingwebhookconfiguration.yaml create mode 100644 resources/v1.23.3/charts/istiod/templates/zzz_profile.yaml create mode 100644 resources/v1.23.3/charts/istiod/values.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/Chart.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/README.md create mode 100644 resources/v1.23.3/charts/ztunnel/files/profile-ambient.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/files/profile-compatibility-version-1.20.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/files/profile-compatibility-version-1.22.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/files/profile-demo.yaml create mode 100644 
resources/v1.23.3/charts/ztunnel/files/profile-openshift-ambient.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/files/profile-openshift.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/files/profile-preview.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/files/profile-stable.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/templates/NOTES.txt create mode 100644 resources/v1.23.3/charts/ztunnel/templates/_helpers.tpl create mode 100644 resources/v1.23.3/charts/ztunnel/templates/daemonset.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/templates/rbac.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/templates/zzz_profile.yaml create mode 100644 resources/v1.23.3/charts/ztunnel/values.yaml create mode 100644 resources/v1.23.3/profiles/ambient.yaml create mode 100644 resources/v1.23.3/profiles/default.yaml create mode 100644 resources/v1.23.3/profiles/demo.yaml create mode 100644 resources/v1.23.3/profiles/empty.yaml create mode 100644 resources/v1.23.3/profiles/openshift-ambient.yaml create mode 100644 resources/v1.23.3/profiles/openshift.yaml create mode 100644 resources/v1.23.3/profiles/preview.yaml create mode 100644 resources/v1.23.3/profiles/remote.yaml create mode 100644 resources/v1.23.3/profiles/stable.yaml diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 15251b657..1462dc2fe 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,6 +1,6 @@ { "name": "istio build-tools", - "image": "gcr.io/istio-testing/build-tools:master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90", + "image": "gcr.io/istio-testing/build-tools:master-a23bc8ebbbe49b421f8e876eda5dcab008e850a1", "privileged": true, "remoteEnv": { "USE_GKE_GCLOUD_AUTH_PLUGIN": "True", diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml index 335c3f7a9..27676d4e7 100644 --- a/.github/workflows/update-deps.yaml +++ b/.github/workflows/update-deps.yaml 
@@ -23,7 +23,7 @@ jobs:
 update-deps:
 runs-on: ubuntu-latest
 container:
- image: gcr.io/istio-testing/build-tools:master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90
+ image: gcr.io/istio-testing/build-tools:master-a23bc8ebbbe49b421f8e876eda5dcab008e850a1
 options: --entrypoint ''
 steps:
diff --git a/Makefile.core.mk b/Makefile.core.mk
index 24cc1bd1b..51b5f80b1 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -470,10 +470,10 @@ ISTIOCTL ?= $(LOCALBIN)/istioctl
 ## Tool Versions
 OPERATOR_SDK_VERSION ?= v1.37.0
 HELM_VERSION ?= v3.16.2
-CONTROLLER_TOOLS_VERSION ?= v0.16.4
-OPM_VERSION ?= v1.47.0
-OLM_VERSION ?= 0.28.0
-GITLEAKS_VERSION ?= v8.21.1
+CONTROLLER_TOOLS_VERSION ?= v0.16.5
+OPM_VERSION ?= v1.48.0
+OLM_VERSION ?= v0.30.0
+GITLEAKS_VERSION ?= v8.21.2
 ISTIOCTL_VERSION ?= 1.23.0
 
 # GENERATE_RELATED_IMAGES defines whether `spec.relatedImages` is going to be generated or not
diff --git a/api/v1alpha1/istio_types.go b/api/v1alpha1/istio_types.go
index a4c267f73..7ae3909fb 100644
--- a/api/v1alpha1/istio_types.go
+++ b/api/v1alpha1/istio_types.go
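Review bot: The `OLM_VERSION` line in the Makefile.core.mk hunk changes the value's format, not just its number: the old value was `0.28.0` with no prefix, while the new `v0.30.0` gains a `v`, unlike the other four variables whose old and new values both carry it. Whatever consumes `$(OLM_VERSION)` (a download URL, a release tag, or an `operator-sdk olm install --version` argument) is outside the hunk, so I cannot tell whether it tolerates the prefix; if it was written for the bare form, the install target will fetch a non-existent release. Either keep the established format with `OLM_VERSION ?= 0.30.0`, or, if the consumer was deliberately changed to expect the prefix, add a short comment on the line saying so, e.g. `# OLM release tag (note the v prefix, unlike the value used before 0.30)`.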
@@ -37,10 +37,10 @@ const (
 type IstioSpec struct {
 // +sail:version
 // Defines the version of Istio to install.
- // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
- // +kubebuilder:validation:Enum=v1.23.2;v1.22.5;v1.21.6;latest
- // +kubebuilder:default=v1.23.2
+ // Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
+ // +kubebuilder:validation:Enum=v1.23.3;v1.23.2;v1.22.6;v1.22.5;v1.21.6;latest
+ // +kubebuilder:default=v1.23.3
 Version string `json:"version"`
 
 // Defines the update strategy to use when the version in the Istio CR is updated.
@@ -261,7 +261,7 @@ type Istio struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
 
- // +kubebuilder:default={version: "v1.23.2", namespace: "istio-system", updateStrategy: {type:"InPlace"}}
+ // +kubebuilder:default={version: "v1.23.3", namespace: "istio-system", updateStrategy: {type:"InPlace"}}
 Spec IstioSpec `json:"spec,omitempty"`
 Status IstioStatus `json:"status,omitempty"`
diff --git a/api/v1alpha1/istiocni_types.go b/api/v1alpha1/istiocni_types.go
index 3aefa2829..401d7d95e 100644
--- a/api/v1alpha1/istiocni_types.go
+++ b/api/v1alpha1/istiocni_types.go
@@ -28,10 +28,10 @@ const (
 type IstioCNISpec struct {
 // +sail:version
 // Defines the version of Istio to install.
- // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
- // +kubebuilder:validation:Enum=v1.23.2;v1.22.5;v1.21.6;latest
- // +kubebuilder:default=v1.23.2
+ // Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
+ // +kubebuilder:validation:Enum=v1.23.3;v1.23.2;v1.22.6;v1.22.5;v1.21.6;latest
+ // +kubebuilder:default=v1.23.3
 Version string `json:"version"`
 
 // +sail:profile
@@ -177,7 +177,7 @@ type IstioCNI struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
 
- // +kubebuilder:default={version: "v1.23.2", namespace: "istio-cni"}
+ // +kubebuilder:default={version: "v1.23.3", namespace: "istio-cni"}
 Spec IstioCNISpec `json:"spec,omitempty"`
 Status IstioCNIStatus `json:"status,omitempty"`
diff --git a/api/v1alpha1/istiorevision_types.go b/api/v1alpha1/istiorevision_types.go
index fb9c765cf..c6bf7fdc0 100644
--- a/api/v1alpha1/istiorevision_types.go
+++ b/api/v1alpha1/istiorevision_types.go
@@ -30,9 +30,9 @@ const (
 type IstioRevisionSpec struct {
 // +sail:version
 // Defines the version of Istio to install.
- // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
- // +kubebuilder:validation:Enum=v1.23.2;v1.22.5;v1.21.6;latest
+ // Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
+ // +kubebuilder:validation:Enum=v1.23.3;v1.23.2;v1.22.6;v1.22.5;v1.21.6;latest
 Version string `json:"version"`
 
 // Namespace to which the Istio components should be installed.
diff --git a/api/v1alpha1/values_types.gen.go b/api/v1alpha1/values_types.gen.go
index c2eea6744..387be6977 100644
--- a/api/v1alpha1/values_types.gen.go
+++ b/api/v1alpha1/values_types.gen.go
@@ -1811,6 +1811,10 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct { // or if the authorization service has returned a HTTP 5xx error. // Default is false and the request will be rejected with "Forbidden" response. FailOpen *bool `json:"failOpen,omitempty"` + // If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + // If true, recalculate routes with the new ExtAuthZ added/removed headers. + // Default is false + ClearRouteCache *bool `json:"clearRouteCache,omitempty"` // Sets the HTTP status that is returned to the client when there is a network error to the authorization service. // The default status is "403" (HTTP Forbidden). StatusOnError *string `json:"statusOnError,omitempty"` @@ -1899,6 +1903,10 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationGrpcProvider struct { // or if the authorization service has returned a HTTP 5xx error. // Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately. FailOpen *bool `json:"failOpen,omitempty"` + // If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + // If true, recalculate routes with the new ExtAuthZ added/removed headers. + // Default is false + ClearRouteCache *bool `json:"clearRouteCache,omitempty"` // Sets the HTTP status that is returned to the client when there is a network error to the authorization service. // The default status is "403" (HTTP Forbidden). StatusOnError *string `json:"statusOnError,omitempty"` 
@@ -2334,7 +2342,7 @@ type MeshConfigExtensionProviderGrpcService struct { // Optional. Specifies the timeout for the GRPC request. Timeout *metav1.Duration `json:"timeout,omitempty"` // Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for - // scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + // scenarios in which additional ad hoc authorization headers (e.g. "x-foo-bar: baz-key") are to // be injected. InitialMetadata []*MeshConfigExtensionProviderHttpHeader `json:"initialMetadata,omitempty"` } @@ -2722,6 +2730,9 @@ type Tracing struct { // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS // mode as `ISTIO_MUTUAL`. TlsSettings *ClientTLSSettings `json:"tlsSettings,omitempty"` + // Determines whether or not trace spans generated by Envoy will include Istio specific tags. + // By default Istio specific tags are included in the trace spans. + EnableIstioTags *bool `json:"enableIstioTags,omitempty"` } // SDS defines secret discovery service(SDS) configuration to be used by the proxy. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index a4261bfe4..61c5cc51c 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -1935,6 +1935,11 @@ func (in *MeshConfigExtensionProviderEnvoyExternalAuthorizationGrpcProvider) Dee *out = new(bool) **out = **in } + if in.ClearRouteCache != nil { + in, out := &in.ClearRouteCache, &out.ClearRouteCache + *out = new(bool) + **out = **in + } if in.StatusOnError != nil { in, out := &in.StatusOnError, &out.StatusOnError *out = new(string) 
@@ -1985,6 +1990,11 @@ func (in *MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider) Dee *out = new(bool) **out = **in } + if in.ClearRouteCache != nil { + in, out := &in.ClearRouteCache, &out.ClearRouteCache + *out = new(bool) + **out = **in + } if in.StatusOnError != nil { in, out := &in.StatusOnError, &out.StatusOnError *out = new(string) @@ -4708,6 +4718,11 @@ func (in *Tracing) DeepCopyInto(out *Tracing) { *out = new(ClientTLSSettings) (*in).DeepCopyInto(*out) } + if in.EnableIstioTags != nil { + in, out := &in.EnableIstioTags, &out.EnableIstioTags + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Tracing. diff --git a/bundle/manifests/extensions.istio.io_wasmplugins.yaml b/bundle/manifests/extensions.istio.io_wasmplugins.yaml index 22803cb14..98dec3286 100644 --- a/bundle/manifests/extensions.istio.io_wasmplugins.yaml +++ b/bundle/manifests/extensions.istio.io_wasmplugins.yaml @@ -305,6 +305,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -321,8 +327,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/bundle/manifests/networking.istio.io_destinationrules.yaml b/bundle/manifests/networking.istio.io_destinationrules.yaml index 998f51d54..92a9d4be0 100644 --- a/bundle/manifests/networking.istio.io_destinationrules.yaml +++ b/bundle/manifests/networking.istio.io_destinationrules.yaml 
@@ -1884,6 +1884,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -1900,8 +1906,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -3801,6 +3805,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -3817,8 +3827,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -5718,6 +5726,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -5734,8 +5748,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
diff --git a/bundle/manifests/networking.istio.io_envoyfilters.yaml b/bundle/manifests/networking.istio.io_envoyfilters.yaml index f2181cfc6..af202fd69 100644 --- a/bundle/manifests/networking.istio.io_envoyfilters.yaml +++ b/bundle/manifests/networking.istio.io_envoyfilters.yaml @@ -345,6 +345,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -361,8 +367,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/bundle/manifests/networking.istio.io_gateways.yaml b/bundle/manifests/networking.istio.io_gateways.yaml index c6307b2ed..c4d5dbd8a 100644 --- a/bundle/manifests/networking.istio.io_gateways.yaml +++ b/bundle/manifests/networking.istio.io_gateways.yaml @@ -196,6 +196,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -212,8 +218,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -425,6 +429,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -441,8 +451,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -654,6 +662,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -670,8 +684,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/bundle/manifests/networking.istio.io_proxyconfigs.yaml b/bundle/manifests/networking.istio.io_proxyconfigs.yaml index a9a4ab728..a5b7a373b 100644 --- a/bundle/manifests/networking.istio.io_proxyconfigs.yaml +++ b/bundle/manifests/networking.istio.io_proxyconfigs.yaml @@ -89,6 +89,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. 
@@ -105,8 +111,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/bundle/manifests/networking.istio.io_serviceentries.yaml b/bundle/manifests/networking.istio.io_serviceentries.yaml index dab356fed..2f35395b6 100644 --- a/bundle/manifests/networking.istio.io_serviceentries.yaml +++ b/bundle/manifests/networking.istio.io_serviceentries.yaml @@ -258,6 +258,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -274,8 +280,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -551,6 +555,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -567,8 +577,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -844,6 +852,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -860,8 +874,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/bundle/manifests/networking.istio.io_sidecars.yaml b/bundle/manifests/networking.istio.io_sidecars.yaml index dd6b32b37..38a3a21fa 100644 --- a/bundle/manifests/networking.istio.io_sidecars.yaml +++ b/bundle/manifests/networking.istio.io_sidecars.yaml @@ -503,6 +503,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -519,8 +525,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -1041,6 +1045,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. 
@@ -1057,8 +1067,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -1579,6 +1587,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -1595,8 +1609,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/bundle/manifests/networking.istio.io_virtualservices.yaml b/bundle/manifests/networking.istio.io_virtualservices.yaml index b07b71aa1..30590fe26 100644 --- a/bundle/manifests/networking.istio.io_virtualservices.yaml +++ b/bundle/manifests/networking.istio.io_virtualservices.yaml @@ -1003,6 +1003,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -1019,8 +1025,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -2039,6 +2043,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -2055,8 +2065,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -3075,6 +3083,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -3091,8 +3105,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/bundle/manifests/networking.istio.io_workloadentries.yaml b/bundle/manifests/networking.istio.io_workloadentries.yaml index 8ff93a410..5a42a45b6 100644 --- a/bundle/manifests/networking.istio.io_workloadentries.yaml +++ b/bundle/manifests/networking.istio.io_workloadentries.yaml @@ -121,6 +121,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. 
@@ -137,8 +143,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -277,6 +281,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -293,8 +303,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -433,6 +441,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -449,8 +463,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/bundle/manifests/networking.istio.io_workloadgroups.yaml b/bundle/manifests/networking.istio.io_workloadgroups.yaml index 486c0e689..44679f157 100644 --- a/bundle/manifests/networking.istio.io_workloadgroups.yaml +++ b/bundle/manifests/networking.istio.io_workloadgroups.yaml 
@@ -249,6 +249,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -265,8 +271,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -535,6 +539,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -551,8 +561,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -821,6 +829,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -837,8 +851,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index 445147a99..5ac188adf 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml @@ -16,7 +16,7 @@ metadata: "inactiveRevisionDeletionGracePeriodSeconds": 30, "type": "InPlace" }, - "version": "v1.23.2" + "version": "v1.23.3" } }, { @@ -27,14 +27,14 @@ metadata: }, "spec": { "namespace": "istio-cni", - "version": "v1.23.2" + "version": "v1.23.3" } } ] capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-10-31T13:13:52Z" + createdAt: "2024-11-12T12:00:34Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -160,12 +160,14 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. + Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.23.3 - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.6 - urn:alm:descriptor:com.tectonic.ui:select:v1.22.5 - urn:alm:descriptor:com.tectonic.ui:select:v1.21.6 - urn:alm:descriptor:com.tectonic.ui:select:latest 
@@ -198,12 +200,14 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. + Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.23.3 - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.6 - urn:alm:descriptor:com.tectonic.ui:select:v1.22.5 - urn:alm:descriptor:com.tectonic.ui:select:v1.21.6 - urn:alm:descriptor:com.tectonic.ui:select:latest @@ -244,12 +248,14 @@ spec: - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased - description: |- Defines the version of Istio to install. - Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. + Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.23.3 - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.6 - urn:alm:descriptor:com.tectonic.ui:select:v1.22.5 - urn:alm:descriptor:com.tectonic.ui:select:v1.21.6 - urn:alm:descriptor:com.tectonic.ui:select:latest @@ -300,10 +306,12 @@ spec: This version of the operator supports the following Istio versions: + - v1.23.3 - v1.23.2 + - v1.22.6 - v1.22.5 - v1.21.6 - - latest (bb972b54) + - latest (b1ee384c) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. displayName: Sail Operator 
@@ -527,10 +535,10 @@ spec: template: metadata: annotations: - images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec - images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec - images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec - images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec + images.latest.cni: gcr.io/istio-testing/install-cni:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e + images.latest.istiod: gcr.io/istio-testing/pilot:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e + images.latest.proxy: gcr.io/istio-testing/proxyv2:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e + images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6 
@@ -539,10 +547,18 @@ spec: images.v1_22_5.istiod: docker.io/istio/pilot:1.22.5 images.v1_22_5.proxy: docker.io/istio/proxyv2:1.22.5 images.v1_22_5.ztunnel: docker.io/istio/ztunnel:1.22.5 + images.v1_22_6.cni: docker.io/istio/install-cni:1.22.6 + images.v1_22_6.istiod: docker.io/istio/pilot:1.22.6 + images.v1_22_6.proxy: docker.io/istio/proxyv2:1.22.6 + images.v1_22_6.ztunnel: docker.io/istio/ztunnel:1.22.6 images.v1_23_2.cni: docker.io/istio/install-cni:1.23.2 images.v1_23_2.istiod: docker.io/istio/pilot:1.23.2 images.v1_23_2.proxy: docker.io/istio/proxyv2:1.23.2 images.v1_23_2.ztunnel: docker.io/istio/ztunnel:1.23.2 + images.v1_23_3.cni: docker.io/istio/install-cni:1.23.3 + images.v1_23_3.istiod: docker.io/istio/pilot:1.23.3 + images.v1_23_3.proxy: docker.io/istio/proxyv2:1.23.3 + images.v1_23_3.ztunnel: docker.io/istio/ztunnel:1.23.3 kubectl.kubernetes.io/default-container: sail-operator labels: app.kubernetes.io/created-by: sailoperator @@ -695,13 +711,13 @@ spec: provider: name: Red Hat, Inc. relatedImages: - - image: gcr.io/istio-testing/install-cni:1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec + - image: gcr.io/istio-testing/install-cni:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e name: latest.cni - - image: gcr.io/istio-testing/pilot:1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec + - image: gcr.io/istio-testing/pilot:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e name: latest.istiod - - image: gcr.io/istio-testing/proxyv2:1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec + - image: gcr.io/istio-testing/proxyv2:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e name: latest.proxy - - image: gcr.io/istio-testing/ztunnel:1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec + - image: gcr.io/istio-testing/ztunnel:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e name: latest.ztunnel - image: docker.io/istio/install-cni:1.21.6 name: v1_21_6.cni 
@@ -719,6 +735,14 @@ spec: name: v1_22_5.proxy - image: docker.io/istio/ztunnel:1.22.5 name: v1_22_5.ztunnel + - image: docker.io/istio/install-cni:1.22.6 + name: v1_22_6.cni + - image: docker.io/istio/pilot:1.22.6 + name: v1_22_6.istiod + - image: docker.io/istio/proxyv2:1.22.6 + name: v1_22_6.proxy + - image: docker.io/istio/ztunnel:1.22.6 + name: v1_22_6.ztunnel - image: docker.io/istio/install-cni:1.23.2 name: v1_23_2.cni - image: docker.io/istio/pilot:1.23.2 @@ -727,4 +751,12 @@ spec: name: v1_23_2.proxy - image: docker.io/istio/ztunnel:1.23.2 name: v1_23_2.ztunnel + - image: docker.io/istio/install-cni:1.23.3 + name: v1_23_3.cni + - image: docker.io/istio/pilot:1.23.3 + name: v1_23_3.istiod + - image: docker.io/istio/proxyv2:1.23.3 + name: v1_23_3.proxy + - image: docker.io/istio/ztunnel:1.23.3 + name: v1_23_3.ztunnel version: 0.2.0 diff --git a/bundle/manifests/sailoperator.io_istiocnis.yaml b/bundle/manifests/sailoperator.io_istiocnis.yaml index ed0915fcd..b1c824fab 100644 --- a/bundle/manifests/sailoperator.io_istiocnis.yaml +++ b/bundle/manifests/sailoperator.io_istiocnis.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null name: istiocnis.sailoperator.io spec: @@ -58,7 +58,7 @@ spec: spec: default: namespace: istio-cni - version: v1.23.2 + version: v1.23.3 description: IstioCNISpec defines the desired state of IstioCNI properties: namespace: @@ -1411,12 +1411,14 @@ spec: type: object type: object version: - default: v1.23.2 + default: v1.23.3 description: |- Defines the version of Istio to install. - Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. + Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. enum: + - v1.23.3 - v1.23.2 + - v1.22.6 - v1.22.5 - v1.21.6 - latest 
diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml index 29d602daf..aa11b9131 100644 --- a/bundle/manifests/sailoperator.io_istiorevisions.yaml +++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null name: istiorevisions.sailoperator.io spec: @@ -3784,6 +3784,11 @@ spec: description: Address of the Datadog Agent. type: string type: object + enableIstioTags: + description: |- + Determines whether or not trace spans generated by Envoy will include Istio specific tags. + By default Istio specific tags are included in the trace spans. + type: boolean lightstep: description: |- Use a Lightstep tracer. @@ -4273,6 +4278,12 @@ spec: implements the Envoy ext_authz filter authorization check service using the gRPC API. properties: + clearRouteCache: + description: |- + If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + If true, recalculate routes with the new ExtAuthZ added/removed headers. + Default is false + type: boolean failOpen: description: |- If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, @@ -4342,6 +4353,12 @@ spec: implements the Envoy ext_authz filter authorization check service using the HTTP API. properties: + clearRouteCache: + description: |- + If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + If true, recalculate routes with the new ExtAuthZ added/removed headers. + Default is false + type: boolean failOpen: description: |- If true, the user request will be allowed even if the communication with the authorization service has failed, 
@@ -4911,7 +4928,7 @@ spec: initialMetadata: description: |- Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for - scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + scenarios in which additional ad hoc authorization headers (e.g. "x-foo-bar: baz-key") are to be injected. items: properties: @@ -9372,9 +9389,11 @@ spec: version: description: |- Defines the version of Istio to install. - Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. + Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. enum: + - v1.23.3 - v1.23.2 + - v1.22.6 - v1.22.5 - v1.21.6 - latest diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index 61a82141b..8bffa1a16 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.16.5 creationTimestamp: null name: istios.sailoperator.io spec: @@ -80,7 +80,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.23.2 + version: v1.23.3 description: IstioSpec defines the desired state of Istio properties: namespace: @@ -3853,6 +3853,11 @@ spec: description: Address of the Datadog Agent. type: string type: object + enableIstioTags: + description: |- + Determines whether or not trace spans generated by Envoy will include Istio specific tags. + By default Istio specific tags are included in the trace spans. + type: boolean lightstep: description: |- Use a Lightstep tracer. 
@@ -4342,6 +4347,12 @@ spec: implements the Envoy ext_authz filter authorization check service using the gRPC API. properties: + clearRouteCache: + description: |- + If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + If true, recalculate routes with the new ExtAuthZ added/removed headers. + Default is false + type: boolean failOpen: description: |- If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, @@ -4411,6 +4422,12 @@ spec: implements the Envoy ext_authz filter authorization check service using the HTTP API. properties: + clearRouteCache: + description: |- + If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + If true, recalculate routes with the new ExtAuthZ added/removed headers. + Default is false + type: boolean failOpen: description: |- If true, the user request will be allowed even if the communication with the authorization service has failed, @@ -4980,7 +4997,7 @@ spec: initialMetadata: description: |- Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for - scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + scenarios in which additional ad hoc authorization headers (e.g. "x-foo-bar: baz-key") are to be injected. items: properties: @@ -9439,12 +9456,14 @@ spec: type: object type: object version: - default: v1.23.2 + default: v1.23.3 description: |- Defines the version of Istio to install. - Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. + Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. enum: + - v1.23.3 - v1.23.2 + - v1.22.6 - v1.22.5 - v1.21.6 - latest diff --git a/bundle/manifests/security.istio.io_authorizationpolicies.yaml b/bundle/manifests/security.istio.io_authorizationpolicies.yaml index bebc1b2c6..7f450f367 100644 
--- a/bundle/manifests/security.istio.io_authorizationpolicies.yaml +++ b/bundle/manifests/security.istio.io_authorizationpolicies.yaml @@ -321,6 +321,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -337,8 +343,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -674,6 +678,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -690,8 +700,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/bundle/manifests/security.istio.io_peerauthentications.yaml b/bundle/manifests/security.istio.io_peerauthentications.yaml index 0d9ad5524..e0393c18e 100644 --- a/bundle/manifests/security.istio.io_peerauthentications.yaml +++ b/bundle/manifests/security.istio.io_peerauthentications.yaml 
@@ -127,6 +127,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -143,8 +149,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -286,6 +290,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -302,8 +312,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/bundle/manifests/security.istio.io_requestauthentications.yaml b/bundle/manifests/security.istio.io_requestauthentications.yaml index 2d1b0ba00..52135c199 100644 --- a/bundle/manifests/security.istio.io_requestauthentications.yaml +++ b/bundle/manifests/security.istio.io_requestauthentications.yaml @@ -255,6 +255,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. 
@@ -271,8 +277,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -542,6 +546,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -558,8 +568,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/bundle/manifests/telemetry.istio.io_telemetries.yaml b/bundle/manifests/telemetry.istio.io_telemetries.yaml index ec3cf100a..9a897b7b9 100644 --- a/bundle/manifests/telemetry.istio.io_telemetries.yaml +++ b/bundle/manifests/telemetry.istio.io_telemetries.yaml @@ -354,6 +354,11 @@ spec: description: Controls span reporting. nullable: true type: boolean + enableIstioTags: + description: Determines whether or not trace spans generated + by Envoy will include Istio specific tags. + nullable: true + type: boolean match: description: Allows tailoring of behavior to specific conditions. properties: @@ -416,6 +421,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. 
@@ -432,8 +443,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -802,6 +811,11 @@ spec: description: Controls span reporting. nullable: true type: boolean + enableIstioTags: + description: Determines whether or not trace spans generated + by Envoy will include Istio specific tags. + nullable: true + type: boolean match: description: Allows tailoring of behavior to specific conditions. properties: @@ -864,6 +878,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -880,8 +900,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/crds/extensions.istio.io_wasmplugins.yaml b/chart/crds/extensions.istio.io_wasmplugins.yaml index 1acec4b67..2067b280d 100644 --- a/chart/crds/extensions.istio.io_wasmplugins.yaml +++ b/chart/crds/extensions.istio.io_wasmplugins.yaml @@ -305,6 +305,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. 
@@ -321,8 +327,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/crds/networking.istio.io_destinationrules.yaml b/chart/crds/networking.istio.io_destinationrules.yaml index b00eef64e..451f7352d 100644 --- a/chart/crds/networking.istio.io_destinationrules.yaml +++ b/chart/crds/networking.istio.io_destinationrules.yaml @@ -1883,6 +1883,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -1899,8 +1905,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -3800,6 +3804,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -3816,8 +3826,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -5717,6 +5725,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -5733,8 +5747,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/crds/networking.istio.io_envoyfilters.yaml b/chart/crds/networking.istio.io_envoyfilters.yaml index e2be5b942..70ed2f9fb 100644 --- a/chart/crds/networking.istio.io_envoyfilters.yaml +++ b/chart/crds/networking.istio.io_envoyfilters.yaml @@ -344,6 +344,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -360,8 +366,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/crds/networking.istio.io_gateways.yaml b/chart/crds/networking.istio.io_gateways.yaml index 0d29b562f..ece08a057 100644 --- a/chart/crds/networking.istio.io_gateways.yaml +++ b/chart/crds/networking.istio.io_gateways.yaml 
@@ -195,6 +195,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -211,8 +217,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -424,6 +428,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -440,8 +450,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -653,6 +661,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -669,8 +683,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
diff --git a/chart/crds/networking.istio.io_proxyconfigs.yaml b/chart/crds/networking.istio.io_proxyconfigs.yaml index 7432a7498..e7e64d508 100644 --- a/chart/crds/networking.istio.io_proxyconfigs.yaml +++ b/chart/crds/networking.istio.io_proxyconfigs.yaml @@ -88,6 +88,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -104,8 +110,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/crds/networking.istio.io_serviceentries.yaml b/chart/crds/networking.istio.io_serviceentries.yaml index a87b1c236..de8ff0350 100644 --- a/chart/crds/networking.istio.io_serviceentries.yaml +++ b/chart/crds/networking.istio.io_serviceentries.yaml @@ -257,6 +257,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -273,8 +279,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -550,6 +554,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -566,8 +576,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -843,6 +851,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -859,8 +873,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/crds/networking.istio.io_sidecars.yaml b/chart/crds/networking.istio.io_sidecars.yaml index 560e8fbb1..3ea0e2665 100644 --- a/chart/crds/networking.istio.io_sidecars.yaml +++ b/chart/crds/networking.istio.io_sidecars.yaml @@ -502,6 +502,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. 
@@ -518,8 +524,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -1040,6 +1044,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -1056,8 +1066,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -1578,6 +1586,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -1594,8 +1608,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/crds/networking.istio.io_virtualservices.yaml b/chart/crds/networking.istio.io_virtualservices.yaml index 8a49cfad3..39e31750c 100644 --- a/chart/crds/networking.istio.io_virtualservices.yaml +++ b/chart/crds/networking.istio.io_virtualservices.yaml 
@@ -1002,6 +1002,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -1018,8 +1024,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -2038,6 +2042,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -2054,8 +2064,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -3074,6 +3082,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -3090,8 +3104,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
diff --git a/chart/crds/networking.istio.io_workloadentries.yaml b/chart/crds/networking.istio.io_workloadentries.yaml index cf682cd2d..f0053326f 100644 --- a/chart/crds/networking.istio.io_workloadentries.yaml +++ b/chart/crds/networking.istio.io_workloadentries.yaml @@ -120,6 +120,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -136,8 +142,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -276,6 +280,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -292,8 +302,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -432,6 +440,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. 
@@ -448,8 +462,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/crds/networking.istio.io_workloadgroups.yaml b/chart/crds/networking.istio.io_workloadgroups.yaml index 9f06ab833..2758ad3ab 100644 --- a/chart/crds/networking.istio.io_workloadgroups.yaml +++ b/chart/crds/networking.istio.io_workloadgroups.yaml @@ -248,6 +248,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -264,8 +270,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -534,6 +538,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -550,8 +560,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -820,6 +828,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -836,8 +850,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/crds/sailoperator.io_istiocnis.yaml b/chart/crds/sailoperator.io_istiocnis.yaml index 0cd39dcad..262b35231 100644 --- a/chart/crds/sailoperator.io_istiocnis.yaml +++ b/chart/crds/sailoperator.io_istiocnis.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.16.5 name: istiocnis.sailoperator.io spec: group: sailoperator.io @@ -58,7 +58,7 @@ spec: spec: default: namespace: istio-cni - version: v1.23.2 + version: v1.23.3 description: IstioCNISpec defines the desired state of IstioCNI properties: namespace: @@ -1411,12 +1411,14 @@ spec: type: object type: object version: - default: v1.23.2 + default: v1.23.3 description: |- Defines the version of Istio to install. - Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. + Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. enum: + - v1.23.3 - v1.23.2 + - v1.22.6 - v1.22.5 - v1.21.6 - latest diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml index 5708dbe4d..ce7fe35da 100644 --- a/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/chart/crds/sailoperator.io_istiorevisions.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.16.5 name: istiorevisions.sailoperator.io spec: group: sailoperator.io @@ -3784,6 +3784,11 @@ spec: description: Address of the Datadog Agent. type: string type: object + enableIstioTags: + description: |- + Determines whether or not trace spans generated by Envoy will include Istio specific tags. + By default Istio specific tags are included in the trace spans. + type: boolean lightstep: description: |- Use a Lightstep tracer. @@ -4273,6 +4278,12 @@ spec: implements the Envoy ext_authz filter authorization check service using the gRPC API. properties: + clearRouteCache: + description: |- + If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + If true, recalculate routes with the new ExtAuthZ added/removed headers. + Default is false + type: boolean failOpen: description: |- If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, @@ -4342,6 +4353,12 @@ spec: implements the Envoy ext_authz filter authorization check service using the HTTP API. properties: + clearRouteCache: + description: |- + If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + If true, recalculate routes with the new ExtAuthZ added/removed headers. + Default is false + type: boolean failOpen: description: |- If true, the user request will be allowed even if the communication with the authorization service has failed, 
@@ -4911,7 +4928,7 @@ spec: initialMetadata: description: |- Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for - scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + scenarios in which additional ad hoc authorization headers (e.g. "x-foo-bar: baz-key") are to be injected. items: properties: @@ -9372,9 +9389,11 @@ spec: version: description: |- Defines the version of Istio to install. - Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. + Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. enum: + - v1.23.3 - v1.23.2 + - v1.22.6 - v1.22.5 - v1.21.6 - latest diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index 51b234a6d..283b866bf 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.4 + controller-gen.kubebuilder.io/version: v0.16.5 name: istios.sailoperator.io spec: group: sailoperator.io @@ -80,7 +80,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.23.2 + version: v1.23.3 description: IstioSpec defines the desired state of Istio properties: namespace: @@ -3853,6 +3853,11 @@ spec: description: Address of the Datadog Agent. type: string type: object + enableIstioTags: + description: |- + Determines whether or not trace spans generated by Envoy will include Istio specific tags. + By default Istio specific tags are included in the trace spans. + type: boolean lightstep: description: |- Use a Lightstep tracer. 
@@ -4342,6 +4347,12 @@ spec: implements the Envoy ext_authz filter authorization check service using the gRPC API. properties: + clearRouteCache: + description: |- + If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + If true, recalculate routes with the new ExtAuthZ added/removed headers. + Default is false + type: boolean failOpen: description: |- If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, @@ -4411,6 +4422,12 @@ spec: implements the Envoy ext_authz filter authorization check service using the HTTP API. properties: + clearRouteCache: + description: |- + If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + If true, recalculate routes with the new ExtAuthZ added/removed headers. + Default is false + type: boolean failOpen: description: |- If true, the user request will be allowed even if the communication with the authorization service has failed, @@ -4980,7 +4997,7 @@ spec: initialMetadata: description: |- Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for - scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + scenarios in which additional ad hoc authorization headers (e.g. "x-foo-bar: baz-key") are to be injected. items: properties: @@ -9439,12 +9456,14 @@ spec: type: object type: object version: - default: v1.23.2 + default: v1.23.3 description: |- Defines the version of Istio to install. - Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. + Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. enum: + - v1.23.3 - v1.23.2 + - v1.22.6 - v1.22.5 - v1.21.6 - latest diff --git a/chart/crds/security.istio.io_authorizationpolicies.yaml b/chart/crds/security.istio.io_authorizationpolicies.yaml index 0f72f71e1..a83d6ee0c 100644 
--- a/chart/crds/security.istio.io_authorizationpolicies.yaml +++ b/chart/crds/security.istio.io_authorizationpolicies.yaml @@ -320,6 +320,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -336,8 +342,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -673,6 +677,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -689,8 +699,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/crds/security.istio.io_peerauthentications.yaml b/chart/crds/security.istio.io_peerauthentications.yaml index 3d6895db5..329efc01f 100644 --- a/chart/crds/security.istio.io_peerauthentications.yaml +++ b/chart/crds/security.istio.io_peerauthentications.yaml 
@@ -126,6 +126,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -142,8 +148,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -285,6 +289,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -301,8 +311,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/crds/security.istio.io_requestauthentications.yaml b/chart/crds/security.istio.io_requestauthentications.yaml index 53fe59d32..2d6729688 100644 --- a/chart/crds/security.istio.io_requestauthentications.yaml +++ b/chart/crds/security.istio.io_requestauthentications.yaml @@ -254,6 +254,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. 
@@ -270,8 +276,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -541,6 +545,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -557,8 +567,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/crds/telemetry.istio.io_telemetries.yaml b/chart/crds/telemetry.istio.io_telemetries.yaml index c858b2995..beaa1537b 100644 --- a/chart/crds/telemetry.istio.io_telemetries.yaml +++ b/chart/crds/telemetry.istio.io_telemetries.yaml @@ -353,6 +353,11 @@ spec: description: Controls span reporting. nullable: true type: boolean + enableIstioTags: + description: Determines whether or not trace spans generated + by Envoy will include Istio specific tags. + nullable: true + type: boolean match: description: Allows tailoring of behavior to specific conditions. properties: @@ -415,6 +420,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. 
@@ -431,8 +442,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -801,6 +810,11 @@ spec: description: Controls span reporting. nullable: true type: boolean + enableIstioTags: + description: Determines whether or not trace spans generated + by Envoy will include Istio specific tags. + nullable: true + type: boolean match: description: Allows tailoring of behavior to specific conditions. properties: @@ -863,6 +877,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -879,8 +899,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/chart/samples/istio-sample-kubernetes.yaml b/chart/samples/istio-sample-kubernetes.yaml index 19cbe8862..954b09b6f 100644 --- a/chart/samples/istio-sample-kubernetes.yaml +++ b/chart/samples/istio-sample-kubernetes.yaml @@ -3,7 +3,7 @@ kind: Istio metadata: name: default spec: - version: v1.23.2 + version: v1.23.3 namespace: istio-system updateStrategy: type: InPlace diff --git a/chart/samples/istio-sample-openshift.yaml b/chart/samples/istio-sample-openshift.yaml index 69044c36d..260fc1ebd 100644 --- a/chart/samples/istio-sample-openshift.yaml +++ b/chart/samples/istio-sample-openshift.yaml 
@@ -3,7 +3,7 @@ kind: Istio metadata: name: default spec: - version: v1.23.2 + version: v1.23.3 namespace: istio-system updateStrategy: type: InPlace diff --git a/chart/samples/istiocni-sample.yaml b/chart/samples/istiocni-sample.yaml index 61ace75cc..12921495a 100644 --- a/chart/samples/istiocni-sample.yaml +++ b/chart/samples/istiocni-sample.yaml @@ -3,5 +3,5 @@ kind: IstioCNI metadata: name: default spec: - version: v1.23.2 + version: v1.23.3 namespace: istio-cni diff --git a/chart/values.yaml b/chart/values.yaml index 9b565f5da..eaa244e9a 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -18,10 +18,12 @@ csv: This version of the operator supports the following Istio versions: + - v1.23.3 - v1.23.2 + - v1.22.6 - v1.22.5 - v1.21.6 - - latest (bb972b54) + - latest (b1ee384c) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. support: Community based diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha index aebb24f3e..2917e989a 100644 --- a/common/.commonfiles.sha +++ b/common/.commonfiles.sha @@ -1 +1 @@ -82dc68a737b72d394c344d4fd71ff9e9ebf01852 +f8a57ea3b40f8c109df7176c0407f74571c0ddf7 diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh index c63f1fa33..32ae36cbc 100755 --- a/common/scripts/setup_env.sh +++ b/common/scripts/setup_env.sh @@ -75,7 +75,7 @@ fi TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io} PROJECT_ID=${PROJECT_ID:-istio-testing} if [[ "${IMAGE_VERSION:-}" == "" ]]; then - IMAGE_VERSION=master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90 + IMAGE_VERSION=master-a23bc8ebbbe49b421f8e876eda5dcab008e850a1 fi if [[ "${IMAGE_NAME:-}" == "" ]]; then IMAGE_NAME=build-tools diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md index 6fdbe9628..743378852 100644 --- a/docs/api-reference/sailoperator.io.md +++ b/docs/api-reference/sailoperator.io.md 
@@ -506,7 +506,7 @@ _Appears in:_ | `kind` _string_ | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | | | `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | | | `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | -| `spec` _[IstioSpec](#istiospec)_ | | \{ namespace:istio-system updateStrategy:map[type:InPlace] version:v1.23.2 \} | | +| `spec` _[IstioSpec](#istiospec)_ | | \{ namespace:istio-system updateStrategy:map[type:InPlace] version:v1.23.3 \} | | | `status` _[IstioStatus](#istiostatus)_ | | | | 
@@ -528,7 +528,7 @@ _Appears in:_ | `kind` _string_ | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | | | `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | | | `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | -| `spec` _[IstioCNISpec](#istiocnispec)_ | | \{ namespace:istio-cni version:v1.23.2 \} | | +| `spec` _[IstioCNISpec](#istiocnispec)_ | | \{ namespace:istio-cni version:v1.23.3 \} | | | `status` _[IstioCNIStatus](#istiocnistatus)_ | | | | 
@@ -624,7 +624,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | v1.23.2 | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. | v1.23.3 | Enum: [v1.23.3 v1.23.2 v1.22.6 v1.22.5 v1.21.6 latest] | | `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview remote stable] | | `namespace` _string_ | Namespace to which the Istio CNI component should be installed. | istio-cni | | | `values` _[CNIValues](#cnivalues)_ | Defines the values to be passed to the Helm charts when installing Istio CNI. | | | @@ -852,7 +852,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. | | Enum: [v1.23.3 v1.23.2 v1.22.6 v1.22.5 v1.21.6 latest] | | `namespace` _string_ | Namespace to which the Istio components should be installed. | | | | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | | 
@@ -888,7 +888,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | v1.23.2 | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. | v1.23.3 | Enum: [v1.23.3 v1.23.2 v1.22.6 v1.22.5 v1.21.6 latest] | | `updateStrategy` _[IstioUpdateStrategy](#istioupdatestrategy)_ | Defines the update strategy to use when the version in the Istio CR is updated. | \{ type:InPlace \} | | | `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview remote stable] | | `namespace` _string_ | Namespace to which the Istio components should be installed. Note that this field is immutable. | istio-system | | 
@@ -1291,6 +1291,7 @@ _Appears in:_ | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} | | `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `failOpen` field. | | | | `failOpen` _boolean_ | If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately. | | | +| `clearRouteCache` _boolean_ | If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. If true, recalculate routes with the new ExtAuthZ added/removed headers. Default is false | | | | `statusOnError` _string_ | Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden). | | | | `includeRequestBodyInCheck` _[MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody](#meshconfigextensionproviderenvoyexternalauthorizationrequestbody)_ | If set, the client request body will be included in the authorization request sent to the authorization service. | | | 
@@ -1313,6 +1314,7 @@ _Appears in:_ | `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `failOpen` field. | | | | `pathPrefix` _string_ | Sets a prefix to the value of authorization request header *Path*. For example, setting this to "/check" for an original user request at path "/admin" will cause the authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin". | | | | `failOpen` _boolean_ | If true, the user request will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false and the request will be rejected with "Forbidden" response. | | | +| `clearRouteCache` _boolean_ | If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. If true, recalculate routes with the new ExtAuthZ added/removed headers. Default is false | | | | `statusOnError` _string_ | Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden). | | | | `includeHeadersInCheck` _string array_ | DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. | | | | `includeRequestHeadersInCheck` _string array_ | List of client request headers that should be included in the authorization request sent to the authorization service. Note that in addition to the headers specified here following headers are included by default: 1. 
*Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | | @@ -2811,6 +2813,7 @@ _Appears in:_ | `openCensusAgent` _[TracingOpenCensusAgent](#tracingopencensusagent)_ | Use an OpenCensus tracer exporting to an OpenCensus agent. | | | | `sampling` _float_ | The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0. | | | | `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | +| `enableIstioTags` _boolean_ | Determines whether or not trace spans generated by Envoy will include Istio specific tags. By default Istio specific tags are included in the trace spans. | | | diff --git a/go.mod b/go.mod index 78bb6deca..6dda0fdd9 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,8 @@ module github.com/istio-ecosystem/sail-operator -go 1.22.0 +go 1.23 + +toolchain go1.23.2 // Client-go does not handle different versions of mergo due to some breaking changes - use the matching version // This replacement is aligned with istio/istio's go.mod 
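Review bot: Raising the `go` directive from `1.22.0` to `1.23` in the first go.mod hunk is not only a minimum-compiler bump — the main module's `go` line also selects the default GODEBUG settings, and the Go 1.23 set includes disabling the 3DES TLS cipher suites (`tls3des=0`), enabling the X25519Kyber768 hybrid key exchange (`tlskyber=1`) and the stricter `x509keypairleaf` behaviour, which every TLS client in the operator (at least the Kubernetes API client pulled in via client-go) now inherits. That deserves a sentence in the commit message and a CI run against the oldest supported cluster rather than being folded into a dependency refresh. The new `toolchain go1.23.2` line additionally means a developer or CI machine on an older Go will auto-download that toolchain from the module proxy under the default `GOTOOLCHAIN=auto`; if builds are meant to come only from the pinned build-tools image bumped in `common/scripts/setup_env.sh`, set `GOTOOLCHAIN=local` in the Makefile or CI environment so the download path is never taken. A one-line comment above the directive such as `// go 1.23 also flips GODEBUG defaults (tls3des=0, tlskyber=1, x509keypairleaf=1); see https://go.dev/doc/godebug` would make the implicit change visible to the next person who bumps it.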
@@ -13,24 +15,24 @@ require ( github.com/google/go-cmp v0.6.0 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 github.com/magiconair/properties v1.8.7 - github.com/onsi/ginkgo/v2 v2.20.1 - github.com/onsi/gomega v1.34.2 - github.com/prometheus/common v0.60.0 + github.com/onsi/ginkgo/v2 v2.20.2 + github.com/onsi/gomega v1.35.0 + github.com/prometheus/common v0.60.1 github.com/stretchr/testify v1.9.0 golang.org/x/mod v0.20.0 - golang.org/x/text v0.18.0 + golang.org/x/text v0.19.0 golang.org/x/tools v0.24.0 gomodules.xyz/jsonpatch/v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.16.1 - istio.io/client-go v1.24.0-alpha.0.0.20241018201953-b3ca3b2a6ef6 - istio.io/istio v0.0.0-20241022213331-bb972b546125 - k8s.io/api v0.31.1 - k8s.io/apiextensions-apiserver v0.31.1 - k8s.io/apimachinery v0.31.1 - k8s.io/cli-runtime v0.31.1 - k8s.io/client-go v0.31.1 - sigs.k8s.io/controller-runtime v0.19.0 + helm.sh/helm/v3 v3.16.2 + istio.io/client-go v1.24.0-alpha.0.0.20241108002529-3f60d583a76f + istio.io/istio v0.0.0-20241111230131-b1ee384c11f0 + k8s.io/api v0.31.2 + k8s.io/apiextensions-apiserver v0.31.2 + k8s.io/apimachinery v0.31.2 + k8s.io/cli-runtime v0.31.2 + k8s.io/client-go v0.31.2 + sigs.k8s.io/controller-runtime v0.19.1 ) require ( @@ -65,7 +67,7 @@ require ( github.com/evanphx/json-patch v5.9.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect - github.com/fatih/color v1.17.0 // indirect + github.com/fatih/color v1.18.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect 
@@ -126,7 +128,7 @@ require ( github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/prometheus/client_golang v1.20.4 // indirect + github.com/prometheus/client_golang v1.20.5 // indirect github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/procfs v0.15.1 // indirect github.com/rivo/uniseg v0.4.6 // indirect 
@@ -143,35 +145,35 @@ require ( github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/xlab/treeprint v1.2.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect - go.opentelemetry.io/otel v1.30.0 // indirect - go.opentelemetry.io/otel/metric v1.30.0 // indirect - go.opentelemetry.io/otel/trace v1.30.0 // indirect + go.opentelemetry.io/otel v1.31.0 // indirect + go.opentelemetry.io/otel/metric v1.31.0 // indirect + go.opentelemetry.io/otel/trace v1.31.0 // indirect go.starlark.net v0.0.0-20231121155337-90ade8b19d09 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.27.0 // indirect + golang.org/x/crypto v0.28.0 // indirect golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect - golang.org/x/net v0.29.0 // indirect + golang.org/x/net v0.30.0 // indirect golang.org/x/oauth2 v0.23.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/sys v0.25.0 // indirect - golang.org/x/term v0.24.0 // indirect - golang.org/x/time v0.6.0 // indirect + golang.org/x/sys v0.26.0 // indirect + golang.org/x/term v0.25.0 // indirect + golang.org/x/time v0.7.0 // indirect golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241021214115-324edc3d5d38 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 // indirect google.golang.org/grpc v1.67.1 // indirect - google.golang.org/protobuf v1.34.2 // indirect + google.golang.org/protobuf v1.35.1 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gotest.tools/v3 v3.5.1 // indirect - istio.io/api v1.24.0-alpha.0.0.20241018201654-7c8ec5b5ab72 // indirect 
- k8s.io/apiserver v0.31.1 // indirect - k8s.io/component-base v0.31.1 // indirect + istio.io/api v1.24.0-alpha.0.0.20241108002229-2cc3366cdb03 // indirect + k8s.io/apiserver v0.31.2 // indirect + k8s.io/component-base v0.31.2 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 // indirect - k8s.io/kubectl v0.31.1 // indirect + k8s.io/kubectl v0.31.2 // indirect k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 // indirect oras.land/oras-go v1.2.5 // indirect sigs.k8s.io/controller-tools v0.15.0 // indirect diff --git a/go.sum b/go.sum index 98405b31d..5329da4d6 100644 --- a/go.sum +++ b/go.sum @@ -101,8 +101,8 @@ github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= -github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= -github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= +github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= +github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= 
@@ -283,10 +283,10 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.20.1 h1:YlVIbqct+ZmnEph770q9Q7NVAz4wwIiVNahee6JyUzo= -github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= -github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= -github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= +github.com/onsi/ginkgo/v2 v2.20.2 h1:7NVCeyIWROIAheY21RLS+3j2bb52W0W82tkberYytp4= +github.com/onsi/ginkgo/v2 v2.20.2/go.mod h1:K9gyxPIlb+aIvnZ8bd9Ak+YP18w3APlR+5coaZoE2ag= +github.com/onsi/gomega v1.35.0 h1:xuM1M/UvMp9BCdS4hojhS9/4jEuVqS9Er3bqupeaoPM= +github.com/onsi/gomega v1.35.0/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= 
@@ -306,16 +306,16 @@ github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjz github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI= -github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.60.0 h1:+V9PAREWNvJMAuJ1x1BaWl9dewMW4YrHZQbx0sJNllA= -github.com/prometheus/common v0.60.0/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= +github.com/prometheus/common v0.60.1 h1:FUas6GcOw66yB/73KC+BOZoFJmbo/1pojoILArPAaSc= +github.com/prometheus/common v0.60.1/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs 
v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= @@ -381,12 +381,12 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= -go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= -go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= -go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= -go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= -go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= -go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= +go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY= +go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE= +go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE= +go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY= +go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys= +go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= go.starlark.net v0.0.0-20231121155337-90ade8b19d09 h1:hzy3LFnSN8kuQK8h9tHl4ndF6UruMj47OqwqsS+/Ai4= go.starlark.net v0.0.0-20231121155337-90ade8b19d09/go.mod h1:LcLNIzVOMp4oV+uusnpk+VU+SzXaJakUuBjoCSWH5dM= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= 
@@ -401,8 +401,8 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -415,8 +415,8 @@ golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
 golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -436,16 +436,16 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM=
-golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
+golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
+golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -460,14 +460,14 @@ golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 h1:LLhsEBxRTBLuKlQxFBYUO
 golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
 gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f h1:jTm13A2itBi3La6yTGqn8bVSrc3ZZ1r8ENHlIXBfnRA=
-google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f/go.mod h1:CLGoBuH1VHxAUXVPP8FfPwPEVJB6lz3URE5mY2SuayE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f h1:cUMEy+8oS78BWIH9OWazBkzbr090Od9tWBNtZHkOhf0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto/googleapis/api v0.0.0-20241021214115-324edc3d5d38 h1:2oV8dfuIkM1Ti7DwXc0BJfnwr9csz4TDXI9EmiI+Rbw=
+google.golang.org/genproto/googleapis/api v0.0.0-20241021214115-324edc3d5d38/go.mod h1:vuAjtvlwkDKF6L1GQ0SokiRLCGFfeBUXWr/aFFkHACc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 h1:zciRKQ4kBpFgpfC5QQCVtnnNAcLIqweL7plyZRQHVpI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
 google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
 google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
+google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -487,40 +487,40 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c=
-helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps=
-istio.io/api v1.24.0-alpha.0.0.20241018201654-7c8ec5b5ab72 h1:AVg/4p5sVhZT6JwBczgvAy9idbVYiCqZFE/QVXNKy/k=
-istio.io/api v1.24.0-alpha.0.0.20241018201654-7c8ec5b5ab72/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I=
-istio.io/client-go v1.24.0-alpha.0.0.20241018201953-b3ca3b2a6ef6 h1:qVjgBbqg19vZCpeTMQR0QM8SRfLZTtaSXgWbnWRb0fo=
-istio.io/client-go v1.24.0-alpha.0.0.20241018201953-b3ca3b2a6ef6/go.mod h1:usBQZ/vvpGAUA6yGiz6x9ufG50gRC9v0332MesA/lNw=
-istio.io/istio v0.0.0-20241022213331-bb972b546125 h1:mliFVPGvuQ9XCZZIG9fSQsI1AVJqz6MUIWQVAlM3MJI=
-istio.io/istio v0.0.0-20241022213331-bb972b546125/go.mod h1:27Ub5DbzERxmDSo6hWl+/eaSKOmO3UctQ7c0TPtKUFU=
-k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU=
-k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI=
-k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40=
-k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ=
-k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U=
-k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
-k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c=
-k8s.io/apiserver v0.31.1/go.mod h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM=
-k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk=
-k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U=
-k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0=
-k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg=
-k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8=
-k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w=
+helm.sh/helm/v3 v3.16.2 h1:Y9v7ry+ubQmi+cb5zw1Llx8OKHU9Hk9NQ/+P+LGBe2o=
+helm.sh/helm/v3 v3.16.2/go.mod h1:SyTXgKBjNqi2NPsHCW5dDAsHqvGIu0kdNYNH9gQaw70=
+istio.io/api v1.24.0-alpha.0.0.20241108002229-2cc3366cdb03 h1:7NuB6aHrjm7P+4SbF3WKGlDA0rI8J5KUZVc+kz0ZxJk=
+istio.io/api v1.24.0-alpha.0.0.20241108002229-2cc3366cdb03/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I=
+istio.io/client-go v1.24.0-alpha.0.0.20241108002529-3f60d583a76f h1:Izd771gSJV+9kdXhMfnBaLyWFonjBguy4bsxCa9CK/g=
+istio.io/client-go v1.24.0-alpha.0.0.20241108002529-3f60d583a76f/go.mod h1:wdQxjAxPBg0jDH3GvXx7ldB6pG4gUqRBPxxQ/XhWxBk=
+istio.io/istio v0.0.0-20241111230131-b1ee384c11f0 h1:FaOZ/bSRC4AIr8rezKiECQjSBjDjSxyQvY2QVSkuecg=
+istio.io/istio v0.0.0-20241111230131-b1ee384c11f0/go.mod h1:w3lBWR9O0hbjfpx4HirXZ/xKmej/M1Qe7KYYI7P4jDk=
+k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0=
+k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk=
+k8s.io/apiextensions-apiserver v0.31.2 h1:W8EwUb8+WXBLu56ser5IudT2cOho0gAKeTOnywBLxd0=
+k8s.io/apiextensions-apiserver v0.31.2/go.mod h1:i+Geh+nGCJEGiCGR3MlBDkS7koHIIKWVfWeRFiOsUcM=
+k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw=
+k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4=
+k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE=
+k8s.io/cli-runtime v0.31.2 h1:7FQt4C4Xnqx8V1GJqymInK0FFsoC+fAZtbLqgXYVOLQ=
+k8s.io/cli-runtime v0.31.2/go.mod h1:XROyicf+G7rQ6FQJMbeDV9jqxzkWXTYD6Uxd15noe0Q=
+k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc=
+k8s.io/client-go v0.31.2/go.mod h1:NPa74jSVR/+eez2dFsEIHNa+3o09vtNaWwWwb1qSxSs=
+k8s.io/component-base v0.31.2 h1:Z1J1LIaC0AV+nzcPRFqfK09af6bZ4D1nAOpWsy9owlA=
+k8s.io/component-base v0.31.2/go.mod h1:9PeyyFN/drHjtJZMCTkSpQJS3U9OXORnHQqMLDz0sUQ=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 h1:Q8Z7VlGhcJgBHJHYugJ/K/7iB8a2eSxCyxdVjJp+lLY=
 k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
-k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24=
-k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM=
+k8s.io/kubectl v0.31.2 h1:gTxbvRkMBwvTSAlobiTVqsH6S8Aa1aGyBcu5xYLsn8M=
+k8s.io/kubectl v0.31.2/go.mod h1:EyASYVU6PY+032RrTh5ahtSOMgoDRIux9V1JLKtG5xM=
 k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 h1:MDF6h2H/h4tbzmtIKTuctcwZmY0tY9mD9fNT47QO6HI=
 k8s.io/utils v0.0.0-20240921022957-49e7df575cb6/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo=
 oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo=
-sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
-sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
+sigs.k8s.io/controller-runtime v0.19.1 h1:Son+Q40+Be3QWb+niBXAg2vFiYWolDjjRfO8hn/cxOk=
+sigs.k8s.io/controller-runtime v0.19.1/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/controller-tools v0.15.0 h1:4dxdABXGDhIa68Fiwaif0vcu32xfwmgQ+w8p+5CxoAI=
 sigs.k8s.io/controller-tools v0.15.0/go.mod h1:8zUSS2T8Hx0APCNRhJWbS3CAQEbIxLa07khzh7pZmXM=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml index 38a95f1a3..e71e6356f 100644 --- a/resources/latest/charts/base/Chart.yaml +++ b/resources/latest/charts/base/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec +appVersion: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec +version: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e diff --git a/resources/latest/charts/base/files/crd-all.gen.yaml b/resources/latest/charts/base/files/crd-all.gen.yaml index 9777d4595..63389bc3c 100644 --- a/resources/latest/charts/base/files/crd-all.gen.yaml +++ b/resources/latest/charts/base/files/crd-all.gen.yaml @@ -305,6 +305,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -321,8 +327,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -2250,6 +2254,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -2266,8 +2276,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -4167,6 +4175,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -4183,8 +4197,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -6084,6 +6096,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -6100,8 +6118,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -6488,6 +6504,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -6504,8 +6526,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -6743,6 +6763,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -6759,8 +6785,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -6972,6 +6996,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -6988,8 +7018,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -7201,6 +7229,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -7217,8 +7251,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -7349,6 +7381,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -7365,8 +7403,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -7666,6 +7702,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -7682,8 +7724,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -7959,6 +7999,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -7975,8 +8021,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -8252,6 +8296,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -8268,8 +8318,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -8816,6 +8864,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -8832,8 +8886,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -9354,6 +9406,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -9370,8 +9428,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -9892,6 +9948,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -9908,8 +9970,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -10954,6 +11014,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -10970,8 +11036,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -11990,6 +12054,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -12006,8 +12076,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -13026,6 +13094,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -13042,8 +13116,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -13206,6 +13278,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -13222,8 +13300,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -13362,6 +13438,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -13378,8 +13460,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -13518,6 +13598,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -13534,8 +13620,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -13828,6 +13912,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -13844,8 +13934,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -14114,6 +14202,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -14130,8 +14224,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -14400,6 +14492,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -14416,8 +14514,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -14782,6 +14878,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -14798,8 +14900,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -15135,6 +15235,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -15151,8 +15257,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -15321,6 +15425,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -15337,8 +15447,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -15480,6 +15588,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -15496,8 +15610,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. 
@@ -15794,6 +15906,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -15810,8 +15928,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -16081,6 +16197,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -16097,8 +16219,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -16494,6 +16614,11 @@ spec: description: Controls span reporting. nullable: true type: boolean + enableIstioTags: + description: Determines whether or not trace spans generated + by Envoy will include Istio specific tags. + nullable: true + type: boolean match: description: Allows tailoring of behavior to specific conditions. properties: 
@@ -16556,6 +16681,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -16572,8 +16703,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. @@ -16942,6 +17071,11 @@ spec: description: Controls span reporting. nullable: true type: boolean + enableIstioTags: + description: Determines whether or not trace spans generated + by Envoy will include Istio specific tags. + nullable: true + type: boolean match: description: Allows tailoring of behavior to specific conditions. properties: @@ -17004,6 +17138,12 @@ spec: description: Human-readable message indicating details about last transition. type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. @@ -17020,8 +17160,6 @@ spec: anyOf: - type: integer - type: string - description: Resource Generation to which the Reconciled Condition - refers. x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. diff --git a/resources/latest/charts/base/files/profile-compatibility-version-1.24.yaml b/resources/latest/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 000000000..2704a7d95 --- /dev/null +++ b/resources/latest/charts/base/files/profile-compatibility-version-1.24.yaml 
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.24 behavioral changes
+ PILOT_ENABLE_IP_AUTOALLOCATE: "false"
diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml
index 717cd0db3..9ad208aa5 100644
--- a/resources/latest/charts/cni/Chart.yaml
+++ b/resources/latest/charts/cni/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec
+appVersion: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: cni
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec
+version: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
diff --git a/resources/latest/charts/cni/files/profile-compatibility-version-1.24.yaml b/resources/latest/charts/cni/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 000000000..2704a7d95
--- /dev/null
+++ b/resources/latest/charts/cni/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.24 behavioral changes
+ PILOT_ENABLE_IP_AUTOALLOCATE: "false"
diff --git a/resources/latest/charts/cni/templates/configmap-cni.yaml b/resources/latest/charts/cni/templates/configmap-cni.yaml
index 30a0edd9a..39a09fb69 100644
--- a/resources/latest/charts/cni/templates/configmap-cni.yaml
+++ b/resources/latest/charts/cni/templates/configmap-cni.yaml
@@ -28,3 +28,8 @@ data:
 REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }}
 REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }}
 REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }}
+ {{- with .Values.env }}
+ {{- range $key, $val := . }}
+ {{ $key }}: "{{ $val }}"
+ {{- end }}
+ {{- end }}
diff --git a/resources/latest/charts/cni/templates/daemonset.yaml b/resources/latest/charts/cni/templates/daemonset.yaml
index f7d2962e2..2b680b95a 100644
--- a/resources/latest/charts/cni/templates/daemonset.yaml
+++ b/resources/latest/charts/cni/templates/daemonset.yaml
@@ -46,7 +46,10 @@ spec:
 {{ toYaml .Values.podAnnotations | indent 8 }}
 {{- end }}
 spec:
- {{if .Values.ambient.enabled }}hostNetwork: true{{ end }}
+{{if .Values.ambient.enabled }}
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+{{ end }}
 nodeSelector:
 kubernetes.io/os: linux
 # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml
index dc0f8733b..afcbc73c4 100644
--- a/resources/latest/charts/cni/values.yaml
+++ b/resources/latest/charts/cni/values.yaml
@@ -115,7 +115,7 @@ _internal_defaults_do_not_set:
 hub: gcr.io/istio-testing
 # Default tag for Istio images.
- tag: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec
+ tag: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
@@ -144,3 +144,6 @@ _internal_defaults_do_not_set:
 requests:
 cpu: 100m
 memory: 100Mi
+
+ # A `key: value` mapping of environment variables to add to the pod
+ env: {}
diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml
index c07ea834c..5647479de 100644
--- a/resources/latest/charts/gateway/Chart.yaml
+++ b/resources/latest/charts/gateway/Chart.yaml
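Review bot: The `{{ $key }}: "{{ $val }}"` line in the configmap-cni hunk interpolates each value into hand-written double quotes, so a value containing `"` or `\` yields malformed YAML or a silently altered string, and a key that needs quoting is emitted bare. The REPAIR_* entries directly above it use `| quote`, which escapes correctly; the consistent form here is `{{ $key }}: {{ $val | quote }}`. These values come from the operator's own Helm values rather than from an untrusted party, so the consequence is a broken or misleading ConfigMap rather than injection, but the safer form costs nothing. If resources/latest is a verbatim copy of the upstream chart, this should be raised upstream and picked up on the next regeneration rather than edited here.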
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec
+appVersion: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec
+version: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
diff --git a/resources/latest/charts/gateway/files/profile-compatibility-version-1.24.yaml b/resources/latest/charts/gateway/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 000000000..2704a7d95
--- /dev/null
+++ b/resources/latest/charts/gateway/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.24 behavioral changes
+ PILOT_ENABLE_IP_AUTOALLOCATE: "false"
diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml
index ec7285779..4378d7433 100644
--- a/resources/latest/charts/istiod/Chart.yaml
+++ b/resources/latest/charts/istiod/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec
+appVersion: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec
+version: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
diff --git a/resources/latest/charts/istiod/files/profile-compatibility-version-1.24.yaml b/resources/latest/charts/istiod/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 000000000..2704a7d95
--- /dev/null
+++ b/resources/latest/charts/istiod/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.24 behavioral changes
+ PILOT_ENABLE_IP_AUTOALLOCATE: "false"
diff --git a/resources/latest/charts/istiod/files/waypoint.yaml b/resources/latest/charts/istiod/files/waypoint.yaml
index bbe47674b..380ebb9a5 100644
--- a/resources/latest/charts/istiod/files/waypoint.yaml
+++ b/resources/latest/charts/istiod/files/waypoint.yaml
@@ -198,6 +198,10 @@ spec:
 - name: ISTIO_META_MESH_ID
 value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
 {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
 {{- if .Values.global.waypoint.resources }}
 resources:
 {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml
index 57e612e41..c70fadacd 100644
--- a/resources/latest/charts/istiod/values.yaml
+++ b/resources/latest/charts/istiod/values.yaml
@@ -242,7 +242,7 @@ _internal_defaults_do_not_set:
 # Dev builds from prow are on gcr.io
 hub: gcr.io/istio-testing
 # Default tag for Istio images.
- tag: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec
+ tag: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
 variant: ""
diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml
index 048c35a28..2c832bc2b 100644
--- a/resources/latest/charts/ztunnel/Chart.yaml
+++ b/resources/latest/charts/ztunnel/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec
+appVersion: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
 description: Helm chart for istio ztunnel components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: ztunnel
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec
+version: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
diff --git a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
new file mode 100644
index 000000000..2704a7d95
--- /dev/null
+++ b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.24.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.24 behavioral changes
+ PILOT_ENABLE_IP_AUTOALLOCATE: "false"
diff --git a/resources/latest/charts/ztunnel/templates/_helpers.tpl b/resources/latest/charts/ztunnel/templates/_helpers.tpl
new file mode 100644
index 000000000..82740e441
--- /dev/null
+++ b/resources/latest/charts/ztunnel/templates/_helpers.tpl
@@ -0,0 +1 @@
+{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default .Release.Name }}{{ end }}
diff --git a/resources/latest/charts/ztunnel/templates/daemonset.yaml b/resources/latest/charts/ztunnel/templates/daemonset.yaml
index c6e2daf48..bfb74280d 100644
--- a/resources/latest/charts/ztunnel/templates/daemonset.yaml
+++ b/resources/latest/charts/ztunnel/templates/daemonset.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
- name: ztunnel
+ name: {{ include "ztunnel.release-name" . }}
 namespace: {{ .Release.Namespace }}
 labels:
 app.kubernetes.io/name: ztunnel
diff --git a/resources/latest/charts/ztunnel/templates/rbac.yaml b/resources/latest/charts/ztunnel/templates/rbac.yaml
index a9ea6fb6a..21b0e8de3 100644
--- a/resources/latest/charts/ztunnel/templates/rbac.yaml
+++ b/resources/latest/charts/ztunnel/templates/rbac.yaml
@@ -7,7 +7,7 @@ imagePullSecrets:
 {{- end }}
 {{- end }}
 metadata:
- name: ztunnel
+ name: {{ include "ztunnel.release-name" . }}
 namespace: {{ .Release.Namespace }}
 labels:
 app.kubernetes.io/name: ztunnel
@@ -25,10 +25,10 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: ztunnel
+ name: {{ include "ztunnel.release-name" . }}
 labels:
 app: ztunnel
- release: {{ .Release.Name }}
+ release: {{ include "ztunnel.release-name" . }}
 install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
 app.kubernetes.io/name: ztunnel
 {{- include "istio.labels" . | nindent 4}}
@@ -48,10 +48,10 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: ztunnel
+ name: {{ include "ztunnel.release-name" . }}
 labels:
 app: ztunnel
- release: {{ .Release.Name }}
+ release: {{ include "ztunnel.release-name" . }}
 install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
 app.kubernetes.io/name: ztunnel
 {{- include "istio.labels" . | nindent 4}}
@@ -65,10 +65,10 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: ztunnel
+ name: {{ include "ztunnel.release-name" . }}
 subjects:
 - kind: ServiceAccount
- name: ztunnel
+ name: {{ include "ztunnel.release-name" . }}
 namespace: {{ .Release.Namespace }}
 {{- end }}
 ---
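Review bot: In the rbac.yaml ClusterRole and ClusterRoleBinding hunks the `release:` label is switched from `{{ .Release.Name }}` to `{{ include "ztunnel.release-name" . }}`, so whenever `resourceName` is set the label no longer identifies the Helm release that owns these two cluster-scoped objects. Anything that selects or audits RBAC objects by `release=<helm release>` will stop matching them, and the label's meaning now silently depends on a value. Keeping `release: {{ .Release.Name }}` and changing only `name:` would preserve the original semantics; if the override is intended, a comment beside the define in `_helpers.tpl` stating that `release` is deliberately derived from `resourceName` would at least make that explicit. If this chart is a verbatim upstream copy, the point belongs upstream rather than in this repository.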
diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml
index 40d990b1b..5af7cfa2e 100644
--- a/resources/latest/charts/ztunnel/values.yaml
+++ b/resources/latest/charts/ztunnel/values.yaml
@@ -4,7 +4,7 @@ _internal_defaults_do_not_set:
 # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
 hub: gcr.io/istio-testing
 # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
- tag: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec
+ tag: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
 variant: ""
@@ -12,6 +12,10 @@ _internal_defaults_do_not_set:
 # If Image contains a "/", it will replace the entire `image` in the pod.
 image: ztunnel
+ # resourceName, if set, will override the naming of resources. If not set, will default to the release name.
+ # It is recommended to not set this; this is primarily for backwards compatibility.
+ resourceName: ""
+
 # Labels to apply to all top level resources
 labels: {}
 # Annotations to apply to all top level resources
diff --git a/resources/latest/profiles/default.yaml b/resources/latest/profiles/default.yaml
index 1f44cc310..99c686135 100644
--- a/resources/latest/profiles/default.yaml
+++ b/resources/latest/profiles/default.yaml
@@ -8,3 +8,5 @@ spec:
 global:
 istioNamespace: istio-system
 configValidation: true
+ ztunnel:
+ resourceName: ztunnel
diff --git a/resources/v1.22.6/charts/base/Chart.yaml b/resources/v1.22.6/charts/base/Chart.yaml
new file mode 100644
index 000000000..11376a757
--- /dev/null
+++ b/resources/v1.22.6/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+appVersion: 1.22.6
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.22.6
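Review bot: The `ztunnel: resourceName: ztunnel` entry added to resources/latest/profiles/default.yaml carries no comment explaining why the profile pins a value that the chart's own values.yaml, in the hunk just above, recommends leaving unset. It looks like the intent is to keep the fixed `ztunnel` names for the DaemonSet, ServiceAccount and cluster-scoped RBAC objects now that the chart defaults to the Helm release name, but that is an inference from the two hunks rather than something the diff states. A one-line comment such as `# Pin the ztunnel resource name so existing DaemonSet/RBAC object names stay stable across the chart's switch to release-name defaults` would make the reason explicit and tell the next person it is safe to drop once the old names no longer matter.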
diff --git a/resources/v1.22.6/charts/base/README.md b/resources/v1.22.6/charts/base/README.md
new file mode 100644
index 000000000..ae8f6d5b0
--- /dev/null
+++ b/resources/v1.22.6/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/resources/v1.22.6/charts/base/crds/crd-all.gen.yaml b/resources/v1.22.6/charts/base/crds/crd-all.gen.yaml
new file mode 100644
index 000000000..1625d85f9
--- /dev/null
+++ b/resources/v1.22.6/charts/base/crds/crd-all.gen.yaml
@@ -0,0 +1,13051 @@ +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: wasmplugins.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: WasmPlugin + listKind: WasmPluginList + plural: wasmplugins + singular: wasmplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' + properties: + failStrategy: + description: |- + Specifies the failure behavior for the plugin due to fatal errors. + + Valid Options: FAIL_CLOSE, FAIL_OPEN + enum: + - FAIL_CLOSE + - FAIL_OPEN + type: string + imagePullPolicy: + description: |- + The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + + Valid Options: IfNotPresent, Always + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. 
+ maxLength: 253 + minLength: 1 + type: string + match: + description: Specifies the criteria to determine which traffic is + passed to WasmPlugin. + items: + properties: + mode: + description: |- + Criteria for selecting traffic by their direction. + + Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER + enum: + - UNDEFINED + - CLIENT + - SERVER + - CLIENT_AND_SERVER + type: string + ports: + description: Criteria for selecting traffic by their destination + port. + items: + properties: + number: + maximum: 65535 + minimum: 1 + type: integer + required: + - number + type: object + type: array + x-kubernetes-list-map-keys: + - number + x-kubernetes-list-type: map + type: object + type: array + phase: + description: |- + Determines where in the filter chain this `WasmPlugin` is to be injected. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED_PHASE + - AUTHN + - AUTHZ + - STATS + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. + type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + description: The plugin name to be used in the Envoy configuration + (used to be called `rootID`). + maxLength: 256 + minLength: 1 + type: string + priority: + description: Determines ordering of `WasmPlugins` in the same `phase`. + format: int32 + nullable: true + type: integer + selector: + description: Criteria used to select the specific set of pods/VMs + on which this plugin configuration should be applied. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + type: object + type: object + sha256: + description: SHA256 checksum that will be used to verify Wasm module + or OCI container. + pattern: (^$|^[a-f0-9]{64}$) + type: string + targetRef: + properties: + group: + description: group is the group of the target resource. 
+ type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + type: + description: |- + Specifies the type of Wasm Extension to be used. + + Valid Options: HTTP, NETWORK + enum: + - UNSPECIFIED_PLUGIN_TYPE + - HTTP + - NETWORK + type: string + url: + description: URL of a Wasm module or OCI container. + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have schema one of [http, https, file, oci] + rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', + ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && + url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', + ''oci'', ''file''])' + verificationKey: + type: string + vmConfig: + description: Configuration for a Wasm VM. + properties: + env: + description: Specifies environment variables to be injected to + this VM. + items: + properties: + name: + description: Name of the environment variable. + maxLength: 256 + minLength: 1 + type: string + value: + description: Value for the environment variable. + maxLength: 2048 + type: string + valueFrom: + description: |- + Source for the environment variable's value. + + Valid Options: INLINE, HOST + enum: + - INLINE + - HOST + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: value may only be set when valueFrom is INLINE + rule: '(has(self.valueFrom) ? 
self.valueFrom : '''') != ''HOST'' + || !has(self.value)' + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - url + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. 
+ type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. 
+ type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. 
+ items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. 
+ type: string + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. 
+ properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. 
+ type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
+ + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. 
+ maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. 
+ minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' 
+ nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + type: object + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. 
Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' 
+ nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. 
+ format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' 
+ nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + type: object + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. 
Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' 
+ nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. 
+ format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' 
+ nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. 
+ type: object + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + description: |- + Specifies where in the Envoy configuration, the patch should be applied. + + Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. 
+ type: string + portNumber: + description: The service port for which this cluster + was generated. + maximum: 4294967295 + minimum: 0 + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: |- + The specific config generation context to match on. + + Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + maximum: 4294967295 + minimum: 0 + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + description: The next level filter within this + filter to match upon. + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + description: The service port/gateway port to which + traffic is being sent/received. 
+ maximum: 4294967295 + minimum: 0 + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + description: Match on the node metadata supplied by + a proxy when connecting to Istio Pilot. + type: object + proxyVersion: + description: A regular expression in golang regex format + (RE2) that can be used to select proxies using a specific + version of istio proxy. + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + description: The Istio gateway config's namespace/name + for which this route configuration was generated. + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + description: The service port number or gateway server + port number for which this route configuration was + generated. + maximum: 4294967295 + minimum: 0 + type: integer + vhost: + description: Match a specific virtual host in a route + configuration and apply the patch to the virtual host. + properties: + name: + description: The VirtualHosts objects generated + by Istio are named as host:port, where the host + typically corresponds to the VirtualService's + host field or the hostname of a service in the + registry. + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: |- + Match a route with specific action type. + + Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + description: The Route objects generated by + default are named as default. + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. 
+ properties: + filterClass: + description: |- + Determines the filter insertion order. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: |- + Determines how the patch should be applied. + + Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. + format: int32 + type: integer + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this patch configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. 
+ type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. 
+ maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. 
+ maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more + details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + format: int32 + nullable: true + type: integer + environmentVariables: + additionalProperties: + type: string + description: Additional environment variables for the proxy. + type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. 
+ type: string + type: object + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. 
+ + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. 
+ type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. 
+ items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. 
+ items: + properties: + address: + description: Address associated with the network endpoint without + the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. 
+ maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. 
+ type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. 
+ format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). 
+ + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. 
+ type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. 
+ type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. 
+ type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. 
+ items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
+ + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. 
+ maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. 
+ + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. 
+ maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. 
+ type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. 
+ format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. 
+ type: string + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. 
+ + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. 
+ type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. 
+ maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. 
+ items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. 
+ type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. 
+ items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. 
+ items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. 
+ type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. 
+ maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. 
+ items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. 
+ type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. 
+ items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. 
+ items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. 
+ type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. 
+ maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. 
+ items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. 
+ type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. 
+ items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. 
+ items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ maximum: 4294967295 + minimum: 0 + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: '`WorkloadGroup` enables specifying the properties of a single + workload for bootstrap and provides a template for `WorkloadEntry`, + similar to how `Deployment` specifies properties of workloads via `Pod` + templates.' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. 
+ format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. 
See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. 
+ format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. 
Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: '`WorkloadGroup` enables specifying the properties of a single + workload for bootstrap and provides a template for `WorkloadEntry`, + similar to how `Deployment` specifies properties of workloads via `Pod` + templates.' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. 
+ items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. 
+ type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + shortNames: + - ap + singular: authorizationpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: |- + Optional. 
+ + Valid Options: ALLOW, DENY, AUDIT, CUSTOM + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. 
+ items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + required: + - key + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. 
It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. 
+ items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + required: + - key + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. 
+ items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. 
See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. 
See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. 
See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. + type: string + jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. 
+ type: string + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string + required: + - issuer + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. 
See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. + type: string + jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. + type: string + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + type: string + header: + description: The name of the header to be created. 
+ type: string + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string + required: + - issuer + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. 
+ properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. 
+ + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') + == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') + == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. 
+ type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. 
+ items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. 
+ + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. 
+ + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') + == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') + == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + type: object + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: array + tracing: + description: Optional. 
+ items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. 
+ format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} diff --git a/resources/v1.22.6/charts/base/files/profile-ambient.yaml b/resources/v1.22.6/charts/base/files/profile-ambient.yaml new file mode 100644 index 000000000..7b2c18c17 --- /dev/null +++ b/resources/v1.22.6/charts/base/files/profile-ambient.yaml @@ -0,0 +1,21 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" + CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" +cni: + ambient: + enabled: true + +# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel +variant: distroless diff --git a/resources/v1.22.6/charts/base/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.6/charts/base/files/profile-compatibility-version-1.20.yaml new file mode 100644 index 000000000..480718f1c --- /dev/null +++ b/resources/v1.22.6/charts/base/files/profile-compatibility-version-1.20.yaml 
@@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.21 behavioral changes + ENABLE_EXTERNAL_NAME_ALIAS: "false" + PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" + VERIFY_CERTIFICATE_AT_CLIENT: "false" + ENABLE_AUTO_SNI: "false" + + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.22.6/charts/base/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.6/charts/base/files/profile-compatibility-version-1.21.yaml new file mode 100644 index 000000000..a204a7ad4 --- /dev/null +++ b/resources/v1.22.6/charts/base/files/profile-compatibility-version-1.21.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.22.6/charts/base/files/profile-demo.yaml b/resources/v1.22.6/charts/base/files/profile-demo.yaml new file mode 100644 index 000000000..83b9d6b66 --- /dev/null +++ b/resources/v1.22.6/charts/base/files/profile-demo.yaml 
@@ -0,0 +1,73 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/resources/v1.22.6/charts/base/files/profile-openshift-ambient.yaml b/resources/v1.22.6/charts/base/files/profile-openshift-ambient.yaml new file mode 100644 index 000000000..0908fd145 --- /dev/null +++ b/resources/v1.22.6/charts/base/files/profile-openshift-ambient.yaml @@ -0,0 +1,34 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + platform: openshift +cni: + ambient: + enabled: true + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" + variant: distroless + env: + PILOT_ENABLE_AMBIENT: "true" + # Allow sidecars/ingress to send/receive HBONE. This is required for interop. + PILOT_ENABLE_SENDING_HBONE: "true" + PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" + CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" +platform: openshift +variant: distroless +seLinuxOptions: + type: spc_t \ No newline at end of file diff --git a/resources/v1.22.6/charts/base/files/profile-openshift.yaml b/resources/v1.22.6/charts/base/files/profile-openshift.yaml new file mode 100644 index 000000000..18f61b88f --- /dev/null +++ b/resources/v1.22.6/charts/base/files/profile-openshift.yaml 
@@ -0,0 +1,20 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +# CNI must be installed. +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +global: + platform: openshift +pilot: + cni: + enabled: true + provider: "multus" +platform: openshift diff --git a/resources/v1.22.6/charts/base/files/profile-preview.yaml b/resources/v1.22.6/charts/base/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/resources/v1.22.6/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.22.6/charts/base/files/profile-stable.yaml b/resources/v1.22.6/charts/base/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null +++ b/resources/v1.22.6/charts/base/files/profile-stable.yaml 
@@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.22.6/charts/base/templates/NOTES.txt b/resources/v1.22.6/charts/base/templates/NOTES.txt new file mode 100644 index 000000000..f12616f57 --- /dev/null +++ b/resources/v1.22.6/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/v1.22.6/charts/base/templates/crds.yaml b/resources/v1.22.6/charts/base/templates/crds.yaml new file mode 100644 index 000000000..af9901c6e --- /dev/null +++ b/resources/v1.22.6/charts/base/templates/crds.yaml @@ -0,0 +1,3 @@ +{{- if .Values.base.enableCRDTemplates }} +{{ .Files.Get "crds/crd-all.gen.yaml" }} +{{- end }} diff --git a/resources/v1.22.6/charts/base/templates/default.yaml b/resources/v1.22.6/charts/base/templates/default.yaml new file mode 100644 index 000000000..e5b346591 --- /dev/null +++ b/resources/v1.22.6/charts/base/templates/default.yaml 
@@ -0,0 +1,54 @@ +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} diff --git a/resources/v1.22.6/charts/base/templates/endpoints.yaml b/resources/v1.22.6/charts/base/templates/endpoints.yaml new file mode 100644 index 000000000..36575202d --- /dev/null +++ b/resources/v1.22.6/charts/base/templates/endpoints.yaml 
@@ -0,0 +1,23 @@ +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +# if the remotePilotAddress is an IP addr +apiVersion: v1 +kind: Endpoints +metadata: + {{- if .Values.pilot.enabled }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} diff --git a/resources/v1.22.6/charts/base/templates/reader-serviceaccount.yaml b/resources/v1.22.6/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 000000000..d9ce18c27 --- /dev/null +++ b/resources/v1.22.6/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,16 @@ +# This service account aggregates reader permissions for the revisions in a given cluster +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} diff --git a/resources/v1.22.6/charts/base/templates/services.yaml b/resources/v1.22.6/charts/base/templates/services.yaml new file mode 100644 index 000000000..fc1fa1a2f --- /dev/null +++ b/resources/v1.22.6/charts/base/templates/services.yaml 
@@ -0,0 +1,37 @@ +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + {{- if .Values.pilot.enabled }} + # when local istiod is enabled, we can't use istiod service name to reach the remote control plane + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/resources/v1.22.6/charts/base/templates/validatingadmissionpolicy.yaml b/resources/v1.22.6/charts/base/templates/validatingadmissionpolicy.yaml new file mode 100644 index 000000000..2376d995a --- /dev/null +++ b/resources/v1.22.6/charts/base/templates/validatingadmissionpolicy.yaml 
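Review bot: The IP-literal test `regexMatch "^([0-9]*\\.){3}[0-9]*$"` accepts empty octets, so a `remotePilotAddress` such as `1.2.3.` or `...` is classified as an IPv4 address here and in the companion `endpoints.yaml`, which then renders an `Endpoints` object with an invalid `ip:`; tightening it to `"^([0-9]{1,3}\\.){3}[0-9]{1,3}$"` in both templates closes that gap. An IPv6 literal never matches the pattern and falls into the `type: ExternalName` branch with the raw address as `externalName`, which Kubernetes does not treat as an IP — presumably the value is expected to be a hostname or IPv4 only, and if so a comment on `remotePilotAddress` in `values.yaml` stating that would save operators a silent misconfiguration. Since `resources/v1.22.6` mirrors the upstream Istio chart, the regex fix belongs upstream rather than as a local edit to the vendored copy.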
@@ -0,0 +1,51 @@ +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} diff --git a/resources/v1.22.6/charts/base/templates/zzz_profile.yaml b/resources/v1.22.6/charts/base/templates/zzz_profile.yaml new file mode 100644 index 000000000..2d0bd4af7 --- /dev/null +++ b/resources/v1.22.6/charts/base/templates/zzz_profile.yaml 
@@ -0,0 +1,43 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- $globals := $.Values.global | default dict | deepCopy }} +{{- $defaults := $.Values.defaults }} +{{- $_ := unset $.Values "defaults" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults $globals }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.22.6/charts/base/values.yaml b/resources/v1.22.6/charts/base/values.yaml new file mode 100644 index 000000000..88bca4329 --- /dev/null +++ b/resources/v1.22.6/charts/base/values.yaml 
@@ -0,0 +1,40 @@ +defaults: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + + externalIstiod: false + remotePilotAddress: "" + + # Platform where Istio is deployed. Possible values are: "openshift", "gcp". + # An empty value means it is a vanilla Kubernetes distribution, therefore no special + # treatment will be considered. + platform: "" + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + # This is intended only for use with external istiod. + ipFamilyPolicy: "" + ipFamilies: [] + + base: + # Used for helm2 to add the CRDs to templates. + enableCRDTemplates: false + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/resources/v1.22.6/charts/cni/Chart.yaml b/resources/v1.22.6/charts/cni/Chart.yaml new file mode 100644 index 000000000..1c79938b6 --- /dev/null +++ b/resources/v1.22.6/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +appVersion: 1.22.6 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.22.6 diff --git a/resources/v1.22.6/charts/cni/README.md b/resources/v1.22.6/charts/cni/README.md new file mode 100644 index 000000000..a8b78d5bd --- /dev/null 
+++ b/resources/v1.22.6/charts/cni/README.md 
@@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. 
+ +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/resources/v1.22.6/charts/cni/files/profile-ambient.yaml b/resources/v1.22.6/charts/cni/files/profile-ambient.yaml new file mode 100644 index 000000000..7b2c18c17 --- /dev/null +++ b/resources/v1.22.6/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,21 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" + CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" +cni: + ambient: + enabled: true + +# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel +variant: distroless diff --git a/resources/v1.22.6/charts/cni/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.6/charts/cni/files/profile-compatibility-version-1.20.yaml new file mode 100644 index 000000000..480718f1c --- /dev/null +++ b/resources/v1.22.6/charts/cni/files/profile-compatibility-version-1.20.yaml 
@@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.21 behavioral changes + ENABLE_EXTERNAL_NAME_ALIAS: "false" + PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" + VERIFY_CERTIFICATE_AT_CLIENT: "false" + ENABLE_AUTO_SNI: "false" + + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.22.6/charts/cni/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.6/charts/cni/files/profile-compatibility-version-1.21.yaml new file mode 100644 index 000000000..a204a7ad4 --- /dev/null +++ b/resources/v1.22.6/charts/cni/files/profile-compatibility-version-1.21.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.22.6/charts/cni/files/profile-demo.yaml b/resources/v1.22.6/charts/cni/files/profile-demo.yaml new file mode 100644 index 000000000..83b9d6b66 --- /dev/null +++ b/resources/v1.22.6/charts/cni/files/profile-demo.yaml 
@@ -0,0 +1,73 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/resources/v1.22.6/charts/cni/files/profile-openshift-ambient.yaml b/resources/v1.22.6/charts/cni/files/profile-openshift-ambient.yaml new file mode 100644 index 000000000..0908fd145 --- /dev/null +++ b/resources/v1.22.6/charts/cni/files/profile-openshift-ambient.yaml @@ -0,0 +1,34 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + platform: openshift +cni: + ambient: + enabled: true + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" + variant: distroless + env: + PILOT_ENABLE_AMBIENT: "true" + # Allow sidecars/ingress to send/receive HBONE. This is required for interop. + PILOT_ENABLE_SENDING_HBONE: "true" + PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" + CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" +platform: openshift +variant: distroless +seLinuxOptions: + type: spc_t \ No newline at end of file diff --git a/resources/v1.22.6/charts/cni/files/profile-openshift.yaml b/resources/v1.22.6/charts/cni/files/profile-openshift.yaml new file mode 100644 index 000000000..18f61b88f --- /dev/null +++ b/resources/v1.22.6/charts/cni/files/profile-openshift.yaml 
@@ -0,0 +1,20 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +# CNI must be installed. +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +global: + platform: openshift +pilot: + cni: + enabled: true + provider: "multus" +platform: openshift diff --git a/resources/v1.22.6/charts/cni/files/profile-preview.yaml b/resources/v1.22.6/charts/cni/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/resources/v1.22.6/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.22.6/charts/cni/files/profile-stable.yaml b/resources/v1.22.6/charts/cni/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null +++ b/resources/v1.22.6/charts/cni/files/profile-stable.yaml 
@@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.22.6/charts/cni/templates/NOTES.txt b/resources/v1.22.6/charts/cni/templates/NOTES.txt new file mode 100644 index 000000000..fb35525b9 --- /dev/null +++ b/resources/v1.22.6/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/v1.22.6/charts/cni/templates/clusterrole.yaml b/resources/v1.22.6/charts/cni/templates/clusterrole.yaml new file mode 100644 index 000000000..fda1c15fc --- /dev/null +++ b/resources/v1.22.6/charts/cni/templates/clusterrole.yaml 
@@ -0,0 +1,74 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-cni + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq .Values.platform "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.cni.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-cni-repair-role + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.cni.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.cni.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.cni.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. 
So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.cni.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-cni-ambient + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} diff --git a/resources/v1.22.6/charts/cni/templates/clusterrolebinding.yaml b/resources/v1.22.6/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..570f15cfb --- /dev/null +++ b/resources/v1.22.6/charts/cni/templates/clusterrolebinding.yaml 
@@ -0,0 +1,58 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-cni + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cni +subjects: +- kind: ServiceAccount + name: istio-cni + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.cni.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-cni-repair-rolebinding + labels: + k8s-app: istio-cni-repair + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +subjects: +- kind: ServiceAccount + name: istio-cni + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cni-repair-role +{{- end }} +--- +{{- if .Values.cni.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-cni-ambient + labels: + k8s-app: istio-cni-repair + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +subjects: + - kind: ServiceAccount + name: istio-cni + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cni-ambient +{{- end }} \ No newline at end of file diff --git a/resources/v1.22.6/charts/cni/templates/configmap-cni.yaml b/resources/v1.22.6/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 000000000..cf4e020de --- /dev/null +++ b/resources/v1.22.6/charts/cni/templates/configmap-cni.yaml 
@@ -0,0 +1,34 @@ +{{- $defaultBinDir := + (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +kind: ConfigMap +apiVersion: v1 +metadata: + name: istio-cni-config + namespace: {{ .Release.Namespace }} + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +data: + # The CNI network configuration to add to the plugin chain on each node. The special + # values in this config will be automatically populated. + cni_network_config: |- + { + "cniVersion": "0.3.1", + "name": "istio-cni", + "type": "istio-cni", + "log_level": {{ quote .Values.cni.logLevel }}, + "log_uds_address": "__LOG_UDS_ADDRESS__", + {{if .Values.cni.ambient.enabled}}"ambient_enabled": true,{{end}} + "cni_event_address": "__CNI_EVENT_ADDRESS__", + "kubernetes": { + "kubeconfig": "__KUBECONFIG_FILEPATH__", + "cni_bin_dir": {{ .Values.cni.cniBinDir | default $defaultBinDir | quote }}, + "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ] + } + } diff --git a/resources/v1.22.6/charts/cni/templates/daemonset.yaml b/resources/v1.22.6/charts/cni/templates/daemonset.yaml new file mode 100644 index 000000000..51a168457 --- /dev/null +++ b/resources/v1.22.6/charts/cni/templates/daemonset.yaml 
@@ -0,0 +1,234 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +{{- $defaultBinDir := + (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: istio-cni-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: istio-cni-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +spec: + selector: + matchLabels: + k8s-app: istio-cni-node + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: {{ .Values.cni.rollingMaxUnavailable }} + template: + metadata: + labels: + k8s-app: istio-cni-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Custom annotations + {{- if .Values.cni.podAnnotations }} +{{ toYaml .Values.cni.podAnnotations | indent 8 }} + {{- end }} + spec: + {{if .Values.cni.ambient.enabled }}hostNetwork: true{{ end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.cni.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. 
+ - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: istio-cni + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.cni.image }} + image: "{{ .Values.cni.image }}" +{{- else }} + image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: true # always requires privilege to be useful (install node plugin, etc) + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature. + # privileged is redundant with CAP_SYS_ADMIN + # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular + # capabilities we actually require + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod netnamespaces. 
+ # There does not appear to be a more granular capability for this. + - SYS_ADMIN +{{- if .Values.cni.seccompProfile }} + seccompProfile: +{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + env: +{{- if .Values.cni.cniConfFileName }} + # Name of the CNI config file to create. + - name: CNI_CONF_NAME + value: "{{ .Values.cni.cniConfFileName }}" +{{- end }} + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: istio-cni-config + key: cni_network_config + - name: CNI_NET_DIR + value: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} + # Deploy as a standalone CNI plugin or as chained? + - name: CHAINED_CNI_PLUGIN + value: "{{ .Values.cni.chained }}" + - name: REPAIR_ENABLED + value: "{{ .Values.cni.repair.enabled }}" +{{- if .Values.cni.ambient.enabled }} + - name: AMBIENT_DNS_CAPTURE + value: "{{ .Values.cni.ambient.dnsCapture }}" +{{- end }} + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_LABEL_PODS + value: "{{.Values.cni.repair.labelPods}}" + # Set to true to enable pod deletion + - name: REPAIR_DELETE_PODS + value: "{{.Values.cni.repair.deletePods}}" + - name: REPAIR_REPAIR_PODS + value: "{{.Values.cni.repair.repairPods}}" + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + - name: REPAIR_INIT_CONTAINER_NAME + value: "{{ .Values.cni.repair.initContainerName }}" + - name: REPAIR_BROKEN_POD_LABEL_KEY + value: "{{.Values.cni.repair.brokenPodLabelKey}}" + - name: REPAIR_BROKEN_POD_LABEL_VALUE + value: "{{.Values.cni.repair.brokenPodLabelValue}}" + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: LOG_LEVEL 
+ value: {{ .Values.cni.logLevel | quote }} + {{- if .Values.cni.ambient.enabled }} + - name: AMBIENT_ENABLED + value: "true" + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.cni.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.cni.resources }} +{{ toYaml .Values.cni.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. 
+ - name: cni-bin-dir + hostPath: + path: {{ .Values.cni.cniBinDir | default $defaultBinDir }} + {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.cni.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cni.cniNetnsDir | default "/var/run/netns" }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/resources/v1.22.6/charts/cni/templates/network-attachment-definition.yaml b/resources/v1.22.6/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 000000000..1da070baa --- /dev/null +++ b/resources/v1.22.6/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,9 @@ +{{- if eq .Values.cni.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: istio-cni + namespace: default + labels: + operator.istio.io/component: "Cni" +{{- end }} diff --git a/resources/v1.22.6/charts/cni/templates/resourcequota.yaml b/resources/v1.22.6/charts/cni/templates/resourcequota.yaml new file mode 100644 index 000000000..15946ae72 --- /dev/null +++ b/resources/v1.22.6/charts/cni/templates/resourcequota.yaml 
@@ -0,0 +1,16 @@ +{{- if .Values.cni.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: istio-cni-resource-quota + namespace: {{ .Release.Namespace }} +spec: + hard: + pods: {{ .Values.cni.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/resources/v1.22.6/charts/cni/templates/serviceaccount.yaml b/resources/v1.22.6/charts/cni/templates/serviceaccount.yaml new file mode 100644 index 000000000..4645db63a --- /dev/null +++ b/resources/v1.22.6/charts/cni/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istio-cni + namespace: {{ .Release.Namespace }} + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" diff --git a/resources/v1.22.6/charts/cni/templates/zzz_profile.yaml b/resources/v1.22.6/charts/cni/templates/zzz_profile.yaml new file mode 100644 index 000000000..2d0bd4af7 --- /dev/null +++ b/resources/v1.22.6/charts/cni/templates/zzz_profile.yaml 
@@ -0,0 +1,43 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- $globals := $.Values.global | default dict | deepCopy }} +{{- $defaults := $.Values.defaults }} +{{- $_ := unset $.Values "defaults" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults $globals }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.22.6/charts/cni/values.yaml b/resources/v1.22.6/charts/cni/values.yaml new file mode 100644 index 000000000..6c6e504f7 --- /dev/null +++ b/resources/v1.22.6/charts/cni/values.yaml 
@@ -0,0 +1,141 @@ +defaults: + cni: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Configuration log level of istio-cni binary + # by default istio-cni send all logs to UDS server + # if want to see them you need change global.logging.level with cni:debug + logLevel: debug + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI bin and conf dir override settings + # defaults: + cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + # This directory must exist on the node, if it does not, consult your container runtime + # documentation for the appropriate path. + cniNetnsDir: # Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'. + + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. 
+ + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # The number of pods that can be unavailable during rolling update (see + # `updateStrategy.rollingUpdate.maxUnavailable` here: + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + # May be specified as a number of pods or as a percent of the total number + # of pods at the start of the update. + rollingMaxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + + # Default tag for Istio images. 
+ tag: 1.22.6 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: default:info,cni:info + + logAsJson: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi diff --git a/resources/v1.22.6/charts/gateway/Chart.yaml b/resources/v1.22.6/charts/gateway/Chart.yaml new file mode 100644 index 000000000..80c65c8cd --- /dev/null +++ b/resources/v1.22.6/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.22.6 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.22.6 diff --git a/resources/v1.22.6/charts/gateway/README.md b/resources/v1.22.6/charts/gateway/README.md new file mode 100644 index 000000000..5c064d165 --- /dev/null +++ b/resources/v1.22.6/charts/gateway/README.md 
@@ -0,0 +1,170 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. 
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. 
+ +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. 
+ +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/resources/v1.22.6/charts/gateway/files/profile-ambient.yaml b/resources/v1.22.6/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 000000000..7b2c18c17 --- /dev/null +++ b/resources/v1.22.6/charts/gateway/files/profile-ambient.yaml 
@@ -0,0 +1,21 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_META_ENABLE_HBONE: "true"
+global:
+ variant: distroless
+pilot:
+ env:
+ PILOT_ENABLE_AMBIENT: "true"
+ CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+cni:
+ ambient:
+ enabled: true
+
+# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel
+variant: distroless
diff --git a/resources/v1.22.6/charts/gateway/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.6/charts/gateway/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 000000000..480718f1c
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.21 behavioral changes
+ ENABLE_EXTERNAL_NAME_ALIAS: "false"
+ PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+ VERIFY_CERTIFICATE_AT_CLIENT: "false"
+ ENABLE_AUTO_SNI: "false"
+
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.22.6/charts/gateway/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.6/charts/gateway/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..a204a7ad4
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.22.6/charts/gateway/files/profile-demo.yaml b/resources/v1.22.6/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 000000000..83b9d6b66
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,73 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/resources/v1.22.6/charts/gateway/files/profile-openshift-ambient.yaml b/resources/v1.22.6/charts/gateway/files/profile-openshift-ambient.yaml new file mode 100644 index 000000000..0908fd145 --- /dev/null +++ b/resources/v1.22.6/charts/gateway/files/profile-openshift-ambient.yaml @@ -0,0 +1,34 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + platform: openshift +cni: + ambient: + enabled: true + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" + variant: distroless + env: + PILOT_ENABLE_AMBIENT: "true" + # Allow sidecars/ingress to send/receive HBONE. This is required for interop. + PILOT_ENABLE_SENDING_HBONE: "true" + PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" + CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" +platform: openshift +variant: distroless +seLinuxOptions: + type: spc_t \ No newline at end of file diff --git a/resources/v1.22.6/charts/gateway/files/profile-openshift.yaml b/resources/v1.22.6/charts/gateway/files/profile-openshift.yaml new file mode 100644 index 000000000..18f61b88f --- /dev/null +++ b/resources/v1.22.6/charts/gateway/files/profile-openshift.yaml 
@@ -0,0 +1,20 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+ cniBinDir: /var/lib/cni/bin
+ cniConfDir: /etc/cni/multus/net.d
+ chained: false
+ cniConfFileName: "istio-cni.conf"
+ logLevel: info
+ provider: "multus"
+global:
+ platform: openshift
+pilot:
+ cni:
+ enabled: true
+ provider: "multus"
+platform: openshift
diff --git a/resources/v1.22.6/charts/gateway/files/profile-preview.yaml b/resources/v1.22.6/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 000000000..181d7bda2
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # Enable Istio agent to handle DNS requests for known hosts
+ # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+ ISTIO_META_DNS_CAPTURE: "true"
diff --git a/resources/v1.22.6/charts/gateway/files/profile-stable.yaml b/resources/v1.22.6/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 000000000..358282e69
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+ stableValidationPolicy: true
diff --git a/resources/v1.22.6/charts/gateway/templates/NOTES.txt b/resources/v1.22.6/charts/gateway/templates/NOTES.txt
new file mode 100644
index 000000000..fd0142911
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+ $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+ $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+ * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+ * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/resources/v1.22.6/charts/gateway/templates/_helpers.tpl b/resources/v1.22.6/charts/gateway/templates/_helpers.tpl
new file mode 100644
index 000000000..a777d43bc
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/templates/_helpers.tpl
@@ -0,0 +1,61 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+ {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+ {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gateway.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+helm.sh/chart: {{ include "gateway.chart" . }}
+{{ include "gateway.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ include "gateway.name" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if not (or (eq $key "app") (eq $key "istio")) }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.podLabels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if not (or (eq $key "app") (eq $key "istio")) }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+{{- if hasKey .Values.labels "app" }}
+{{- with .Values.labels.app }}app: {{.|quote}}
+{{- end}}
+{{- else }}app: {{ include "gateway.name" . }}
+{{- end }}
+{{- if hasKey .Values.labels "istio" }}
+{{- with .Values.labels.istio }}
+istio: {{.|quote}}
+{{- end}}
+{{- else }}
+istio: {{ include "gateway.name" . | trimPrefix "istio-" }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .) }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/resources/v1.22.6/charts/gateway/templates/deployment.yaml b/resources/v1.22.6/charts/gateway/templates/deployment.yaml new file mode 100644 index 000000000..c8dc4848c --- /dev/null +++ b/resources/v1.22.6/charts/gateway/templates/deployment.yaml 
@@ -0,0 +1,111 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4}}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ {{- with .Values.replicaCount }}
+ replicas: {{ . }}
+ {{- end }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "gateway.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ sidecar.istio.io/inject: "true"
+ {{- with .Values.revision }}
+ istio.io/rev: {{ . | quote }}
+ {{- end }}
+ {{- include "gateway.podLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+ securityContext:
+ {{- if .Values.securityContext }}
+ {{- toYaml .Values.securityContext | nindent 8 }}
+ {{- else }}
+ # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
+ {{- end }}
+ {{- with .Values.volumes }}
+ volumes:
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: istio-proxy
+ # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+ image: auto
+ {{- with .Values.imagePullPolicy }}
+ imagePullPolicy: {{ . 
}}
+ {{- end }}
+ securityContext:
+ {{- if .Values.containerSecurityContext }}
+ {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+ {{- else }}
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ {{- if not (eq .Values.platform "openshift") }}
+ runAsUser: 1337
+ runAsGroup: 1337
+ {{- end }}
+ runAsNonRoot: true
+ {{- end }}
+ env:
+ {{- with .Values.networkGateway }}
+ - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+ value: "{{.}}"
+ {{- end }}
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: {{ $val | quote }}
+ {{- end }}
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.volumeMounts }}
+ volumeMounts:
+ {{ toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+ {{- with .Values.priorityClassName }}
+ priorityClassName: {{ . }}
+ {{- end }}
diff --git a/resources/v1.22.6/charts/gateway/templates/hpa.yaml b/resources/v1.22.6/charts/gateway/templates/hpa.yaml
new file mode 100644
index 000000000..1b0f9366b
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/templates/hpa.yaml
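Review bot: Both security contexts in this template are all-or-nothing: any non-empty `.Values.securityContext` or `.Values.containerSecurityContext` replaces the hardened defaults (`drop: [ALL]`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`, and at pod level the `net.ipv4.ip_unprivileged_port_start` sysctl) instead of merging with them, so an operator who only wants to add, say, a `seccompProfile` silently loses the rest, and per the values.yaml comment in this same commit a pod-level override that omits the sysctl can no longer bind 80/443 unprivileged. This is a vendored upstream chart, so a real merge (`mustMergeOverwrite` of the default dict with the user value) belongs upstream, but the copy should at least warn: above `{{- if .Values.containerSecurityContext }}` add `# NOTE: a non-empty override REPLACES the hardened defaults below; restate them when customizing`, and the same line above the pod-level `{{- if .Values.securityContext }}`. The values.schema.json in this commit also accepts `null` for both keys, which takes the default branch, so `{}`/null is the safe way to keep the hardening.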
@@ -0,0 +1,38 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4 }}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: {{ .Values.kind | default "Deployment" }}
+ name: {{ include "gateway.name" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ type: Utilization
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ type: Utilization
+ {{- end }}
+ {{- if .Values.autoscaling.autoscaleBehavior }}
+ behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/resources/v1.22.6/charts/gateway/templates/poddisruptionbudget.yaml b/resources/v1.22.6/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..77f71e7fa
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.podDisruptionBudget }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4}}
+spec:
+ selector:
+ matchLabels:
+ {{- include "gateway.selectorLabels" . | nindent 6 }}
+ {{- with .Values.podDisruptionBudget }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+{{- end }}
diff --git a/resources/v1.22.6/charts/gateway/templates/role.yaml b/resources/v1.22.6/charts/gateway/templates/role.yaml
new file mode 100644
index 000000000..c8a25cb72
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/templates/role.yaml
@@ -0,0 +1,33 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4}}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4}}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/resources/v1.22.6/charts/gateway/templates/service.yaml b/resources/v1.22.6/charts/gateway/templates/service.yaml
new file mode 100644
index 000000000..9177d2a11
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/templates/service.yaml
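Review bot: The Role grants `get`/`list`/`watch` on every Secret in the release namespace, not only the gateway's TLS secrets, and the RoleBinding subject is whatever `gateway.serviceAccountName` resolves to; in the `_helpers.tpl` added by this same commit that helper falls back to `"default"` when `serviceAccount.create` is false and no name is set, so with `rbac.enabled: true` (the values.yaml default) the namespace's `default` ServiceAccount, shared by every pod that does not declare one, would gain read access to all secrets there. If the gateway is installed into the control-plane namespace the same grant covers whatever secrets are kept alongside istiod. This is a vendored upstream chart copy, so narrowing it (a `resourceNames` list, or refusing the `default` SA) belongs upstream or in how the operator renders the chart, but the copy should at least state the blast radius: above `{{- if .Values.rbac.enabled }}` add `{{/* NOTE: grants read of ALL secrets in this namespace to the bound SA; with serviceAccount.create=false and no name that is the namespace 'default' SA */}}`, and point users to `rbac.enabled=false` when using Gateway API as the first comment already hints.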
@@ -0,0 +1,64 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4 }}
+ {{- with .Values.networkGateway }}
+ topology.istio.io/network: "{{.}}"
+ {{- end }}
+ annotations:
+ {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+ loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+ {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+ allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+ {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+ ipFamilies:
+{{- range .Values.service.ipFamilies }}
+ - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+ externalTrafficPolicy: "{{ . }}"
+{{- end }}
+ type: {{ .Values.service.type }}
+ ports:
+{{- if .Values.networkGateway }}
+ - name: status-port
+ port: 15021
+ targetPort: 15021
+ - name: tls
+ port: 15443
+ targetPort: 15443
+ - name: tls-istiod
+ port: 15012
+ targetPort: 15012
+ - name: tls-webhook
+ port: 15017
+ targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+ externalIPs: {{- range .Values.service.externalIPs }}
+ - {{.}}
+ {{- end }}
+{{- end }}
+ selector:
+ {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/resources/v1.22.6/charts/gateway/templates/serviceaccount.yaml b/resources/v1.22.6/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 000000000..e5b2304d6
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gateway.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/resources/v1.22.6/charts/gateway/templates/zzz_profile.yaml b/resources/v1.22.6/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 000000000..2d0bd4af7
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,43 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $globals := $.Values.global | default dict | deepCopy }}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+# Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/v1.22.6/charts/gateway/values.schema.json b/resources/v1.22.6/charts/gateway/values.schema.json
new file mode 100644
index 000000000..4c4f0836d
--- /dev/null
+++ b/resources/v1.22.6/charts/gateway/values.schema.json 
@@ -0,0 +1,301 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "additionalProperties": false, + "$defs": { + "values": { + "type": "object", + "properties": { + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": 
"object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": 
"string" + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/resources/v1.22.6/charts/gateway/values.yaml b/resources/v1.22.6/charts/gateway/values.yaml new file mode 100644 index 000000000..1432f4d7b --- /dev/null +++ b/resources/v1.22.6/charts/gateway/values.yaml 
@@ -0,0 +1,152 @@ +defaults: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). 
+ # allocateLoadBalancerNodePorts: false + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Labels to apply to all resources + labels: {} + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. 
+ # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/resources/v1.22.6/charts/istiod/Chart.yaml b/resources/v1.22.6/charts/istiod/Chart.yaml new file mode 100644 index 000000000..7152d93cc --- /dev/null +++ b/resources/v1.22.6/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +appVersion: 1.22.6 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.22.6 diff --git a/resources/v1.22.6/charts/istiod/README.md b/resources/v1.22.6/charts/istiod/README.md new file mode 100644 index 000000000..ddbfbc8fe --- /dev/null +++ b/resources/v1.22.6/charts/istiod/README.md 
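Review bot: The shipped defaults `service.type: LoadBalancer`, `loadBalancerSourceRanges: []` and `externalTrafficPolicy: ""` mean a plain `helm install` of this chart provisions an externally reachable load balancer that accepts traffic from any source address, with the platform's default traffic policy, before any Gateway, VirtualService or AuthorizationPolicy exists; nothing in the values file says so. This is the upstream default and the file is a vendored copy, so I would not change the values here, but the empty settings deserve a comment on what they mean: next to `loadBalancerSourceRanges: []` add `# empty = accept connections from any source; set CIDRs for non-public gateways`, and next to `externalTrafficPolicy: ""` add `# set to Local if client source IPs must survive to the proxy (ip-based policy, access logs)`. Whether source IPs are otherwise preserved depends on the cloud provider and kube-proxy mode, so the second comment should stay hedged as written.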
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+ accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/resources/v1.22.6/charts/istiod/files/gateway-injection-template.yaml b/resources/v1.22.6/charts/istiod/files/gateway-injection-template.yaml
new file mode 100644
index 000000000..90a6841ea
--- /dev/null
+++ b/resources/v1.22.6/charts/istiod/files/gateway-injection-template.yaml
@@ -0,0 +1,250 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+ labels:
+ service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
+ service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
+ annotations: {
+ istio.io/rev: {{ .Revision | default "default" | quote }},
+ {{- if eq (len $containers) 1 }}
+ kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+ kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+ {{ end }}
+ }
+spec:
+ securityContext:
+ {{- if .Values.gateways.securityContext }}
+ {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+ {{- else }}
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
+ {{- end }}
+ containers:
+ - name: istio-proxy
+ {{- if contains "/" .Values.global.proxy.image }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .ProxyImage }}"
+ {{- end }}
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+ - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel`
.Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ {{- if .Values.global.proxy.lifecycle }}
+ lifecycle:
+ {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+ {{- end }}
+ securityContext:
+ runAsUser: {{ .ProxyUID | default "1337" }}
+ runAsGroup: {{ .ProxyGID | default "1337" }}
+ env:
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: ISTIO_CPU_LIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ - name: GOMAXPROCS
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ {{- if .CompliancePolicy }}
+ - name: COMPLIANCE_POLICY
+ value: "{{ .CompliancePolicy }}"
+ {{- end }}
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value:
"{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: "{{ .ProxyConfig.InterceptionMode.String }}"
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+ {{ end }}
+ {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ .
}}"
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /var/run/secrets/workload-spiffe-uds
+ - name: credential-socket
+ mountPath: /var/run/secrets/credential-uds
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ readOnly: true
+ {{- else }}
+ - name: workload-certs
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # SDS channel between istioagent and Envoy
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ volumes:
+ - emptyDir: {}
+ name: workload-socket
+ - emptyDir: {}
+ name: credential-socket
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ csi:
+ driver: workloadcertificates.security.cloud.google.com
+ {{- else}}
+ - emptyDir: {}
+ name: workload-certs
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ if eq .Spec.ServiceAccountName "" }}
+ secretName: istio.default
+ {{ else -}}
+ secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
+ {{ end -}}
+ {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
diff --git a/resources/v1.22.6/charts/istiod/files/grpc-agent.yaml b/resources/v1.22.6/charts/istiod/files/grpc-agent.yaml
new file mode 100644
index 000000000..7290fcdca
--- /dev/null
+++ b/resources/v1.22.6/charts/istiod/files/grpc-agent.yaml
@@ -0,0 +1,310 @@
+{{- define "resources" }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+ requests:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+ {{ end }}
+ {{- end }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ limits:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+ {{ end }}
+ {{- end }}
+ {{- else }}
+ {{- if .Values.global.proxy.resources }}
+ {{ toYaml .Values.global.proxy.resources | indent 6 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+ labels:
+ {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically.
*/}}
+ service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
+ service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
+ annotations: {
+ istio.io/rev: {{ .Revision | default "default" | quote }},
+ {{- if ge (len $containers) 1 }}
+ {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+ kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+ {{- end }}
+ {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+ kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+ {{- end }}
+ {{- end }}
+ sidecar.istio.io/rewriteAppHTTPProbers: "false",
+ }
+spec:
+ containers:
+ - name: istio-proxy
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .ProxyImage }}"
+ {{- end }}
+ ports:
+ - containerPort: 15020
+ protocol: TCP
+ name: mesh-metrics
+ args:
+ - proxy
+ - sidecar
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+ - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if
.Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - pilot-agent
+ - wait
+ - --url=http://localhost:15020/healthz/ready
+ env:
+ - name: ISTIO_META_GENERATOR
+ value: grpc
+ - name: OUTPUT_CERTS
+ value: /var/lib/istio/data
+ {{- if eq .InboundTrafficPolicyMode "localhost" }}
+ - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+ value: "true"
+ {{- end }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+
{{ end }}
+ {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ # grpc uses xds:/// to resolve – no need to resolve VIP
+ - name: ISTIO_META_DNS_CAPTURE
+ value: "false"
+ - name: DISABLE_ENVOY
+ value: "true"
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: 15020
+ initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+ resources:
+ {{ template "resources" .
}}
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /var/run/secrets/workload-spiffe-uds
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ readOnly: true
+ {{- else }}
+ - name: workload-certs
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - mountPath: /etc/istio/proxy
+ name: istio-xds
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+ {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 6 }}
+ {{ end }}
+ {{- end }}
+{{- range $index, $container := .Spec.Containers }}
+{{ if not (eq $container.Name "istio-proxy") }}
+ - name: {{ $container.Name }}
+ env:
+ - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+ value: "true"
+ - name: "GRPC_XDS_BOOTSTRAP"
+ value: "/etc/istio/proxy/grpc-bootstrap.json"
+ volumeMounts:
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - mountPath: /etc/istio/proxy
+ name: istio-xds
+ {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ readOnly: true
+ {{- else }}
+ - name: workload-certs
+ mountPath:
/var/run/secrets/workload-spiffe-credentials
+ {{- end }}
+{{- end }}
+{{- end }}
+ volumes:
+ - emptyDir:
+ name: workload-socket
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ csi:
+ driver: workloadcertificates.security.cloud.google.com
+ {{- else }}
+ - emptyDir:
+ name: workload-certs
+ {{- end }}
+ {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - name: custom-bootstrap-volume
+ configMap:
+ name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - emptyDir:
+ medium: Memory
+ name: istio-xds
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ if eq .Spec.ServiceAccountName "" }}
+ secretName: istio.default
+ {{ else -}}
+ secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
+ {{ end -}}
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+ {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 4 }}
+ {{ end }}
+ {{ end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
diff --git a/resources/v1.22.6/charts/istiod/files/grpc-simple.yaml b/resources/v1.22.6/charts/istiod/files/grpc-simple.yaml
new file mode 100644
index 000000000..9ba0c7a46
--- /dev/null
+++ b/resources/v1.22.6/charts/istiod/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+ annotations:
+ sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+ initContainers:
+ - name: grpc-bootstrap-init
+ image: busybox:1.28
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ env:
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ISTIO_NAMESPACE
+ value: |
+ {{ .Values.global.istioNamespace }}
+ command:
+ - sh
+ - "-c"
+ - |-
+ NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+ SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+ echo '
+ {
+ "xds_servers": [
+ {
+ "server_uri": "'${SERVER_URI}'",
+ "channel_creds": [{"type": "insecure"}],
+ "server_features" : ["xds_v3"]
+ }
+ ],
+ "node": {
+ "id": "'${NODE_ID}'",
+ "metadata": {
+ "GENERATOR": "grpc"
+ }
+ }
+ }' > /var/lib/grpc/data/bootstrap.json
+ containers:
+ {{- range $index, $container := .Spec.Containers }}
+ - name: {{ $container.Name }}
+ env:
+ - name: GRPC_XDS_BOOTSTRAP
+ value: /var/lib/grpc/data/bootstrap.json
+ - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+ value: "99"
+ - name: GRPC_GO_LOG_SEVERITY_LEVEL
+ value: info
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ {{- end }}
+ volumes:
+ - name: grpc-io-proxyless-bootstrap
+ emptyDir: {}
diff --git a/resources/v1.22.6/charts/istiod/files/injection-template.yaml b/resources/v1.22.6/charts/istiod/files/injection-template.yaml
new file mode 100644
index 000000000..248b7ad2f
--- /dev/null
+++ b/resources/v1.22.6/charts/istiod/files/injection-template.yaml
@@ -0,0 +1,542 @@
+{{- define "resources" }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+ requests:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+ {{ end }}
+ {{- end }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ limits:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+ {{ end }}
+ {{- end }}
+ {{- else }}
+ {{- if .Values.global.proxy.resources }}
+ {{ toYaml .Values.global.proxy.resources | indent 6 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+ labels:
+ security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
+ {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+ networking.istio.io/tunnel: {{ index
.ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }}
+ {{- end }}
+ service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }}
+ service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
+ annotations: {
+ istio.io/rev: {{ .Revision | default "default" | quote }},
+ {{- if ge (len $containers) 1 }}
+ {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+ kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+ {{- end }}
+ {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+ kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+ {{- end }}
+ {{- end }}
+{{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }}
+ {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}}
+ k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+ {{- end }}
+ sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+ {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+ {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+ {{ with annotation .ObjectMeta
`traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }}
+ traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+ {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+ traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+ {{- end }}
+ {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+ traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+ {{- end }}
+ {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+ {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+ }
+spec:
+ {{- $holdProxy := and
+ (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+ (not $nativeSidecar) }}
+ initContainers:
+ {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+ {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}}
+ - name: istio-validation
+ {{ else -}}
+ - name: istio-init
+ {{ end -}}
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+ image: "{{
annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+ {{- else }}
+ image: "{{ .ProxyImage }}"
+ {{- end }}
+ args:
+ - istio-iptables
+ - "-p"
+ - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+ - "-z"
+ - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+ - "-u"
+ - {{ .ProxyUID | default "1337" | quote }}
+ - "-m"
+ - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+ - "-i"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+ - "-x"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+ - "-b"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+ - "-d"
+ {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+ - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+ {{- else }}
+ - "15090,15021"
+ {{- end }}
+ {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+ - "-q"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+ {{ end -}}
+ {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+ - "-o"
+ - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts`
.Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . 
}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsUser: {{ .ProxyUID | default "1337" }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + resources: + {{ template "resources" . 
}} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. 
*/}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: 
ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta 
`sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . 
}} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + {{- if eq .Values.global.pilotCertProvider "kubernetes" }} + - mountPath: /var/run/secrets/istio/kubernetes + name: kube-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if eq .Values.global.pilotCertProvider "kubernetes" }} + - name: kube-ca-cert + configMap: + name: kube-root-ca.crt + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to 
/etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/resources/v1.22.6/charts/istiod/files/kube-gateway.yaml b/resources/v1.22.6/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 000000000..c121cb652 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/files/kube-gateway.yaml 
@@ -0,0 +1,356 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "istio.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "istio.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + 
"sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "istio.io/gateway-name" .Name + ) | nindent 8 }} + spec: + {{- if ge .KubeVersion 122 }} + {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + {{- if ge .KubeVersion 122 }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + {{- else }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 0 + runAsGroup: 1337 + runAsNonRoot: false + allowPrivilegeEscalation: true + readOnlyRootFilesystem: true + {{- end }} + ports: + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - 
--proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: 
spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: 
/var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "istio.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- diff --git a/resources/v1.22.6/charts/istiod/files/profile-ambient.yaml b/resources/v1.22.6/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 000000000..7b2c18c17 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/files/profile-ambient.yaml 
@@ -0,0 +1,21 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" + CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" +cni: + ambient: + enabled: true + +# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel +variant: distroless diff --git a/resources/v1.22.6/charts/istiod/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.6/charts/istiod/files/profile-compatibility-version-1.20.yaml new file mode 100644 index 000000000..480718f1c --- /dev/null +++ b/resources/v1.22.6/charts/istiod/files/profile-compatibility-version-1.20.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.21 behavioral changes + ENABLE_EXTERNAL_NAME_ALIAS: "false" + PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" + VERIFY_CERTIFICATE_AT_CLIENT: "false" + ENABLE_AUTO_SNI: "false" + + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.22.6/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.6/charts/istiod/files/profile-compatibility-version-1.21.yaml new file mode 100644 index 000000000..a204a7ad4 --- /dev/null 
+++ b/resources/v1.22.6/charts/istiod/files/profile-compatibility-version-1.21.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.22.6/charts/istiod/files/profile-demo.yaml b/resources/v1.22.6/charts/istiod/files/profile-demo.yaml new file mode 100644 index 000000000..83b9d6b66 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/files/profile-demo.yaml 
@@ -0,0 +1,73 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/resources/v1.22.6/charts/istiod/files/profile-openshift-ambient.yaml b/resources/v1.22.6/charts/istiod/files/profile-openshift-ambient.yaml new file mode 100644 index 000000000..0908fd145 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/files/profile-openshift-ambient.yaml @@ -0,0 +1,34 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + platform: openshift +cni: + ambient: + enabled: true + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" + variant: distroless + env: + PILOT_ENABLE_AMBIENT: "true" + # Allow sidecars/ingress to send/receive HBONE. This is required for interop. + PILOT_ENABLE_SENDING_HBONE: "true" + PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" + CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" +platform: openshift +variant: distroless +seLinuxOptions: + type: spc_t \ No newline at end of file diff --git a/resources/v1.22.6/charts/istiod/files/profile-openshift.yaml b/resources/v1.22.6/charts/istiod/files/profile-openshift.yaml new file mode 100644 index 000000000..18f61b88f --- /dev/null +++ b/resources/v1.22.6/charts/istiod/files/profile-openshift.yaml 
@@ -0,0 +1,20 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +# CNI must be installed. +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +global: + platform: openshift +pilot: + cni: + enabled: true + provider: "multus" +platform: openshift diff --git a/resources/v1.22.6/charts/istiod/files/profile-preview.yaml b/resources/v1.22.6/charts/istiod/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.22.6/charts/istiod/files/profile-stable.yaml b/resources/v1.22.6/charts/istiod/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/files/profile-stable.yaml 
@@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.22.6/charts/istiod/files/waypoint.yaml b/resources/v1.22.6/charts/istiod/files/waypoint.yaml new file mode 100644 index 000000000..8613330c3 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/files/waypoint.yaml 
@@ -0,0 +1,307 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "istio.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "istio.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} 
+ labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "istio.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- 
else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + resources: + limits: + cpu: "2" + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + startupProbe: + 
failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + runAsGroup: 1337 + runAsUser: 1337 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "istio.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- diff --git a/resources/v1.22.6/charts/istiod/templates/NOTES.txt b/resources/v1.22.6/charts/istiod/templates/NOTES.txt new file mode 100644 index 000000000..1acb4dbf9 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/NOTES.txt 
@@ -0,0 +1,75 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: +{{- $profile := default "" .Values.profile }} +{{- if (eq $profile "ambient") }} + * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ + * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ +{{- else }} + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ +{{- end }} + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + 
"global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. 
+{{- end }} +{{- end }} +{{- + $failDeps := dict + "telemetry.v2.prometheus.configOverride" + "telemetry.v2.stackdriver.configOverride" + "telemetry.v2.stackdriver.disableOutbound" + "telemetry.v2.stackdriver.outboundAccessLogging" +}} +{{- range $dep, $replace := $failDeps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +{{fail (print $dep " is removed")}} +{{- end }} +{{- end }} diff --git a/resources/v1.22.6/charts/istiod/templates/_helpers.tpl b/resources/v1.22.6/charts/istiod/templates/_helpers.tpl new file mode 100644 index 000000000..47b89a403 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} \ No newline at end of file diff --git a/resources/v1.22.6/charts/istiod/templates/autoscale.yaml b/resources/v1.22.6/charts/istiod/templates/autoscale.yaml new file mode 100644 index 000000000..91311d08d --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/autoscale.yaml 
@@ -0,0 +1,39 @@ +{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" +spec: + maxReplicas: {{ .Values.pilot.autoscaleMax }} + minReplicas: {{ .Values.pilot.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} + {{- if .Values.pilot.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.pilot.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.pilot.autoscaleBehavior }} + behavior: {{ toYaml .Values.pilot.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} diff --git a/resources/v1.22.6/charts/istiod/templates/clusterrole.yaml b/resources/v1.22.6/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 000000000..a68c11451 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/clusterrole.yaml 
@@ -0,0 +1,157 @@ +{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update"] + # TODO: should be on just */status but wildcard is not supported + resources: ["*"] + + # Needed because status reporter sets the config map owner reference to the istiod pod + - apiGroups: [""] + verbs: ["update"] + resources: ["pods/finalizers"] +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD 
definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.pilot.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . 
| quote }} +{{- end }} + verbs: ["approve"] +{{- end}} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] 
+ resources: [ "serviceaccounts"] +{{- end }} diff --git a/resources/v1.22.6/charts/istiod/templates/clusterrolebinding.yaml b/resources/v1.22.6/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..f6e425210 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,33 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} \ No newline at end of file diff --git a/resources/v1.22.6/charts/istiod/templates/configmap-jwks.yaml b/resources/v1.22.6/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 000000000..b4c49dfa7 --- /dev/null 
+++ b/resources/v1.22.6/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,14 @@ +{{- if .Values.pilot.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" +data: + extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }} +{{- end }} diff --git a/resources/v1.22.6/charts/istiod/templates/configmap.yaml b/resources/v1.22.6/charts/istiod/templates/configmap.yaml new file mode 100644 index 000000000..b7f11e23c --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/configmap.yaml 
@@ -0,0 +1,112 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." 
.Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} + {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} +{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + {{- if .Values.pilot.enabled }} + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . 
| fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.pilot.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/resources/v1.22.6/charts/istiod/templates/deployment.yaml b/resources/v1.22.6/charts/istiod/templates/deployment.yaml new file mode 100644 index 000000000..eabe69d1c --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/deployment.yaml 
@@ -0,0 +1,257 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} +{{- range $key, $val := .Values.pilot.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.pilot.autoscaleEnabled }} +{{- if .Values.pilot.replicaCount }} + replicas: {{ .Values.pilot.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.pilot.rollingMaxSurge }} + maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.pilot.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + {{- end }} + sidecar.istio.io/inject: "false" + {{- if .Values.pilot.podAnnotations }} +{{ toYaml .Values.pilot.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.pilot.nodeSelector }} + nodeSelector: +{{ toYaml .Values.pilot.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.pilot.affinity }} + affinity: +{{- 
toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.pilot.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.pilot.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.pilot.image }} + image: "{{ .Values.pilot.image }}" +{{- else }} + image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}{{with (.Values.pilot.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.pilot.taint.namespace }} + - --cniNamespace={{ .Values.pilot.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}" +{{- if .Values.pilot.extraContainerArgs }} + {{- with .Values.pilot.extraContainerArgs }} + {{- toYaml . 
| nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + {{- if .Values.pilot.env }} + {{- range $key, $val := .Values.pilot.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} +{{- if .Values.pilot.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.pilot.traceSampling }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PLATFORM + value: "{{ .Values.global.platform }}" + resources: +{{- if .Values.pilot.resources }} +{{ toYaml .Values.pilot.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.pilot.seccompProfile }} + seccompProfile: +{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: 
/var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.pilot.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.pilot.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + configMap: + name: istio-ca-root-cert + defaultMode: 420 + optional: true + {{- if .Values.pilot.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.pilot.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- diff --git a/resources/v1.22.6/charts/istiod/templates/istiod-injector-configmap.yaml b/resources/v1.22.6/charts/istiod/templates/istiod-injector-configmap.yaml new file mode 100644 index 000000000..24416c488 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/istiod-injector-configmap.yaml 
@@ -0,0 +1,80 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ $vals := pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" -}} +{{ $pilotVals := pick .Values.pilot "cni" -}} +{{ $vals = set $vals "pilot" $pilotVals -}} +{{ $gatewayVals := pick .Values.gateways "securityContext" -}} +{{ $vals = set $vals "gateways" $gatewayVals -}} +{{ $vals | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . 
}} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} 
+{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/resources/v1.22.6/charts/istiod/templates/mutatingwebhook.yaml b/resources/v1.22.6/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 000000000..542164ffc --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/mutatingwebhook.yaml 
@@ -0,0 +1,158 @@ +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + 
operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} 
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/resources/v1.22.6/charts/istiod/templates/poddisruptionbudget.yaml b/resources/v1.22.6/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..ce61de5a9 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/poddisruptionbudget.yaml 
@@ -0,0 +1,25 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot +spec: + minAvailable: 1 + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} diff --git a/resources/v1.22.6/charts/istiod/templates/reader-clusterrole.yaml b/resources/v1.22.6/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 000000000..68f8105bd --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/reader-clusterrole.yaml 
@@ -0,0 +1,60 @@ +{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.global.externalIstiod }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", 
"watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/resources/v1.22.6/charts/istiod/templates/reader-clusterrolebinding.yaml b/resources/v1.22.6/charts/istiod/templates/reader-clusterrolebinding.yaml new file mode 100644 index 000000000..4f9925c9d --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/resources/v1.22.6/charts/istiod/templates/revision-tags.yaml b/resources/v1.22.6/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 000000000..5884e18e3 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/revision-tags.yaml 
@@ -0,0 +1,141 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: 
DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: 
"kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/resources/v1.22.6/charts/istiod/templates/role.yaml b/resources/v1.22.6/charts/istiod/templates/role.yaml new file mode 100644 index 000000000..195bdde40 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/role.yaml @@ -0,0 +1,30 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] diff --git a/resources/v1.22.6/charts/istiod/templates/rolebinding.yaml b/resources/v1.22.6/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 000000000..0d700f008 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/rolebinding.yaml 
@@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} diff --git a/resources/v1.22.6/charts/istiod/templates/service.yaml b/resources/v1.22.6/charts/istiod/templates/service.yaml new file mode 100644 index 000000000..208e83561 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/service.yaml 
@@ -0,0 +1,50 @@ +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.pilot.serviceAnnotations }} + annotations: +{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.pilot.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.pilot.ipFamilyPolicy }} + {{- end }} + {{- if .Values.pilot.ipFamilies }} + ipFamilies: + {{- range .Values.pilot.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- diff --git a/resources/v1.22.6/charts/istiod/templates/serviceaccount.yaml b/resources/v1.22.6/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 000000000..b7a35c7c8 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/serviceaccount.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + {{- if .Values.pilot.serviceAccountAnnotations -}} + annotations: +{{- toYaml .Values.pilot.serviceAccountAnnotations | indent 4 }} + {{- end }} +--- diff --git a/resources/v1.22.6/charts/istiod/templates/validatingadmissionpolicy.yaml b/resources/v1.22.6/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 000000000..a5cc41876 --- /dev/null +++ b/resources/v1.22.6/charts/istiod/templates/validatingadmissionpolicy.yaml 
@@ -0,0 +1,57 @@
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ apiVersions: ["*"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["*"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+ variables:
+ - name: isEnvoyFilter
+ expression: "object.kind == 'EnvoyFilter'"
+ - name: isWasmPlugin
+ expression: "object.kind == 'WasmPlugin'"
+ - name: isProxyConfig
+ expression: "object.kind == 'ProxyConfig'"
+ - name: isTelemetry
+ expression: "object.kind == 'Telemetry'"
+ validations:
+ - expression: "!variables.isEnvoyFilter"
+ - expression: "!variables.isWasmPlugin"
+ - expression: "!variables.isProxyConfig"
+ - expression: |
+ !(
+ variables.isTelemetry && (
+ (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+ (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+ (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+ )
+ )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+ policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+ validationActions: [Deny]
+{{- end }}
diff --git a/resources/v1.22.6/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/v1.22.6/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 000000000..1b44f7628
--- /dev/null
+++ b/resources/v1.22.6/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,63 @@
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio: istiod
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+webhooks:
+ # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+ # are rejecting invalid configs on a per-revision basis.
+ - name: rev.validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ {{- if .Values.base.validationCABundle }}
+ caBundle: "{{ .Values.base.validationCABundle }}"
+ {{- end }}
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ {{- if .Values.base.validationCABundle }}
+ # Disable webhook controller in Pilot to stop patching it
+ failurePolicy: Fail
+ {{- else }}
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready.
+ failurePolicy: Ignore
+ {{- end }}
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+---
+{{- end }}
diff --git a/resources/v1.22.6/charts/istiod/templates/zzz_profile.yaml b/resources/v1.22.6/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 000000000..2d0bd4af7
--- /dev/null
+++ b/resources/v1.22.6/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,43 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $globals := $.Values.global | default dict | deepCopy }}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+# Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/v1.22.6/charts/istiod/values.yaml b/resources/v1.22.6/charts/istiod/values.yaml
new file mode 100644
index 000000000..c74c0fefe
--- /dev/null
+++ b/resources/v1.22.6/charts/istiod/values.yaml
@@ -0,0 +1,514 @@
+defaults:
+ #.Values.pilot for discovery and mesh wide config
+
+ ## Discovery Settings
+ pilot:
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+ autoscaleBehavior: {}
+ replicaCount: 1
+ rollingMaxSurge: 100%
+ rollingMaxUnavailable: 25%
+
+ hub: ""
+ tag: ""
+ variant: ""
+
+ # Can be a full hub/image:tag
+ image: pilot
+ traceSampling: 1.0
+
+ # Resources for a small pilot install
+ resources:
+ requests:
+ cpu: 500m
+ memory: 2048Mi
+
+ # Set to `type: RuntimeDefault` to use the default profile if available.
+ seccompProfile: {}
+
+ # Whether to use an existing CNI installation
+ cni:
+ enabled: false
+ provider: default
+
+ # Additional container arguments
+ extraContainerArgs: []
+
+ env: {}
+
+ # Settings related to the untaint controller
+ # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+ # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+ taint:
+ # Controls whether or not the untaint controller is active
+ enabled: false
+ # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+ namespace: ""
+
+ affinity: {}
+
+ tolerations: []
+
+ cpu:
+ targetAverageUtilization: 80
+ memory: {}
+ # targetAverageUtilization: 80
+
+ # Additional volumeMounts to the istiod container
+ volumeMounts: []
+
+ # Additional volumes to the istiod pod
+ volumes: []
+
+ nodeSelector: {}
+ podAnnotations: {}
+ serviceAnnotations: {}
+ serviceAccountAnnotations: {}
+
+ topologySpreadConstraints: []
+
+ # You can use jwksResolverExtraRootCA to provide a root certificate
+ # in PEM format. This will then be trusted by pilot when resolving
+ # JWKS URIs.
+ jwksResolverExtraRootCA: ""
+
+ # This is used to set the source of configuration for
+ # the associated address in configSource, if nothing is specified
+ # the default MCP is assumed.
+ configSource:
+ subscribedResources: []
+
+ # The following is used to limit how long a sidecar can be connected
+ # to a pilot. It balances out load across pilot instances at the cost of
+ # increasing system churn.
+ keepaliveMaxServerConnectionAge: 30m
+
+ # Additional labels to apply to the deployment.
+ deploymentLabels: {}
+
+ ## Mesh config settings
+
+ # Install the mesh config map, generated from values.yaml.
+ # If false, pilot wil use default values (by default) or user-supplied values.
+ configMap: true
+
+ # Additional labels to apply on the pod level for monitoring and logging configuration.
+ podLabels: {}
+
+ # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+ ipFamilyPolicy: ""
+ ipFamilies: []
+
+ sidecarInjectorWebhook:
+ # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+ # always skip the injection on pods that match that label selector, regardless of the global policy.
+ # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+ neverInjectSelector: []
+ alwaysInjectSelector: []
+
+ # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+ # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+ #
+ # annotations:
+ # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+ # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+ #
+ # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+ # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+ # injectedAnnotations:
+ # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+ # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+ injectedAnnotations: {}
+
+ # This enables injection of sidecar in all namespaces,
+ # with the exception of namespaces with "istio-injection:disabled" annotation
+ # Only one environment should have this enabled.
+ enableNamespacesByDefault: false
+
+ # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+ # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+ # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+ reinvocationPolicy: Never
+
+ rewriteAppHTTPProbe: true
+
+ # Templates defines a set of custom injection templates that can be used. For example, defining:
+ #
+ # templates:
+ # hello: |
+ # metadata:
+ # labels:
+ # hello: world
+ #
+ # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+ # being injected with the hello=world labels.
+ # This is intended for advanced configuration only; most users should use the built in template
+ templates: {}
+
+ # Default templates specifies a set of default templates that are used in sidecar injection.
+ # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+ # To inject other additional templates, define it using the `templates` option, and add it to
+ # the default templates list.
+ # For example:
+ #
+ # templates:
+ # hello: |
+ # metadata:
+ # labels:
+ # hello: world
+ #
+ # defaultTemplates: ["sidecar", "hello"]
+ defaultTemplates: []
+ istiodRemote:
+ # Sidecar injector mutating webhook configuration clientConfig.url value.
+ # For example: https://$remotePilotAddress:15017/inject
+ # The host should not refer to a service running in the cluster; use a service reference by specifying
+ # the clientConfig.service field instead.
+ injectionURL: ""
+
+ # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+ # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+ injectionPath: "/inject"
+
+ injectionCABundle: ""
+ telemetry:
+ enabled: true
+ v2:
+ # For Null VM case now.
+ # This also enables metadata exchange.
+ enabled: true
+ # Indicate if prometheus stats filter is enabled or not
+ prometheus:
+ enabled: true
+ # stackdriver filter settings.
+ stackdriver:
+ enabled: false
+ # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+ revision: ""
+
+ # Revision tags are aliases to Istio control plane revisions
+ revisionTags: []
+
+ # For Helm compatibility.
+ ownerName: ""
+
+ # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+ # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+ meshConfig:
+ enablePrometheusMerge: true
+
+ experimental:
+ stableValidationPolicy: false
+
+ global:
+ # Used to locate istiod.
+ istioNamespace: istio-system
+ # List of cert-signers to allow "approve" action in the istio cluster role
+ #
+ # certSigners:
+ # - clusterissuers.cert-manager.io/istio-ca
+ certSigners: []
+ # enable pod disruption budget for the control plane, which is used to
+ # ensure Istio control plane components are gradually upgraded or recovered.
+ defaultPodDisruptionBudget:
+ enabled: true
+ # The values aren't mutable due to a current PodDisruptionBudget limitation
+ # minAvailable: 1
+
+ # A minimal set of requested resources to applied to all deployments so that
+ # Horizontal Pod Autoscaler will be able to function (if set).
+ # Each component can overwrite these default values by adding its own resources
+ # block in the relevant section below and setting the desired resources values.
+ defaultResources:
+ requests:
+ cpu: 10m
+ # memory: 128Mi
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Dev builds from prow are on gcr.io
+ hub: docker.io/istio
+ # Default tag for Istio images.
+ tag: 1.22.6
+ # Variant of the image to use.
+ # Currently supported are: [debug, distroless]
+ variant: ""
+
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ imagePullPolicy: ""
+
+ # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+ # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+ # - private-registry-key
+
+ # Enabled by default in master for maximising testing.
+ istiod:
+ enableAnalysis: false
+
+ # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+ logAsJson: false
+
+ # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
+ # The control plane has different scopes depending on component, but can configure default log level across all components
+ # If empty, default scope and level will be used as configured in code
+ logging:
+ level: "default:info"
+
+ omitSidecarInjectorConfigMap: false
+
+ # Configure whether Operator manages webhook configurations. The current behavior
+ # of Istiod is to manage its own webhook configurations.
+ # When this option is set as true, Istio Operator, instead of webhooks, manages the
+ # webhook configurations. When this option is set as false, webhooks manage their
+ # own webhook configurations.
+ operatorManageWebhooks: false
+
+ # Custom DNS config for the pod to resolve names of services in other
+ # clusters. Use this to add additional search domains, and other settings.
+ # see
+ # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+ # This does not apply to gateway pods as they typically need a different
+ # set of DNS settings than the normal application pods (e.g., in
+ # multicluster scenarios).
+ # NOTE: If using templates, follow the pattern in the commented example below.
+ #podDNSSearchNamespaces:
+ #- global
+ #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+ # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+ # system-node-critical, it is better to configure this in order to make sure your Istio pods
+ # will not be killed because of low priority class.
+ # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ # for more detail.
+ priorityClassName: ""
+
+ proxy:
+ image: proxyv2
+
+ # This controls the 'policy' in the sidecar injector.
+ autoInject: enabled
+
+ # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+ # cluster domain. Default value is "cluster.local".
+ clusterDomain: "cluster.local"
+
+ # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+ # not set, then the global "logLevel" will be used.
+ componentLogLevel: "misc:error"
+
+ # If set, newly injected sidecars will have core dumps enabled.
+ enableCoreDump: false
+
+ # istio ingress capture allowlist
+ # examples:
+ # Redirect only selected ports: --includeInboundPorts="80,8080"
+ excludeInboundPorts: ""
+ includeInboundPorts: "*"
+
+ # istio egress capture allowlist
+ # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+ # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+ # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+ # be allowed by the sidecar
+ includeIPRanges: "*"
+ excludeIPRanges: ""
+ includeOutboundPorts: ""
+ excludeOutboundPorts: ""
+
+ # Log level for proxy, applies to gateways and sidecars.
+ # Expected values are: trace|debug|info|warning|error|critical|off
+ logLevel: warning
+
+ #If set to true, istio-proxy container will have privileged securityContext
+ privileged: false
+
+ # The number of successive failed probes before indicating readiness failure.
+ readinessFailureThreshold: 4
+
+ # The initial delay for readiness probes in seconds.
+ readinessInitialDelaySeconds: 0
+
+ # The period between readiness probes.
+ readinessPeriodSeconds: 15
+
+ # Enables or disables a startup probe.
+ # For optimal startup times, changing this should be tied to the readiness probe values.
+ #
+ # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+ # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+ # and doesn't spam the readiness endpoint too much
+ #
+ # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+ # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+ startupProbe:
+ enabled: true
+ failureThreshold: 600 # 10 minutes
+
+ # Resources for the sidecar.
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+
+ # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+ statusPort: 15020
+
+ # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+ # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+ tracer: "none"
+
+ proxy_init:
+ # Base name for the proxy_init container, used to configure iptables.
+ image: proxyv2
+
+ # configure remote pilot and istiod service and endpoint
+ remotePilotAddress: ""
+
+ ##############################################################################################
+ # The following values are found in other charts. To effectively modify these values, make #
+ # make sure they are consistent across your Istio helm charts #
+ ##############################################################################################
+
+ # The customized CA address to retrieve certificates for the pods in the cluster.
+ # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+ # If not set explicitly, default to the Istio discovery address.
+ caAddress: ""
+
+ # Configure a remote cluster data plane controlled by an external istiod.
+ # When set to true, istiod is not deployed locally and only a subset of the other
+ # discovery charts are enabled.
+ externalIstiod: false
+
+ # Configure a remote cluster as the config cluster for an external istiod.
+ configCluster: false
+
+ # configValidation enables the validation webhook for Istio configuration.
+ configValidation: true
+
+ # Mesh ID means Mesh Identifier. It should be unique within the scope where
+ # meshes will interact with each other, but it is not required to be
+ # globally/universally unique. For example, if any of the following are true,
+ # then two meshes must have different Mesh IDs:
+ # - Meshes will have their telemetry aggregated in one place
+ # - Meshes will be federated together
+ # - Policy will be written referencing one mesh from the other
+ #
+ # If an administrator expects that any of these conditions may become true in
+ # the future, they should ensure their meshes have different Mesh IDs
+ # assigned.
+ #
+ # Within a multicluster mesh, each cluster must be (manually or auto)
+ # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+ # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+ # of migration TBD, and it may be a disruptive operation to change the Mesh
+ # ID post-install.
+ #
+ # If the mesh admin does not specify a value, Istio will use the value of the
+ # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+ # value.
+ meshID: ""
+
+ # Configure the mesh networks to be used by the Split Horizon EDS.
+ #
+ # The following example defines two networks with different endpoints association methods.
+ # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+ # mapped to network1. The gateway for this network example is specified by its public IP
+ # address and port.
+ # The second network, `network2`, in this example is defined differently with all endpoints
+ # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+ # gateway is also defined differently with the name of the gateway service on the remote
+ # cluster. The public IP for the gateway will be determined from that remote service (only
+ # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+ # it still need to be configured manually).
+ #
+ # meshNetworks:
+ # network1:
+ # endpoints:
+ # - fromCidr: "192.168.0.1/24"
+ # gateways:
+ # - address: 1.1.1.1
+ # port: 80
+ # network2:
+ # endpoints:
+ # - fromRegistry: reg1
+ # gateways:
+ # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+ # port: 443
+ #
+ meshNetworks: {}
+
+ # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+ mountMtlsCerts: false
+
+ multiCluster:
+ # Set to true to connect two kubernetes clusters via their respective
+ # ingressgateway services when pods in each cluster cannot directly
+ # talk to one another. All clusters should be using Istio mTLS and must
+ # have a shared root CA for this model to work.
+ enabled: false
+ # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+ # to properly label proxies
+ clusterName: ""
+
+ # Network defines the network this cluster belong to. This name
+ # corresponds to the networks in the map of mesh networks.
+ network: ""
+
+ # Configure the certificate provider for control plane communication.
+ # Currently, two providers are supported: "kubernetes" and "istiod".
+ # As some platforms may not have kubernetes signing APIs,
+ # Istiod is the default
+ pilotCertProvider: istiod
+
+ sds:
+ # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+ # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+ # JWT is intended for the CA.
+ token:
+ aud: istio-ca
+
+ sts:
+ # The service port used by Security Token Service (STS) server to handle token exchange requests.
+ # Setting this port to a non-zero value enables STS server.
+ servicePort: 0
+
+ # The name of the CA for workload certificates.
+ # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+ # will be used as the certificates for workloads.
+ # The default value is "" and when caName="", the CA will be configured by other
+ # mechanisms (e.g., environmental variable CA_PROVIDER).
+ caName: ""
+
+ # whether to use autoscaling/v2 template for HPA settings
+ # for internal usage only, not to be configured by users.
+ autoscalingv2API: true
+
+ base:
+ # For istioctl usage to disable istio config crds in base
+ enableIstioConfigCRDs: true
+
+ # `istio_cni` has been deprecated and will be removed in a future release. use `pilot.cni` instead
+ istio_cni:
+ # `chained` has been deprecated and will be removed in a future release. use `provider` instead
+ chained: true
+ provider: default
+
+ # Gateway Settings
+ gateways:
+ # Define the security context for the pod.
+ # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+ # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+ securityContext: {}
diff --git a/resources/v1.22.6/charts/ztunnel/Chart.yaml b/resources/v1.22.6/charts/ztunnel/Chart.yaml
new file mode 100644
index 000000000..9705b55ea
--- /dev/null
+++ b/resources/v1.22.6/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+appVersion: 1.22.6
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.22.6
diff --git a/resources/v1.22.6/charts/ztunnel/README.md b/resources/v1.22.6/charts/ztunnel/README.md
new file mode 100644
index 000000000..ffe0b94fe
--- /dev/null
+++ b/resources/v1.22.6/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/resources/v1.22.6/charts/ztunnel/files/profile-ambient.yaml b/resources/v1.22.6/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 000000000..7b2c18c17
--- /dev/null
+++ b/resources/v1.22.6/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,21 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_META_ENABLE_HBONE: "true"
+global:
+ variant: distroless
+pilot:
+ env:
+ PILOT_ENABLE_AMBIENT: "true"
+ CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+cni:
+ ambient:
+ enabled: true
+
+# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel
+variant: distroless
diff --git a/resources/v1.22.6/charts/ztunnel/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.6/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 000000000..480718f1c
--- /dev/null
+++ b/resources/v1.22.6/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,24 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.21 behavioral changes
+ ENABLE_EXTERNAL_NAME_ALIAS: "false"
+ PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+ VERIFY_CERTIFICATE_AT_CLIENT: "false"
+ ENABLE_AUTO_SNI: "false"
+
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.22.6/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.6/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..a204a7ad4
--- /dev/null
+++ b/resources/v1.22.6/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.22.6/charts/ztunnel/files/profile-demo.yaml b/resources/v1.22.6/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 000000000..83b9d6b66
--- /dev/null
+++ b/resources/v1.22.6/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,73 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/resources/v1.22.6/charts/ztunnel/files/profile-openshift-ambient.yaml b/resources/v1.22.6/charts/ztunnel/files/profile-openshift-ambient.yaml new file mode 100644 index 000000000..0908fd145 --- /dev/null +++ b/resources/v1.22.6/charts/ztunnel/files/profile-openshift-ambient.yaml @@ -0,0 +1,34 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + platform: openshift +cni: + ambient: + enabled: true + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" + variant: distroless + env: + PILOT_ENABLE_AMBIENT: "true" + # Allow sidecars/ingress to send/receive HBONE. This is required for interop. + PILOT_ENABLE_SENDING_HBONE: "true" + PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" + CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" +platform: openshift +variant: distroless +seLinuxOptions: + type: spc_t \ No newline at end of file diff --git a/resources/v1.22.6/charts/ztunnel/files/profile-openshift.yaml b/resources/v1.22.6/charts/ztunnel/files/profile-openshift.yaml new file mode 100644 index 000000000..18f61b88f --- /dev/null +++ b/resources/v1.22.6/charts/ztunnel/files/profile-openshift.yaml 
@@ -0,0 +1,20 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +# CNI must be installed. +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +global: + platform: openshift +pilot: + cni: + enabled: true + provider: "multus" +platform: openshift diff --git a/resources/v1.22.6/charts/ztunnel/files/profile-preview.yaml b/resources/v1.22.6/charts/ztunnel/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/resources/v1.22.6/charts/ztunnel/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.22.6/charts/ztunnel/files/profile-stable.yaml b/resources/v1.22.6/charts/ztunnel/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null +++ b/resources/v1.22.6/charts/ztunnel/files/profile-stable.yaml 
@@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.22.6/charts/ztunnel/templates/NOTES.txt b/resources/v1.22.6/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 000000000..244f59db0 --- /dev/null +++ b/resources/v1.22.6/charts/ztunnel/templates/NOTES.txt @@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/v1.22.6/charts/ztunnel/templates/_helpers.tpl b/resources/v1.22.6/charts/ztunnel/templates/_helpers.tpl new file mode 100644 index 000000000..5ef0d0e40 --- /dev/null +++ b/resources/v1.22.6/charts/ztunnel/templates/_helpers.tpl @@ -0,0 +1,10 @@ +{{- define "istio-labels" }} + app.kubernetes.io/name: ztunnel + {{- if .Release.Service }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- end }} + {{- if .Release.Name}} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + app.kubernetes.io/part-of: istio +{{- end }} diff --git a/resources/v1.22.6/charts/ztunnel/templates/daemonset.yaml b/resources/v1.22.6/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 000000000..f83c36dfa --- /dev/null +++ b/resources/v1.22.6/charts/ztunnel/templates/daemonset.yaml 
@@ -0,0 +1,166 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: ztunnel + namespace: {{ .Release.Namespace }} + labels: +{{- template "istio-labels" -}} +{{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: ztunnel + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . 
}} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: ISTIO_META_DNS_PROXY_ADDR + value: "127.0.0.1:15053" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- with .Values.env }} + {{- range $key, $val := . 
}} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but ztunnel may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/resources/v1.22.6/charts/ztunnel/templates/rbac.yaml b/resources/v1.22.6/charts/ztunnel/templates/rbac.yaml new file mode 100644 index 000000000..f332898e1 --- /dev/null +++ b/resources/v1.22.6/charts/ztunnel/templates/rbac.yaml 
@@ -0,0 +1,52 @@ +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: ztunnel + namespace: {{ .Release.Namespace }} + labels: +{{- template "istio-labels" -}} +{{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +--- +{{- if (eq .Values.platform "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ztunnel + labels: + app: ztunnel + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ztunnel + labels: + app: ztunnel + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ztunnel +subjects: +- kind: ServiceAccount + name: ztunnel + namespace: {{ .Release.Namespace }} +{{- end }} +--- \ No newline at end of file diff --git a/resources/v1.22.6/charts/ztunnel/templates/zzz_profile.yaml b/resources/v1.22.6/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 000000000..752a7f375 --- /dev/null +++ b/resources/v1.22.6/charts/ztunnel/templates/zzz_profile.yaml 
@@ -0,0 +1,43 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- $globals := $.Values.global | default dict | deepCopy }} +{{- $defaults := $.Values.defaults }} +{{- $_ := unset $.Values "defaults" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults $globals }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.22.6/charts/ztunnel/values.yaml b/resources/v1.22.6/charts/ztunnel/values.yaml new file mode 100644 index 000000000..5f55cdf5a --- /dev/null +++ b/resources/v1.22.6/charts/ztunnel/values.yaml 
@@ -0,0 +1,87 @@ +defaults: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: docker.io/istio + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.22.6 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. 
+ # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # Used to locate istiod. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t diff --git a/resources/v1.22.6/profiles/ambient.yaml b/resources/v1.22.6/profiles/ambient.yaml new file mode 100644 index 000000000..ddaaa4415 --- /dev/null +++ b/resources/v1.22.6/profiles/ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: ambient diff --git a/resources/v1.22.6/profiles/default.yaml b/resources/v1.22.6/profiles/default.yaml new file mode 100644 index 000000000..1f44cc310 --- /dev/null +++ b/resources/v1.22.6/profiles/default.yaml @@ -0,0 +1,10 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true 
diff --git a/resources/v1.22.6/profiles/demo.yaml b/resources/v1.22.6/profiles/demo.yaml new file mode 100644 index 000000000..fad37e4c2 --- /dev/null +++ b/resources/v1.22.6/profiles/demo.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: demo diff --git a/resources/v1.22.6/profiles/empty.yaml b/resources/v1.22.6/profiles/empty.yaml new file mode 100644 index 000000000..01052de7f --- /dev/null +++ b/resources/v1.22.6/profiles/empty.yaml @@ -0,0 +1,5 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: {} diff --git a/resources/v1.22.6/profiles/openshift-ambient.yaml b/resources/v1.22.6/profiles/openshift-ambient.yaml new file mode 100644 index 000000000..a30b2099b --- /dev/null +++ b/resources/v1.22.6/profiles/openshift-ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: openshift-ambient diff --git a/resources/v1.22.6/profiles/openshift.yaml b/resources/v1.22.6/profiles/openshift.yaml new file mode 100644 index 000000000..a75886e87 --- /dev/null +++ b/resources/v1.22.6/profiles/openshift.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: openshift diff --git a/resources/v1.22.6/profiles/preview.yaml b/resources/v1.22.6/profiles/preview.yaml new file mode 100644 index 000000000..485687d6a --- /dev/null +++ b/resources/v1.22.6/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: preview diff --git a/resources/v1.22.6/profiles/remote.yaml b/resources/v1.22.6/profiles/remote.yaml new file mode 100644 index 000000000..d72fd66e4 --- /dev/null 
+++ b/resources/v1.22.6/profiles/remote.yaml @@ -0,0 +1,5 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: {} diff --git a/resources/v1.22.6/profiles/stable.yaml b/resources/v1.22.6/profiles/stable.yaml new file mode 100644 index 000000000..594344792 --- /dev/null +++ b/resources/v1.22.6/profiles/stable.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: stable diff --git a/resources/v1.23.3/charts/base/Chart.yaml b/resources/v1.23.3/charts/base/Chart.yaml new file mode 100644 index 000000000..d6629eb47 --- /dev/null +++ b/resources/v1.23.3/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.23.3 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.23.3 diff --git a/resources/v1.23.3/charts/base/README.md b/resources/v1.23.3/charts/base/README.md new file mode 100644 index 000000000..ae8f6d5b0 --- /dev/null +++ b/resources/v1.23.3/charts/base/README.md 
@@ -0,0 +1,35 @@ +# Istio base Helm Chart + +This chart installs resources shared by all Istio revisions. This includes Istio CRDs. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-base`: + +```console +kubectl create namespace istio-system +helm install istio-base istio/base -n istio-system +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/resources/v1.23.3/charts/base/crds/crd-all.gen.yaml b/resources/v1.23.3/charts/base/crds/crd-all.gen.yaml new file mode 100644 index 000000000..2f3d6a4b0 --- /dev/null +++ b/resources/v1.23.3/charts/base/crds/crd-all.gen.yaml 
@@ -0,0 +1,14331 @@ +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: wasmplugins.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: WasmPlugin + listKind: WasmPluginList + plural: wasmplugins + singular: wasmplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' + properties: + failStrategy: + description: |- + Specifies the failure behavior for the plugin due to fatal errors. + + Valid Options: FAIL_CLOSE, FAIL_OPEN + enum: + - FAIL_CLOSE + - FAIL_OPEN + type: string + imagePullPolicy: + description: |- + The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + + Valid Options: IfNotPresent, Always + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. 
+ maxLength: 253 + minLength: 1 + type: string + match: + description: Specifies the criteria to determine which traffic is + passed to WasmPlugin. + items: + properties: + mode: + description: |- + Criteria for selecting traffic by their direction. + + Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER + enum: + - UNDEFINED + - CLIENT + - SERVER + - CLIENT_AND_SERVER + type: string + ports: + description: Criteria for selecting traffic by their destination + port. + items: + properties: + number: + maximum: 65535 + minimum: 1 + type: integer + required: + - number + type: object + type: array + x-kubernetes-list-map-keys: + - number + x-kubernetes-list-type: map + type: object + type: array + phase: + description: |- + Determines where in the filter chain this `WasmPlugin` is to be injected. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED_PHASE + - AUTHN + - AUTHZ + - STATS + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. + type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + description: The plugin name to be used in the Envoy configuration + (used to be called `rootID`). + maxLength: 256 + minLength: 1 + type: string + priority: + description: Determines ordering of `WasmPlugins` in the same `phase`. + format: int32 + nullable: true + type: integer + selector: + description: Criteria used to select the specific set of pods/VMs + on which this plugin configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. 
+ maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + sha256: + description: SHA256 checksum that will be used to verify Wasm module + or OCI container. + pattern: (^$|^[a-f0-9]{64}$) + type: string + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + type: + description: |- + Specifies the type of Wasm Extension to be used. + + Valid Options: HTTP, NETWORK + enum: + - UNSPECIFIED_PLUGIN_TYPE + - HTTP + - NETWORK + type: string + url: + description: URL of a Wasm module or OCI container. + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have schema one of [http, https, file, oci] + rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', + ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && + url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', + ''oci'', ''file''])' + verificationKey: + type: string + vmConfig: + description: Configuration for a Wasm VM. + properties: + env: + description: Specifies environment variables to be injected to + this VM. + items: + properties: + name: + description: Name of the environment variable. + maxLength: 256 + minLength: 1 + type: string + value: + description: Value for the environment variable. + maxLength: 2048 + type: string + valueFrom: + description: |- + Source for the environment variable's value. + + Valid Options: INLINE, HOST + enum: + - INLINE + - HOST + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: value may only be set when valueFrom is INLINE + rule: '(has(self.valueFrom) ? 
self.valueFrom : '''') != ''HOST'' + || !has(self.value)' + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - url + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. 
+ type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. 
+ format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. 
+ minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. 
+ properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. 
+ properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. 
+ maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. 
+ format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. 
+ minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. 
+ properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. 
+ properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. 
+ maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. 
+ minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
+ + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. 
+ type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. 
+ format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. 
+ type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. 
+ items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. 
+ minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
+ + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. 
+ type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. 
+ format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. 
+ type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. 
+ items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. 
Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. 
+ minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. 
+ type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. 
+ format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. 
+ type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. 
+ items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. 
+ minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
+ + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. 
+ type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. 
+ format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. 
+ type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. 
+ items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. 
+ maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + description: |- + Specifies where in the Envoy configuration, the patch should be applied. + + Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. 
+ oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + maximum: 4294967295 + minimum: 0 + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: |- + The specific config generation context to match on. + + Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + maximum: 4294967295 + minimum: 0 + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + description: The next level filter within this + filter to match upon. + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. 
+ type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + description: The service port/gateway port to which + traffic is being sent/received. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + description: Match on the node metadata supplied by + a proxy when connecting to Istio Pilot. + type: object + proxyVersion: + description: A regular expression in golang regex format + (RE2) that can be used to select proxies using a specific + version of istio proxy. + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + description: The Istio gateway config's namespace/name + for which this route configuration was generated. + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + description: The service port number or gateway server + port number for which this route configuration was + generated. + maximum: 4294967295 + minimum: 0 + type: integer + vhost: + description: Match a specific virtual host in a route + configuration and apply the patch to the virtual host. + properties: + name: + description: The VirtualHosts objects generated + by Istio are named as host:port, where the host + typically corresponds to the VirtualService's + host field or the hostname of a service in the + registry. + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: |- + Match a route with specific action type. 
+ + Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + description: The Route objects generated by + default are named as default. + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: |- + Determines the filter insertion order. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: |- + Determines how the patch should be applied. + + Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. + format: int32 + type: integer + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this patch configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. 
+ items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. 
+ + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. 
See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. 
+ type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. 
+ items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. 
+ type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. 
+ items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more + details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + format: int32 + minimum: 0 + nullable: true + type: integer + environmentVariables: + additionalProperties: + maxLength: 2048 + type: string + description: Additional environment variables for the proxy. + type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. 
+ maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. 
See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) + == ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. 
+ maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) + == ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. 
+ items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. 
+ type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? 
(self.substring(7,8) + == ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. 
+ + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - name + type: object + type: array + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. 
+ type: object + type: object + required: + - hosts + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). 
+ + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. 
+ See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. 
+ format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. 
+ format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. 
+ type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. 
+ type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. 
+ items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. 
+ format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. 
+ items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. 
+ type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. 
+ + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. 
+ type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. 
+ items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. 
+ + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. 
+ maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. 
+ items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. 
+ type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. 
+ type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. 
+ type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
+ type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. 
+ oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. 
+ type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. 
+ type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. 
+ oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. 
+ type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. 
+ format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. 
+ format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
+ properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. 
+ type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. 
+ oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. 
+ maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. 
+ items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. 
+ type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. 
+ type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. 
+ type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. 
It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' + || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. 
+ maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? + !has(self.ports) : true' + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + - spec + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. 
+ maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' + || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? 
+ !has(self.ports) : true' + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + - spec + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' + || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. 
+ maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? + !has(self.ports) : true' + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + - spec + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. 
Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. 
+ maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == + ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. 
+ maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. 
+ properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. 
+ format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == + ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. 
+ maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. 
+ properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. 
+ maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == + ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? 
!has(self.ports) : true' + required: + - template + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + shortNames: + - ap + singular: authorizationpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. 
+ properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. 
+ items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + required: + - key + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. 
+ items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. 
See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. 
+ items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + required: + - key + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + 
listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + minProperties: 1 + type: object + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: self.all(key, 0 < int(key) && int(key) <= 65535) + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. 
+ properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + x-kubernetes-validations: + - message: portLevelMtls requires selector + rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() + > 0) || !has(self.portLevelMtls) + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. 
+ + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + minProperties: 1 + type: object + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: self.all(key, 0 < int(key) && int(key) <= 65535) + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. 
+ maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + x-kubernetes-validations: + - message: portLevelMtls requires selector + rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() + > 0) || !has(self.portLevelMtls) + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. + items: + minLength: 1 + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. 
+ items: + minLength: 1 + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + minLength: 1 + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + minLength: 1 + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + minLength: 1 + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + minLength: 1 + type: string + header: + description: The name of the header to be created. + minLength: 1 + pattern: ^[-_A-Za-z0-9]+$ + type: string + required: + - header + - claim + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. 
+ type: string + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + required: + - issuer + type: object + x-kubernetes-validations: + - message: only one of jwks or jwksUri can be set + rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 + maxItems: 4096 + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. 
See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. + items: + minLength: 1 + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + minLength: 1 + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + minLength: 1 + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + minLength: 1 + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + minLength: 1 + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. 
+ maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + minLength: 1 + type: string + header: + description: The name of the header to be created. + minLength: 1 + pattern: ^[-_A-Za-z0-9]+$ + type: string + required: + - header + - claim + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + required: + - issuer + type: object + x-kubernetes-validations: + - message: only one of jwks or jwksUri can be set + rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 + maxItems: 4096 + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. 
+ maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. 
See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). 
+ + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') + == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') + == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. 
+ maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. 
+ properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. 
+ type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. 
+ + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') + == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') + == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway'']]' + type: array + tracing: + description: Optional. 
+ items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. 
+ format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} diff --git a/resources/v1.23.3/charts/base/files/profile-ambient.yaml b/resources/v1.23.3/charts/base/files/profile-ambient.yaml new file mode 100644 index 000000000..22db03309 --- /dev/null +++ b/resources/v1.23.3/charts/base/files/profile-ambient.yaml @@ -0,0 +1,20 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true + +# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel +variant: distroless diff --git a/resources/v1.23.3/charts/base/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.3/charts/base/files/profile-compatibility-version-1.20.yaml new file mode 100644 index 000000000..72fdd5b3c --- /dev/null +++ b/resources/v1.23.3/charts/base/files/profile-compatibility-version-1.20.yaml 
@@ -0,0 +1,26 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.21 behavioral changes + ENABLE_EXTERNAL_NAME_ALIAS: "false" + PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" + VERIFY_CERTIFICATE_AT_CLIENT: "false" + ENABLE_AUTO_SNI: "false" + + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.22 behavioral changes + ISTIO_DELTA_XDS: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.23.3/charts/base/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.3/charts/base/files/profile-compatibility-version-1.21.yaml new file mode 100644 index 000000000..d11c242b5 --- /dev/null +++ b/resources/v1.23.3/charts/base/files/profile-compatibility-version-1.21.yaml @@ -0,0 +1,23 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 
diff --git a/resources/v1.23.3/charts/base/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.3/charts/base/files/profile-compatibility-version-1.22.yaml new file mode 100644 index 000000000..b091e2b94 --- /dev/null +++ b/resources/v1.23.3/charts/base/files/profile-compatibility-version-1.22.yaml @@ -0,0 +1,16 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.22 behavioral changes + ENABLE_DEFERRED_CLUSTER_CREATION: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/v1.23.3/charts/base/files/profile-demo.yaml b/resources/v1.23.3/charts/base/files/profile-demo.yaml new file mode 100644 index 000000000..83b9d6b66 --- /dev/null +++ b/resources/v1.23.3/charts/base/files/profile-demo.yaml 
@@ -0,0 +1,73 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/resources/v1.23.3/charts/base/files/profile-openshift-ambient.yaml b/resources/v1.23.3/charts/base/files/profile-openshift-ambient.yaml new file mode 100644 index 000000000..df4532d11 --- /dev/null +++ b/resources/v1.23.3/charts/base/files/profile-openshift-ambient.yaml @@ -0,0 +1,33 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + platform: openshift +cni: + ambient: + enabled: true + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" + variant: distroless + env: + PILOT_ENABLE_AMBIENT: "true" + # Allow sidecars/ingress to send/receive HBONE. This is required for interop. + PILOT_ENABLE_SENDING_HBONE: "true" + PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" +platform: openshift +variant: distroless +seLinuxOptions: + type: spc_t diff --git a/resources/v1.23.3/charts/base/files/profile-openshift.yaml b/resources/v1.23.3/charts/base/files/profile-openshift.yaml new file mode 100644 index 000000000..18f61b88f --- /dev/null +++ b/resources/v1.23.3/charts/base/files/profile-openshift.yaml 
@@ -0,0 +1,20 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +# CNI must be installed. +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +global: + platform: openshift +pilot: + cni: + enabled: true + provider: "multus" +platform: openshift diff --git a/resources/v1.23.3/charts/base/files/profile-preview.yaml b/resources/v1.23.3/charts/base/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/resources/v1.23.3/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.23.3/charts/base/files/profile-stable.yaml b/resources/v1.23.3/charts/base/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null +++ b/resources/v1.23.3/charts/base/files/profile-stable.yaml 
@@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.23.3/charts/base/templates/NOTES.txt b/resources/v1.23.3/charts/base/templates/NOTES.txt new file mode 100644 index 000000000..f12616f57 --- /dev/null +++ b/resources/v1.23.3/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/v1.23.3/charts/base/templates/crds.yaml b/resources/v1.23.3/charts/base/templates/crds.yaml new file mode 100644 index 000000000..af9901c6e --- /dev/null +++ b/resources/v1.23.3/charts/base/templates/crds.yaml @@ -0,0 +1,3 @@ +{{- if .Values.base.enableCRDTemplates }} +{{ .Files.Get "crds/crd-all.gen.yaml" }} +{{- end }} diff --git a/resources/v1.23.3/charts/base/templates/default.yaml b/resources/v1.23.3/charts/base/templates/default.yaml new file mode 100644 index 000000000..6842c4dfd --- /dev/null +++ b/resources/v1.23.3/charts/base/templates/default.yaml 
@@ -0,0 +1,54 @@ +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} diff --git a/resources/v1.23.3/charts/base/templates/endpoints.yaml b/resources/v1.23.3/charts/base/templates/endpoints.yaml new file mode 100644 index 000000000..36575202d --- /dev/null +++ b/resources/v1.23.3/charts/base/templates/endpoints.yaml 
@@ -0,0 +1,23 @@ +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +# if the remotePilotAddress is an IP addr +apiVersion: v1 +kind: Endpoints +metadata: + {{- if .Values.pilot.enabled }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} diff --git a/resources/v1.23.3/charts/base/templates/reader-serviceaccount.yaml b/resources/v1.23.3/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 000000000..d9ce18c27 --- /dev/null +++ b/resources/v1.23.3/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,16 @@ +# This service account aggregates reader permissions for the revisions in a given cluster +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} diff --git a/resources/v1.23.3/charts/base/templates/services.yaml b/resources/v1.23.3/charts/base/templates/services.yaml new file mode 100644 index 000000000..fc1fa1a2f --- /dev/null +++ b/resources/v1.23.3/charts/base/templates/services.yaml 
@@ -0,0 +1,37 @@ +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + {{- if .Values.pilot.enabled }} + # when local istiod is enabled, we can't use istiod service name to reach the remote control plane + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/resources/v1.23.3/charts/base/templates/validatingadmissionpolicy.yaml b/resources/v1.23.3/charts/base/templates/validatingadmissionpolicy.yaml new file mode 100644 index 000000000..2376d995a --- /dev/null +++ b/resources/v1.23.3/charts/base/templates/validatingadmissionpolicy.yaml 
@@ -0,0 +1,51 @@ +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} diff --git a/resources/v1.23.3/charts/base/templates/zzz_profile.yaml b/resources/v1.23.3/charts/base/templates/zzz_profile.yaml new file mode 100644 index 000000000..2d0bd4af7 --- /dev/null +++ b/resources/v1.23.3/charts/base/templates/zzz_profile.yaml 
@@ -0,0 +1,43 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- $globals := $.Values.global | default dict | deepCopy }} +{{- $defaults := $.Values.defaults }} +{{- $_ := unset $.Values "defaults" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults $globals }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.23.3/charts/base/values.yaml b/resources/v1.23.3/charts/base/values.yaml new file mode 100644 index 000000000..fae4e61e4 --- /dev/null +++ b/resources/v1.23.3/charts/base/values.yaml 
@@ -0,0 +1,42 @@ +# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. +defaults: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + + externalIstiod: false + remotePilotAddress: "" + + # Platform where Istio is deployed. Possible values are: "openshift", "gcp". + # An empty value means it is a vanilla Kubernetes distribution, therefore no special + # treatment will be considered. + platform: "" + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + # This is intended only for use with external istiod. + ipFamilyPolicy: "" + ipFamilies: [] + + base: + # Used for helm2 to add the CRDs to templates. + enableCRDTemplates: false + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/resources/v1.23.3/charts/cni/Chart.yaml b/resources/v1.23.3/charts/cni/Chart.yaml new file mode 100644 index 000000000..ec1870bdb --- /dev/null +++ b/resources/v1.23.3/charts/cni/Chart.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.23.3 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.23.3 diff --git a/resources/v1.23.3/charts/cni/README.md b/resources/v1.23.3/charts/cni/README.md new file mode 100644 index 000000000..a8b78d5bd --- /dev/null +++ b/resources/v1.23.3/charts/cni/README.md 
@@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. 
+ +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/resources/v1.23.3/charts/cni/files/profile-ambient.yaml b/resources/v1.23.3/charts/cni/files/profile-ambient.yaml new file mode 100644 index 000000000..22db03309 --- /dev/null +++ b/resources/v1.23.3/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,20 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true + +# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel +variant: distroless diff --git a/resources/v1.23.3/charts/cni/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.3/charts/cni/files/profile-compatibility-version-1.20.yaml new file mode 100644 index 000000000..72fdd5b3c --- /dev/null +++ b/resources/v1.23.3/charts/cni/files/profile-compatibility-version-1.20.yaml 
@@ -0,0 +1,26 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.21 behavioral changes + ENABLE_EXTERNAL_NAME_ALIAS: "false" + PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" + VERIFY_CERTIFICATE_AT_CLIENT: "false" + ENABLE_AUTO_SNI: "false" + + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.22 behavioral changes + ISTIO_DELTA_XDS: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.23.3/charts/cni/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.3/charts/cni/files/profile-compatibility-version-1.21.yaml new file mode 100644 index 000000000..d11c242b5 --- /dev/null +++ b/resources/v1.23.3/charts/cni/files/profile-compatibility-version-1.21.yaml @@ -0,0 +1,23 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 
diff --git a/resources/v1.23.3/charts/cni/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.3/charts/cni/files/profile-compatibility-version-1.22.yaml new file mode 100644 index 000000000..b091e2b94 --- /dev/null +++ b/resources/v1.23.3/charts/cni/files/profile-compatibility-version-1.22.yaml @@ -0,0 +1,16 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.22 behavioral changes + ENABLE_DEFERRED_CLUSTER_CREATION: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/v1.23.3/charts/cni/files/profile-demo.yaml b/resources/v1.23.3/charts/cni/files/profile-demo.yaml new file mode 100644 index 000000000..83b9d6b66 --- /dev/null +++ b/resources/v1.23.3/charts/cni/files/profile-demo.yaml 
@@ -0,0 +1,73 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/resources/v1.23.3/charts/cni/files/profile-openshift-ambient.yaml b/resources/v1.23.3/charts/cni/files/profile-openshift-ambient.yaml new file mode 100644 index 000000000..df4532d11 --- /dev/null +++ b/resources/v1.23.3/charts/cni/files/profile-openshift-ambient.yaml @@ -0,0 +1,33 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + platform: openshift +cni: + ambient: + enabled: true + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" + variant: distroless + env: + PILOT_ENABLE_AMBIENT: "true" + # Allow sidecars/ingress to send/receive HBONE. This is required for interop. + PILOT_ENABLE_SENDING_HBONE: "true" + PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" +platform: openshift +variant: distroless +seLinuxOptions: + type: spc_t diff --git a/resources/v1.23.3/charts/cni/files/profile-openshift.yaml b/resources/v1.23.3/charts/cni/files/profile-openshift.yaml new file mode 100644 index 000000000..18f61b88f --- /dev/null +++ b/resources/v1.23.3/charts/cni/files/profile-openshift.yaml 
@@ -0,0 +1,20 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +# CNI must be installed. +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +global: + platform: openshift +pilot: + cni: + enabled: true + provider: "multus" +platform: openshift diff --git a/resources/v1.23.3/charts/cni/files/profile-preview.yaml b/resources/v1.23.3/charts/cni/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/resources/v1.23.3/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.23.3/charts/cni/files/profile-stable.yaml b/resources/v1.23.3/charts/cni/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null +++ b/resources/v1.23.3/charts/cni/files/profile-stable.yaml 
@@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.23.3/charts/cni/templates/NOTES.txt b/resources/v1.23.3/charts/cni/templates/NOTES.txt new file mode 100644 index 000000000..fb35525b9 --- /dev/null +++ b/resources/v1.23.3/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/v1.23.3/charts/cni/templates/_helpers.tpl b/resources/v1.23.3/charts/cni/templates/_helpers.tpl new file mode 100644 index 000000000..fe5786580 --- /dev/null +++ b/resources/v1.23.3/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/resources/v1.23.3/charts/cni/templates/clusterrole.yaml b/resources/v1.23.3/charts/cni/templates/clusterrole.yaml new file mode 100644 index 000000000..4c9119e1c --- /dev/null +++ b/resources/v1.23.3/charts/cni/templates/clusterrole.yaml 
@@ -0,0 +1,74 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq .Values.platform "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.cni.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-repair-role + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.cni.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.cni.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.cni.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.cni.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . 
}}-ambient + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} diff --git a/resources/v1.23.3/charts/cni/templates/clusterrolebinding.yaml b/resources/v1.23.3/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..dba1238de --- /dev/null +++ b/resources/v1.23.3/charts/cni/templates/clusterrolebinding.yaml 
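Review bot: The first ClusterRole grants `use` on the `privileged` SecurityContextConstraint unconditionally in its first rule and then repeats the identical rule inside `{{- if (eq .Values.platform "openshift") }}`, so the guard is redundant and the grant is emitted on every platform. Keeping only the guarded copy keeps the role least-privilege on non-OpenShift clusters, where the rule is inert but still shows up in RBAC audits. Since this chart is a vendored copy of the upstream release, this is best raised upstream rather than patched in this repository.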
@@ -0,0 +1,60 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.cni.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-repair-rolebinding + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-repair-role +{{- end }} +--- +{{- if .Values.cni.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-ambient + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +subjects: + - kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-ambient +{{- end }} 
diff --git a/resources/v1.23.3/charts/cni/templates/configmap-cni.yaml b/resources/v1.23.3/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 000000000..131c09a1a --- /dev/null +++ b/resources/v1.23.3/charts/cni/templates/configmap-cni.yaml 
@@ -0,0 +1,29 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +data: + CURRENT_AGENT_VERSION: {{ .Values.cni.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.cni.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.cni.ambient.dnsCapture | default "false" | quote }} + AMBIENT_IPV6: {{ .Values.cni.ambient.ipv6 | default "false" | quote }} + {{- if .Values.cni.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cni.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CNI_NET_DIR: {{ .Values.cni.cniConfDir | default "/etc/cni/net.d" }} # Directory where the CNI config file is going to be created. + CHAINED_CNI_PLUGIN: {{ .Values.cni.chained | quote }} + EXCLUDED_NAMESPACES: "{{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.cni.chained | quote }} + REPAIR_LABEL_PODS: {{ .Values.cni.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.cni.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.cni.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.cni.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.cni.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.cni.repair.brokenPodLabelValue | quote }} diff --git a/resources/v1.23.3/charts/cni/templates/daemonset.yaml b/resources/v1.23.3/charts/cni/templates/daemonset.yaml new file mode 100644 index 000000000..cf0dab5ca --- /dev/null 
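Review bot: `REPAIR_ENABLED: {{ .Values.cni.chained | quote }}` reads the chained-plugin flag, whereas every other `REPAIR_*` key in this ConfigMap reads `.Values.cni.repair.*` and clusterrole.yaml gates the repair ClusterRole on `.Values.cni.repair.enabled`; as written, repair mode is toggled by whether the CNI is chained rather than by `cni.repair.enabled`. The consistent line would be `REPAIR_ENABLED: {{ .Values.cni.repair.enabled | quote }}`. This matters because the repair settings alongside it decide whether pods that missed CNI setup are deleted or labeled, so a mismatch between the RBAC gate and the runtime flag is worth tracking even though, as a vendored upstream chart, the fix belongs upstream rather than in this copy.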
+++ b/resources/v1.23.3/charts/cni/templates/daemonset.yaml 
@@ -0,0 +1,208 @@
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+{{- $defaultBinDir :=
+ (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+ "/home/kubernetes/bin"
+ "/opt/cni/bin"
+}}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: {{ template "name" . }}-node
+ namespace: {{ .Release.Namespace }}
+ labels:
+ k8s-app: {{ template "name" . }}-node
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
+spec:
+ selector:
+ matchLabels:
+ k8s-app: {{ template "name" . }}-node
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: {{ .Values.cni.rollingMaxUnavailable }}
+ template:
+ metadata:
+ labels:
+ k8s-app: {{ template "name" . }}-node
+ sidecar.istio.io/inject: "false"
+ istio.io/dataplane-mode: none
+ annotations:
+ sidecar.istio.io/inject: "false"
+ # Add Prometheus Scrape annotations
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: "15014"
+ prometheus.io/path: '/metrics'
+ # Custom annotations
+ {{- if .Values.cni.podAnnotations }}
+{{ toYaml .Values.cni.podAnnotations | indent 8 }}
+ {{- end }}
+ spec:
+ {{if .Values.cni.ambient.enabled }}hostNetwork: true{{ end }}
+ nodeSelector:
+ kubernetes.io/os: linux
+ # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes
+ {{- with .Values.cni.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ tolerations:
+ # Make sure istio-cni-node gets scheduled on all nodes.
+ - effect: NoSchedule
+ operator: Exists
+ # Mark the pod as a critical add-on for rescheduling.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ priorityClassName: system-node-critical
+ serviceAccountName: {{ template "name" . }}
+ # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+ # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+ terminationGracePeriodSeconds: 5
+ containers:
+ # This container installs the Istio CNI binaries
+ # and CNI network config file on each node.
+ - name: install-cni
+{{- if contains "/" .Values.cni.image }}
+ image: "{{ .Values.cni.image }}"
+{{- else }}
+ image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ template "istio-tag" . }}"
+{{- end }}
+{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }}
+ imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+ ports:
+ - containerPort: 15014
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8000
+ securityContext:
+ privileged: true # always requires privilege to be useful (install node plugin, etc)
+ runAsGroup: 0
+ runAsUser: 0
+ runAsNonRoot: false
+ # Both ambient and sidecar repair mode require elevated node privileges to function.
+ # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature.
+ # privileged is redundant with CAP_SYS_ADMIN
+ # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular
+ # capabilities we actually require
+ capabilities:
+ drop:
+ - ALL
+ add:
+ # CAP_NET_ADMIN is required to allow ipset and route table access
+ - NET_ADMIN
+ # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
+ - NET_RAW
+ # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
+ # network namespaces in `/proc` to obtain descriptors for entering pod netnamespaces.
+ # There does not appear to be a more granular capability for this.
+ - SYS_ADMIN
+{{- if .Values.cni.seccompProfile }}
+ seccompProfile:
+{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }}
+{{- end }}
+ command: ["install-cni"]
+ args:
+ {{- if or .Values.cni.logging.level .Values.global.logging.level }}
+ - --log_output_level={{ coalesce .Values.cni.logging.level .Values.global.logging.level }}
+ {{- end}}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end}}
+ envFrom:
+ - configMapRef:
+ name: {{ template "name" . }}-config
+ env:
+ - name: REPAIR_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: REPAIR_RUN_AS_DAEMON
+ value: "true"
+ - name: REPAIR_SIDECAR_ANNOTATION
+ value: "sidecar.istio.io/status"
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ - name: GOMAXPROCS
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - mountPath: /host/opt/cni/bin
+ name: cni-bin-dir
+ {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }}
+ - mountPath: /host/proc
+ name: cni-host-procfs
+ readOnly: true
+ {{- end }}
+ - mountPath: /host/etc/cni/net.d
+ name: cni-net-dir
+ - mountPath: /var/run/istio-cni
+ name: cni-socket-dir
+ {{- if .Values.cni.ambient.enabled }}
+ - mountPath: /host/var/run/netns
+ mountPropagation: HostToContainer
+ name: cni-netns-dir
+ - mountPath: /var/run/ztunnel
+ name: cni-ztunnel-sock-dir
+ {{ end }}
+ resources:
+{{- if .Values.cni.resources }}
+{{ toYaml .Values.cni.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+ volumes:
+ # Used to install CNI.
+ - name: cni-bin-dir
+ hostPath:
+ path: {{ .Values.cni.cniBinDir | default $defaultBinDir }}
+ {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }}
+ - name: cni-host-procfs
+ hostPath:
+ path: /proc
+ type: Directory
+ {{- end }}
+ {{- if .Values.cni.ambient.enabled }}
+ - name: cni-ztunnel-sock-dir
+ hostPath:
+ path: /var/run/ztunnel
+ type: DirectoryOrCreate
+ {{- end }}
+ - name: cni-net-dir
+ hostPath:
+ path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }}
+ # Used for UDS sockets for logging, ambient eventing
+ - name: cni-socket-dir
+ hostPath:
+ path: /var/run/istio-cni
+ - name: cni-netns-dir
+ hostPath:
+ path: {{ .Values.cni.cniNetnsDir | default "/var/run/netns" }}
+ type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+ # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+ # Once the CNI does mount this, it will get populated and we're good.
diff --git a/resources/v1.23.3/charts/cni/templates/network-attachment-definition.yaml b/resources/v1.23.3/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 000000000..6c85d0ae7
--- /dev/null
+++ b/resources/v1.23.3/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,9 @@
+{{- if eq .Values.cni.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+ name: {{ template "name" . }}
+ namespace: default
+ labels:
+ operator.istio.io/component: "Cni"
+{{- end }}
diff --git a/resources/v1.23.3/charts/cni/templates/resourcequota.yaml b/resources/v1.23.3/charts/cni/templates/resourcequota.yaml
new file mode 100644
index 000000000..90c16af5f
--- /dev/null
+++ b/resources/v1.23.3/charts/cni/templates/resourcequota.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.cni.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: {{ template "name" . }}-resource-quota
+ namespace: {{ .Release.Namespace }}
+spec:
+ hard:
+ pods: {{ .Values.cni.resourceQuotas.pods | quote }}
+ scopeSelector:
+ matchExpressions:
+ - operator: In
+ scopeName: PriorityClass
+ values:
+ - system-node-critical
+{{- end }}
diff --git a/resources/v1.23.3/charts/cni/templates/serviceaccount.yaml b/resources/v1.23.3/charts/cni/templates/serviceaccount.yaml
new file mode 100644
index 000000000..a4798f214
--- /dev/null
+++ b/resources/v1.23.3/charts/cni/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: {{ template "name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "name" . }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
diff --git a/resources/v1.23.3/charts/cni/templates/zzz_profile.yaml b/resources/v1.23.3/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 000000000..2d0bd4af7
--- /dev/null
+++ b/resources/v1.23.3/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,43 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $globals := $.Values.global | default dict | deepCopy }}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+# Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/v1.23.3/charts/cni/values.yaml b/resources/v1.23.3/charts/cni/values.yaml
new file mode 100644
index 000000000..ba959c95e
--- /dev/null
+++ b/resources/v1.23.3/charts/cni/values.yaml
@@ -0,0 +1,144 @@
+# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
+defaults:
+ cni:
+ hub: ""
+ tag: ""
+ variant: ""
+ image: install-cni
+ pullPolicy: ""
+
+ # Same as `global.logging.level`, but will override it if set
+ logging:
+ level: ""
+
+ # Configuration file to insert istio-cni plugin configuration
+ # by default this will be the first file found in the cni-conf-dir
+ # Example
+ # cniConfFileName: 10-calico.conflist
+
+ # CNI bin and conf dir override settings
+ # defaults:
+ cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin.
+ cniConfDir: /etc/cni/net.d
+ cniConfFileName: ""
+ # This directory must exist on the node, if it does not, consult your container runtime
+ # documentation for the appropriate path.
+ cniNetnsDir: # Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'.
+
+
+ excludeNamespaces:
+ - kube-system
+
+ # Allows user to set custom affinity for the DaemonSet
+ affinity: {}
+
+ # Custom annotations on pod level, if you need them
+ podAnnotations: {}
+
+ # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+ # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+ chained: true
+
+ # Custom configuration happens based on the CNI provider.
+ # Possible values: "default", "multus"
+ provider: "default"
+
+ # Configure ambient settings
+ ambient:
+ # If enabled, ambient redirection will be enabled
+ enabled: false
+ # Set ambient config dir path: defaults to /etc/ambient-config
+ configDir: ""
+ # If enabled, and ambient is enabled, DNS redirection will be enabled
+ dnsCapture: false
+ # If enabled, and ambient is enabled, enables ipv6 support
+ ipv6: true
+
+
+ repair:
+ enabled: true
+ hub: ""
+ tag: ""
+
+ # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+ # This defines the action the controller will take when a pod is detected as broken.
+
+ # labelPods will label all pods with =.
+ # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+ # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+ labelPods: false
+ # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+ # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+ deletePods: false
+ # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+ # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+ # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+ repairPods: true
+
+ initContainerName: "istio-validation"
+
+ brokenPodLabelKey: "cni.istio.io/uninitialized"
+ brokenPodLabelValue: "true"
+
+ # Set to `type: RuntimeDefault` to use the default profile if available.
+ seccompProfile: {}
+
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+
+ resourceQuotas:
+ enabled: false
+ pods: 5000
+
+ # The number of pods that can be unavailable during rolling update (see
+ # `updateStrategy.rollingUpdate.maxUnavailable` here:
+ # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+ # May be specified as a number of pods or as a percent of the total number
+ # of pods at the start of the update.
+ rollingMaxUnavailable: 1
+
+ # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+ revision: ""
+
+ # For Helm compatibility.
+ ownerName: ""
+
+ global:
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Dev builds from prow are on gcr.io
+ hub: docker.io/istio
+
+ # Default tag for Istio images.
+ tag: 1.23.3
+
+ # Variant of the image to use.
+ # Currently supported are: [debug, distroless]
+ variant: ""
+
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ imagePullPolicy: ""
+
+ # change cni scope level to control logging out of istio-cni-node DaemonSet
+ logging:
+ level: info
+
+ logAsJson: false
+
+ # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+ # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+ # - private-registry-key
+
+ # Default resources allocated
+ defaultResources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
diff --git a/resources/v1.23.3/charts/gateway/Chart.yaml b/resources/v1.23.3/charts/gateway/Chart.yaml
new file mode 100644
index 000000000..bc026dd8f
--- /dev/null
+++ b/resources/v1.23.3/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.23.3
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.23.3
diff --git a/resources/v1.23.3/charts/gateway/README.md b/resources/v1.23.3/charts/gateway/README.md
new file mode 100644
index 000000000..5c064d165
--- /dev/null
+++ b/resources/v1.23.3/charts/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+ # Egress gateways do not need an external LoadBalancer IP
+ type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+ app: "" # Unset default app selector label
+ istio: ingressgateway # override default istio selector label
+ foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+ kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+ kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+ kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/resources/v1.23.3/charts/gateway/files/profile-ambient.yaml b/resources/v1.23.3/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 000000000..22db03309
--- /dev/null
+++ b/resources/v1.23.3/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,20 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_META_ENABLE_HBONE: "true"
+global:
+ variant: distroless
+pilot:
+ env:
+ PILOT_ENABLE_AMBIENT: "true"
+cni:
+ ambient:
+ enabled: true
+
+# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel
+variant: distroless
diff --git a/resources/v1.23.3/charts/gateway/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.3/charts/gateway/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 000000000..72fdd5b3c
--- /dev/null
+++ b/resources/v1.23.3/charts/gateway/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,26 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.21 behavioral changes
+ ENABLE_EXTERNAL_NAME_ALIAS: "false"
+ PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+ VERIFY_CERTIFICATE_AT_CLIENT: "false"
+ ENABLE_AUTO_SNI: "false"
+
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.22 behavioral changes
+ ISTIO_DELTA_XDS: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.23.3/charts/gateway/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.3/charts/gateway/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..d11c242b5
--- /dev/null
+++ b/resources/v1.23.3/charts/gateway/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,23 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.23.3/charts/gateway/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.3/charts/gateway/files/profile-compatibility-version-1.22.yaml
new file mode 100644
index 000000000..b091e2b94
--- /dev/null
+++ b/resources/v1.23.3/charts/gateway/files/profile-compatibility-version-1.22.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.22 behavioral changes
+ ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
diff --git a/resources/v1.23.3/charts/gateway/files/profile-demo.yaml b/resources/v1.23.3/charts/gateway/files/profile-demo.yaml
new file mode 100644
index 000000000..83b9d6b66
--- /dev/null
+++ b/resources/v1.23.3/charts/gateway/files/profile-demo.yaml
@@ -0,0 +1,73 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+ accessLogFile: /dev/stdout
+ extensionProviders:
+ - name: otel
+ envoyOtelAls:
+ service: opentelemetry-collector.observability.svc.cluster.local
+ port: 4317
+ - name: skywalking
+ skywalking:
+ service: tracing.istio-system.svc.cluster.local
+ port: 11800
+ - name: otel-tracing
+ opentelemetry:
+ port: 4317
+ service: opentelemetry-collector.observability.svc.cluster.local
+
+global:
+ proxy:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+pilot:
+ autoscaleEnabled: false
+ traceSampling: 100
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+
+gateways:
+ istio-egressgateway:
+ autoscaleEnabled: false
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ istio-ingressgateway:
+ autoscaleEnabled: false
+ ports:
+ ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+ # Note that AWS ELB will by default perform health checks on the first port
+ # on this list. Setting this to the health check port will ensure that health
+ # checks always work. https://github.com/istio/istio/issues/12503
+ - port: 15021
+ targetPort: 15021
+ name: status-port
+ - port: 80
+ targetPort: 8080
+ name: http2
+ - port: 443
+ targetPort: 8443
+ name: https
+ - port: 31400
+ targetPort: 31400
+ name: tcp
+ # This is the port where sni routing happens
+ - port: 15443
+ targetPort: 15443
+ name: tls
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
\ No newline at end of file
diff --git a/resources/v1.23.3/charts/gateway/files/profile-openshift-ambient.yaml b/resources/v1.23.3/charts/gateway/files/profile-openshift-ambient.yaml
new file mode 100644
index 000000000..df4532d11
--- /dev/null
+++ b/resources/v1.23.3/charts/gateway/files/profile-openshift-ambient.yaml
@@ -0,0 +1,33 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_META_ENABLE_HBONE: "true"
+global:
+ platform: openshift
+cni:
+ ambient:
+ enabled: true
+ cniBinDir: /var/lib/cni/bin
+ cniConfDir: /etc/cni/multus/net.d
+ chained: false
+ cniConfFileName: "istio-cni.conf"
+ logLevel: info
+ provider: "multus"
+pilot:
+ cni:
+ enabled: true
+ provider: "multus"
+ variant: distroless
+ env:
+ PILOT_ENABLE_AMBIENT: "true"
+ # Allow sidecars/ingress to send/receive HBONE. This is required for interop.
+ PILOT_ENABLE_SENDING_HBONE: "true"
+ PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true"
+platform: openshift
+variant: distroless
+seLinuxOptions:
+ type: spc_t
diff --git a/resources/v1.23.3/charts/gateway/files/profile-openshift.yaml b/resources/v1.23.3/charts/gateway/files/profile-openshift.yaml
new file mode 100644
index 000000000..18f61b88f
--- /dev/null
+++ b/resources/v1.23.3/charts/gateway/files/profile-openshift.yaml
@@ -0,0 +1,20 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+ cniBinDir: /var/lib/cni/bin
+ cniConfDir: /etc/cni/multus/net.d
+ chained: false
+ cniConfFileName: "istio-cni.conf"
+ logLevel: info
+ provider: "multus"
+global:
+ platform: openshift
+pilot:
+ cni:
+ enabled: true
+ provider: "multus"
+platform: openshift
diff --git a/resources/v1.23.3/charts/gateway/files/profile-preview.yaml b/resources/v1.23.3/charts/gateway/files/profile-preview.yaml
new file mode 100644
index 000000000..181d7bda2
--- /dev/null
+++ b/resources/v1.23.3/charts/gateway/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # Enable Istio agent to handle DNS requests for known hosts
+ # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+ ISTIO_META_DNS_CAPTURE: "true"
diff --git a/resources/v1.23.3/charts/gateway/files/profile-stable.yaml b/resources/v1.23.3/charts/gateway/files/profile-stable.yaml
new file mode 100644
index 000000000..358282e69
--- /dev/null
+++ b/resources/v1.23.3/charts/gateway/files/profile-stable.yaml
@@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.23.3/charts/gateway/templates/NOTES.txt b/resources/v1.23.3/charts/gateway/templates/NOTES.txt new file mode 100644 index 000000000..fd0142911 --- /dev/null +++ b/resources/v1.23.3/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/resources/v1.23.3/charts/gateway/templates/_helpers.tpl b/resources/v1.23.3/charts/gateway/templates/_helpers.tpl new file mode 100644 index 000000000..917b6359a --- /dev/null +++ b/resources/v1.23.3/charts/gateway/templates/_helpers.tpl 
@@ -0,0 +1,51 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{/* +Create chart name and version as used by the helm.sh/chart label. +*/}} +{{- define "gateway.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{- define "gateway.labels" -}} +helm.sh/chart: {{ include "gateway.chart" . }} +{{ include "gateway.selectorLabels" . }} +app.kubernetes.io/name: {{ include "gateway.name" . }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- range $key, $val := .Values.labels }} +{{- if and (ne $key "app") (ne $key "istio") }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} +istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} +{{- end }} + +{{/* +Keep sidecar injection labels together +https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy +*/}} +{{- define "gateway.sidecarInjectionLabels" -}} +sidecar.istio.io/inject: "true" +{{- with .Values.revision }} +istio.io/rev: {{ . | quote }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/resources/v1.23.3/charts/gateway/templates/deployment.yaml b/resources/v1.23.3/charts/gateway/templates/deployment.yaml new file mode 100644 index 000000000..eecd544cc --- /dev/null 
+++ b/resources/v1.23.3/charts/gateway/templates/deployment.yaml 
@@ -0,0 +1,115 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- with .Values.replicaCount }} + replicas: {{ . }} + {{- end }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . 
}} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq .Values.platform "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{ toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/resources/v1.23.3/charts/gateway/templates/hpa.yaml b/resources/v1.23.3/charts/gateway/templates/hpa.yaml new file mode 100644 index 000000000..1b0f9366b --- /dev/null +++ b/resources/v1.23.3/charts/gateway/templates/hpa.yaml 
@@ -0,0 +1,38 @@ +{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: {{ .Values.kind | default "Deployment" }} + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/resources/v1.23.3/charts/gateway/templates/poddisruptionbudget.yaml b/resources/v1.23.3/charts/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..77f71e7fa --- /dev/null +++ b/resources/v1.23.3/charts/gateway/templates/poddisruptionbudget.yaml @@ -0,0 +1,16 @@ +{{- if .Values.podDisruptionBudget }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4}} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + {{- with .Values.podDisruptionBudget }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} 
diff --git a/resources/v1.23.3/charts/gateway/templates/role.yaml b/resources/v1.23.3/charts/gateway/templates/role.yaml new file mode 100644 index 000000000..c8a25cb72 --- /dev/null +++ b/resources/v1.23.3/charts/gateway/templates/role.yaml @@ -0,0 +1,33 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/resources/v1.23.3/charts/gateway/templates/service.yaml b/resources/v1.23.3/charts/gateway/templates/service.yaml new file mode 100644 index 000000000..9177d2a11 --- /dev/null +++ b/resources/v1.23.3/charts/gateway/templates/service.yaml 
@@ -0,0 +1,64 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} + - {{.}} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/resources/v1.23.3/charts/gateway/templates/serviceaccount.yaml b/resources/v1.23.3/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 000000000..e5b2304d6 --- /dev/null 
+++ b/resources/v1.23.3/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/resources/v1.23.3/charts/gateway/templates/zzz_profile.yaml b/resources/v1.23.3/charts/gateway/templates/zzz_profile.yaml new file mode 100644 index 000000000..2d0bd4af7 --- /dev/null +++ b/resources/v1.23.3/charts/gateway/templates/zzz_profile.yaml 
@@ -0,0 +1,43 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- $globals := $.Values.global | default dict | deepCopy }} +{{- $defaults := $.Values.defaults }} +{{- $_ := unset $.Values "defaults" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults $globals }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.23.3/charts/gateway/values.schema.json b/resources/v1.23.3/charts/gateway/values.schema.json new file mode 100644 index 000000000..4c4f0836d --- /dev/null 
+++ b/resources/v1.23.3/charts/gateway/values.schema.json 
@@ -0,0 +1,301 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "additionalProperties": false, + "$defs": { + "values": { + "type": "object", + "properties": { + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": 
"object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": 
"string" + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/resources/v1.23.3/charts/gateway/values.yaml b/resources/v1.23.3/charts/gateway/values.yaml new file mode 100644 index 000000000..72205b4a1 --- /dev/null +++ b/resources/v1.23.3/charts/gateway/values.yaml 
@@ -0,0 +1,154 @@ +# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. +defaults: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. 
Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Labels to apply to all resources + labels: {} + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. 
For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/resources/v1.23.3/charts/istiod-remote/Chart.yaml b/resources/v1.23.3/charts/istiod-remote/Chart.yaml new file mode 100644 index 000000000..877418f91 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.23.3 +description: Helm chart for a remote cluster using an external istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- external-istiod +name: istiod-remote +sources: +- https://github.com/istio/istio +version: 1.23.3 
diff --git a/resources/v1.23.3/charts/istiod-remote/NOTES.txt b/resources/v1.23.3/charts/istiod-remote/NOTES.txt new file mode 100644 index 000000000..0230b6f86 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/NOTES.txt @@ -0,0 +1,4 @@ +Install for a remote cluster using an external control plane. + +The templates in this directory are copies of base and istio-discovery templates. +DO NOT EDIT! Make changes in the corresponding files in base or istio-discovery and they will be copied here by make gen. diff --git a/resources/v1.23.3/charts/istiod-remote/files/gateway-injection-template.yaml b/resources/v1.23.3/charts/istiod-remote/files/gateway-injection-template.yaml new file mode 100644 index 000000000..97ffb71f2 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/files/gateway-injection-template.yaml 
@@ -0,0 +1,250 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + } +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation 
.ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," 
}}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/resources/v1.23.3/charts/istiod-remote/files/injection-template.yaml b/resources/v1.23.3/charts/istiod-remote/files/injection-template.yaml new file mode 100644 index 000000000..9cfe4b6b5 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/files/injection-template.yaml 
@@ -0,0 +1,545 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index 
.ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} + {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta 
`traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ 
annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ .ProxyUID | default "1337" | quote }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` 
.Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . 
}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsUser: {{ .ProxyUID | default "1337" }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + resources: + {{ template "resources" . 
}} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. 
*/}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: 
ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta 
`sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . 
}} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + {{- if eq .Values.global.pilotCertProvider "kubernetes" }} + - mountPath: /var/run/secrets/istio/kubernetes + name: kube-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if eq .Values.global.pilotCertProvider "kubernetes" }} + - name: kube-ca-cert + configMap: + name: kube-root-ca.crt + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to 
/etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ if eq .Spec.ServiceAccountName "" }}
+ secretName: istio.default
+ {{ else -}}
+ secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
+ {{ end -}}
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+ {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 4 }}
+ {{ end }}
+ {{ end }}
+ {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+ - name: lightstep-certs
+ secret:
+ optional: true
+ secretName: lightstep.cacert
+ {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
diff --git a/resources/v1.23.3/charts/istiod-remote/files/profile-ambient.yaml b/resources/v1.23.3/charts/istiod-remote/files/profile-ambient.yaml
new file mode 100644
index 000000000..22db03309
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/files/profile-ambient.yaml
@@ -0,0 +1,20 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_META_ENABLE_HBONE: "true"
+global:
+ variant: distroless
+pilot:
+ env:
+ PILOT_ENABLE_AMBIENT: "true"
+cni:
+ ambient:
+ enabled: true
+
+# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel
+variant: distroless
diff --git a/resources/v1.23.3/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.3/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 000000000..72fdd5b3c
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,26 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.21 behavioral changes
+ ENABLE_EXTERNAL_NAME_ALIAS: "false"
+ PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+ VERIFY_CERTIFICATE_AT_CLIENT: "false"
+ ENABLE_AUTO_SNI: "false"
+
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.22 behavioral changes
+ ISTIO_DELTA_XDS: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.23.3/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.3/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..d11c242b5
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,23 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.23.3/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.3/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml
new file mode 100644
index 000000000..b091e2b94
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.22 behavioral changes
+ ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
diff --git a/resources/v1.23.3/charts/istiod-remote/files/profile-demo.yaml b/resources/v1.23.3/charts/istiod-remote/files/profile-demo.yaml
new file mode 100644
index 000000000..83b9d6b66
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/files/profile-demo.yaml
@@ -0,0 +1,73 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+ accessLogFile: /dev/stdout
+ extensionProviders:
+ - name: otel
+ envoyOtelAls:
+ service: opentelemetry-collector.observability.svc.cluster.local
+ port: 4317
+ - name: skywalking
+ skywalking:
+ service: tracing.istio-system.svc.cluster.local
+ port: 11800
+ - name: otel-tracing
+ opentelemetry:
+ port: 4317
+ service: opentelemetry-collector.observability.svc.cluster.local
+
+global:
+ proxy:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+pilot:
+ autoscaleEnabled: false
+ traceSampling: 100
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+
+gateways:
+ istio-egressgateway:
+ autoscaleEnabled: false
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ istio-ingressgateway:
+ autoscaleEnabled: false
+ ports:
+ ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+ # Note that AWS ELB will by default perform health checks on the first port
+ # on this list. Setting this to the health check port will ensure that health
+ # checks always work.
https://github.com/istio/istio/issues/12503
+ - port: 15021
+ targetPort: 15021
+ name: status-port
+ - port: 80
+ targetPort: 8080
+ name: http2
+ - port: 443
+ targetPort: 8443
+ name: https
+ - port: 31400
+ targetPort: 31400
+ name: tcp
+ # This is the port where sni routing happens
+ - port: 15443
+ targetPort: 15443
+ name: tls
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
\ No newline at end of file
diff --git a/resources/v1.23.3/charts/istiod-remote/files/profile-openshift-ambient.yaml b/resources/v1.23.3/charts/istiod-remote/files/profile-openshift-ambient.yaml
new file mode 100644
index 000000000..df4532d11
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/files/profile-openshift-ambient.yaml
@@ -0,0 +1,33 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_META_ENABLE_HBONE: "true"
+global:
+ platform: openshift
+cni:
+ ambient:
+ enabled: true
+ cniBinDir: /var/lib/cni/bin
+ cniConfDir: /etc/cni/multus/net.d
+ chained: false
+ cniConfFileName: "istio-cni.conf"
+ logLevel: info
+ provider: "multus"
+pilot:
+ cni:
+ enabled: true
+ provider: "multus"
+ variant: distroless
+ env:
+ PILOT_ENABLE_AMBIENT: "true"
+ # Allow sidecars/ingress to send/receive HBONE. This is required for interop.
+ PILOT_ENABLE_SENDING_HBONE: "true"
+ PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true"
+platform: openshift
+variant: distroless
+seLinuxOptions:
+ type: spc_t
diff --git a/resources/v1.23.3/charts/istiod-remote/files/profile-openshift.yaml b/resources/v1.23.3/charts/istiod-remote/files/profile-openshift.yaml
new file mode 100644
index 000000000..18f61b88f
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/files/profile-openshift.yaml
@@ -0,0 +1,20 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+ cniBinDir: /var/lib/cni/bin
+ cniConfDir: /etc/cni/multus/net.d
+ chained: false
+ cniConfFileName: "istio-cni.conf"
+ logLevel: info
+ provider: "multus"
+global:
+ platform: openshift
+pilot:
+ cni:
+ enabled: true
+ provider: "multus"
+platform: openshift
diff --git a/resources/v1.23.3/charts/istiod-remote/files/profile-preview.yaml b/resources/v1.23.3/charts/istiod-remote/files/profile-preview.yaml
new file mode 100644
index 000000000..181d7bda2
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # Enable Istio agent to handle DNS requests for known hosts
+ # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+ ISTIO_META_DNS_CAPTURE: "true"
diff --git a/resources/v1.23.3/charts/istiod-remote/files/profile-stable.yaml b/resources/v1.23.3/charts/istiod-remote/files/profile-stable.yaml
new file mode 100644
index 000000000..358282e69
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/files/profile-stable.yaml
@@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.23.3/charts/istiod-remote/templates/_helpers.tpl b/resources/v1.23.3/charts/istiod-remote/templates/_helpers.tpl new file mode 100644 index 000000000..47b89a403 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} \ No newline at end of file diff --git a/resources/v1.23.3/charts/istiod-remote/templates/clusterrole.yaml b/resources/v1.23.3/charts/istiod-remote/templates/clusterrole.yaml new file mode 100644 index 000000000..324979f44 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/clusterrole.yaml 
@@ -0,0 +1,163 @@ +{{- if .Values.global.configCluster }} +{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update"] + # TODO: should be on just */status but wildcard is not supported + resources: ["*"] + + # Needed because status reporter sets the config map owner reference to the istiod pod + - apiGroups: [""] + verbs: ["update"] + resources: ["pods/finalizers"] +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + 
+ - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch" ] + resources: [ "serviceentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.pilot.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . 
| quote }} +{{- end }} + verbs: ["approve"] +{{- end}} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] 
+ resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/resources/v1.23.3/charts/istiod-remote/templates/clusterrolebinding.yaml b/resources/v1.23.3/charts/istiod-remote/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..932cdce02 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/clusterrolebinding.yaml @@ -0,0 +1,35 @@ +{{- if .Values.global.configCluster }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/resources/v1.23.3/charts/istiod-remote/templates/configmap.yaml b/resources/v1.23.3/charts/istiod-remote/templates/configmap.yaml new file mode 100644 index 000000000..b7f11e23c --- /dev/null 
+++ b/resources/v1.23.3/charts/istiod-remote/templates/configmap.yaml 
@@ -0,0 +1,112 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." 
.Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} + {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} +{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + {{- if .Values.pilot.enabled }} + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . 
| fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.pilot.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/resources/v1.23.3/charts/istiod-remote/templates/default.yaml b/resources/v1.23.3/charts/istiod-remote/templates/default.yaml new file mode 100644 index 000000000..d1a2bce11 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/default.yaml 
@@ -0,0 +1,56 @@ +{{- if .Values.global.configCluster }} +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} +{{- end }} diff --git a/resources/v1.23.3/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml b/resources/v1.23.3/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml new file mode 100644 index 000000000..4c1f85695 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml 
@@ -0,0 +1,53 @@ +{{- if .Values.global.configCluster }} +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/resources/v1.23.3/charts/istiod-remote/templates/endpoints.yaml b/resources/v1.23.3/charts/istiod-remote/templates/endpoints.yaml new file mode 100644 index 000000000..36575202d --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/endpoints.yaml 
@@ -0,0 +1,23 @@ +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +# if the remotePilotAddress is an IP addr +apiVersion: v1 +kind: Endpoints +metadata: + {{- if .Values.pilot.enabled }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} diff --git a/resources/v1.23.3/charts/istiod-remote/templates/istiod-injector-configmap.yaml b/resources/v1.23.3/charts/istiod-remote/templates/istiod-injector-configmap.yaml new file mode 100644 index 000000000..2d6ed8849 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/istiod-injector-configmap.yaml 
@@ -0,0 +1,80 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ $vals := pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" -}} +{{ $pilotVals := pick .Values.pilot "cni" -}} +{{ $vals = set $vals "pilot" $pilotVals -}} +{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} +{{ $vals = set $vals "gateways" $gatewayVals -}} +{{ $vals | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . 
}} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} 
+{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/resources/v1.23.3/charts/istiod-remote/templates/mutatingwebhook.yaml b/resources/v1.23.3/charts/istiod-remote/templates/mutatingwebhook.yaml new file mode 100644 index 000000000..63d21a296 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/mutatingwebhook.yaml 
@@ -0,0 +1,158 @@ +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: 
"Pilot" + app: sidecar-injector + release: {{ .Release.Name }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" 
(mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/resources/v1.23.3/charts/istiod-remote/templates/reader-clusterrole.yaml b/resources/v1.23.3/charts/istiod-remote/templates/reader-clusterrole.yaml new file mode 100644 index 000000000..68f8105bd --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/reader-clusterrole.yaml 
@@ -0,0 +1,60 @@ +{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.global.externalIstiod }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", 
"watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/resources/v1.23.3/charts/istiod-remote/templates/reader-clusterrolebinding.yaml b/resources/v1.23.3/charts/istiod-remote/templates/reader-clusterrolebinding.yaml new file mode 100644 index 000000000..4f9925c9d --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/resources/v1.23.3/charts/istiod-remote/templates/reader-serviceaccount.yaml b/resources/v1.23.3/charts/istiod-remote/templates/reader-serviceaccount.yaml new file mode 100644 index 000000000..d9ce18c27 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/reader-serviceaccount.yaml @@ -0,0 +1,16 @@ +# This service account aggregates reader permissions for the revisions in a given cluster +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} 
diff --git a/resources/v1.23.3/charts/istiod-remote/templates/role.yaml b/resources/v1.23.3/charts/istiod-remote/templates/role.yaml new file mode 100644 index 000000000..c3af8c075 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.configCluster }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/resources/v1.23.3/charts/istiod-remote/templates/rolebinding.yaml b/resources/v1.23.3/charts/istiod-remote/templates/rolebinding.yaml new file mode 100644 index 000000000..f65b3b122 --- /dev/null +++ b/resources/v1.23.3/charts/istiod-remote/templates/rolebinding.yaml 
@@ -0,0 +1,18 @@
+{{- if .Values.global.configCluster }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod-remote/templates/serviceaccount.yaml b/resources/v1.23.3/charts/istiod-remote/templates/serviceaccount.yaml
new file mode 100644
index 000000000..7fe2e4ad3
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/templates/serviceaccount.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.global.configCluster }}
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ {{- if .Values.pilot.serviceAccountAnnotations }}
+ annotations:
+{{- toYaml .Values.pilot.serviceAccountAnnotations | indent 4 }}
+ {{- end }}
+---
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod-remote/templates/services.yaml b/resources/v1.23.3/charts/istiod-remote/templates/services.yaml
new file mode 100644
index 000000000..fc1fa1a2f
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/templates/services.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Service
+metadata:
+ {{- if .Values.pilot.enabled }}
+ # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
+ name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+ {{- else }}
+ # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane
+ name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+ {{- end }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 15012
+ name: tcp-istiod
+ protocol: TCP
+ - port: 443
+ targetPort: 15017
+ name: tcp-webhook
+ protocol: TCP
+ {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }}
+ # if the remotePilotAddress is not an IP addr, we use ExternalName
+ type: ExternalName
+ externalName: {{ .Values.global.remotePilotAddress }}
+ {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+ ipFamilies:
+{{- range .Values.global.ipFamilies }}
+ - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod-remote/templates/validatingadmissionpolicy.yaml b/resources/v1.23.3/charts/istiod-remote/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000..9cdb5b075
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,59 @@
+{{- if .Values.global.configCluster }}
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ apiVersions: ["*"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["*"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+ variables:
+ - name: isEnvoyFilter
+ expression: "object.kind == 'EnvoyFilter'"
+ - name: isWasmPlugin
+ expression: "object.kind == 'WasmPlugin'"
+ - name: isProxyConfig
+ expression: "object.kind == 'ProxyConfig'"
+ - name: isTelemetry
+ expression: "object.kind == 'Telemetry'"
+ validations:
+ - expression: "!variables.isEnvoyFilter"
+ - expression: "!variables.isWasmPlugin"
+ - expression: "!variables.isProxyConfig"
+ - expression: |
+ !(
+ variables.isTelemetry && (
+ (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+ (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+ (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+ )
+ )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+ policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+ validationActions: [Deny]
+{{- end }}
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml b/resources/v1.23.3/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 000000000..f91ccd1b7
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
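Review bot: For the default revision the policy's `objectSelector` (`istio.io/rev` `In` `["default"]`) only matches objects that actually carry the label, so an EnvoyFilter, WasmPlugin or ProxyConfig created with no `istio.io/rev` label is never evaluated and the stable-channel Deny is bypassed for it, unless some other policy without an object selector covers unlabeled objects (none is visible in this chunk). `matchExpressions` are AND-ed, so a `DoesNotExist` term cannot be added to the same selector; covering unlabeled objects would need a second policy/binding pair rendered only when `.Values.revision` is empty, with `operator: DoesNotExist` in place of the `In` expression. Because this file appears to be a verbatim upstream chart copy, that change belongs upstream; in this repository I would at least record the gap next to the `experimental.stableValidationPolicy` value, e.g. `# NOTE: only resources labeled istio.io/rev are checked by this policy; unlabeled resources are not denied.`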
@@ -0,0 +1,65 @@
+{{- if .Values.global.configCluster }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio: istiod
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+webhooks:
+ # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+ # are rejecting invalid configs on a per-revision basis.
+ - name: rev.validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ {{- if .Values.base.validationCABundle }}
+ caBundle: "{{ .Values.base.validationCABundle }}"
+ {{- end }}
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ {{- if .Values.base.validationCABundle }}
+ # Disable webhook controller in Pilot to stop patching it
+ failurePolicy: Fail
+ {{- else }}
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready.
+ failurePolicy: Ignore
+ {{- end }}
+ sideEffects: None
+ admissionReviewVersions: ["v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+---
+{{- end }}
+{{- end }}
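Review bot: With `base.validationCABundle` unset the webhook is registered with no `caBundle` and `failurePolicy: Ignore`, and it stays that way until the external istiod's webhook controller patches it (the reason the clusterrole grants `update` on validatingwebhookconfigurations); during that window, and indefinitely if the remote control plane never reaches this cluster, invalid Istio configuration is admitted with no signal from the API server. For a config cluster driven by an operator that already knows the external istiod's CA, rendering the hook closed by supplying `base.validationCABundle` takes the `failurePolicy: Fail` branch from the first reconcile. Since this file appears to be a verbatim upstream chart copy, I would not patch the template but document the fail-open window in the operator's RemoteIstio guidance, e.g. `Set base.validationCABundle when the remote CA is known so config validation fails closed instead of staying Ignore until istiod patches the webhook.`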
diff --git a/resources/v1.23.3/charts/istiod-remote/templates/zzz_profile.yaml b/resources/v1.23.3/charts/istiod-remote/templates/zzz_profile.yaml
new file mode 100644
index 000000000..2d0bd4af7
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod-remote/templates/zzz_profile.yaml
@@ -0,0 +1,43 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- $globals := $.Values.global | default dict | deepCopy }} +{{- $defaults := $.Values.defaults }} +{{- $_ := unset $.Values "defaults" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults $globals }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.23.3/charts/istiod-remote/values.yaml b/resources/v1.23.3/charts/istiod-remote/values.yaml new file mode 100644 index 000000000..7a8b26408 --- /dev/null 
+++ b/resources/v1.23.3/charts/istiod-remote/values.yaml 
@@ -0,0 +1,444 @@ +# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. +defaults: + #.Values.pilot for discovery and mesh wide config + + ## Discovery Settings + pilot: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + hub: "" + tag: "" + variant: "" + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + # Additional container arguments + extraContainerArgs: [] + env: {} + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. 
This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + affinity: {} + tolerations: [] + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + # Additional volumes to the istiod pod + volumes: [] + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + topologySpreadConstraints: [] + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + # Additional labels to apply to the deployment. + deploymentLabels: {} + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: false + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. 
+ # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + rewriteAppHTTPProbe: true + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. 
+ # This is intended for advanced configuration only; most users should use the built in template + templates: {} + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + injectionCABundle: "" + telemetry: + enabled: false + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + # For Helm compatibility. 
+ ownerName: "" + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + experimental: + stableValidationPolicy: false + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + # Default tag for Istio images. + tag: 1.23.3 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. 
grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + omitSidecarInjectorConfigMap: true + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. 
+ #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + proxy: + image: proxyv2 + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + # Specify the path to the outlier event log. 
+ # Example: /dev/stdout + outlierLogPath: "" + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + # The period between readiness probes. + readinessPeriodSeconds: 15 + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + ############################################################################################## + # The following values are found in other charts. 
To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + # Configure a remote cluster data plane controlled by an external istiod. + # When set to true, istiod is not deployed locally and only a subset of the other + # discovery charts are enabled. + externalIstiod: true + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. 
The best practice is to select a proper Trust Domain + # value. + meshID: "" + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. 
+ network: "" + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + # whether to use autoscaling/v2 template for HPA settings + # for internal usage only, not to be configured by users. + autoscalingv2API: true + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + # `istio_cni` has been deprecated and will be removed in a future release. use `pilot.cni` instead + istio_cni: + # `chained` has been deprecated and will be removed in a future release. use `provider` instead + chained: true + provider: default + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} 
diff --git a/resources/v1.23.3/charts/istiod/Chart.yaml b/resources/v1.23.3/charts/istiod/Chart.yaml
new file mode 100644
index 000000000..287fe5812
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.23.3
+description: Helm chart for istio control plane
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- istiod
+- istio-discovery
+name: istiod
+sources:
+- https://github.com/istio/istio
+version: 1.23.3
diff --git a/resources/v1.23.3/charts/istiod/README.md b/resources/v1.23.3/charts/istiod/README.md
new file mode 100644
index 000000000..ddbfbc8fe
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/README.md
@@ -0,0 +1,73 @@ +# Istiod Helm Chart + +This chart installs an Istiod deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). + +To install the chart with the release name `istiod`: + +```console +kubectl create namespace istio-system +helm install istiod istio/istiod --namespace istio-system +``` + +## Uninstalling the Chart + +To uninstall/delete the `istiod` deployment: + +```console +helm delete istiod --namespace istio-system +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istiod +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. 
+ +### Examples + +#### Configuring mesh configuration settings + +Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: + +```yaml +meshConfig: + accessLogFile: /dev/stdout +``` + +#### Revisions + +Control plane revisions allow deploying multiple versions of the control plane in the same cluster. +This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) + +```yaml +revision: my-revision-name +``` diff --git a/resources/v1.23.3/charts/istiod/files/gateway-injection-template.yaml b/resources/v1.23.3/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 000000000..97ffb71f2 --- /dev/null +++ b/resources/v1.23.3/charts/istiod/files/gateway-injection-template.yaml 
@@ -0,0 +1,250 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + } +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation 
.ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," 
}}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/resources/v1.23.3/charts/istiod/files/grpc-agent.yaml b/resources/v1.23.3/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 000000000..7290fcdca --- /dev/null +++ b/resources/v1.23.3/charts/istiod/files/grpc-agent.yaml 
@@ -0,0 +1,310 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. 
*/}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if 
.Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + 
{{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . 
}} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: 
/var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} 
diff --git a/resources/v1.23.3/charts/istiod/files/grpc-simple.yaml b/resources/v1.23.3/charts/istiod/files/grpc-simple.yaml new file mode 100644 index 000000000..9ba0c7a46 --- /dev/null +++ b/resources/v1.23.3/charts/istiod/files/grpc-simple.yaml @@ -0,0 +1,65 @@ +metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" +spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} diff --git a/resources/v1.23.3/charts/istiod/files/injection-template.yaml b/resources/v1.23.3/charts/istiod/files/injection-template.yaml new file mode 100644 index 000000000..9cfe4b6b5 --- /dev/null +++ b/resources/v1.23.3/charts/istiod/files/injection-template.yaml 
@@ -0,0 +1,545 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index 
.ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} + {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta 
`traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ 
annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ .ProxyUID | default "1337" | quote }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` 
.Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . 
}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsUser: {{ .ProxyUID | default "1337" }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + resources: + {{ template "resources" . 
}} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. 
*/}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: 
ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta 
`sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . 
}} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + {{- if eq .Values.global.pilotCertProvider "kubernetes" }} + - mountPath: /var/run/secrets/istio/kubernetes + name: kube-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if eq .Values.global.pilotCertProvider "kubernetes" }} + - name: kube-ca-cert + configMap: + name: kube-root-ca.crt + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to 
/etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/resources/v1.23.3/charts/istiod/files/kube-gateway.yaml b/resources/v1.23.3/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 000000000..976568854 --- /dev/null +++ b/resources/v1.23.3/charts/istiod/files/kube-gateway.yaml 
@@ -0,0 +1,346 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "istio.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "istio.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + 
"sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "istio.io/gateway-name" .Name + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | 
quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: 
{{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - 
mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "istio.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- diff --git a/resources/v1.23.3/charts/istiod/files/profile-ambient.yaml b/resources/v1.23.3/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 000000000..22db03309 --- /dev/null +++ b/resources/v1.23.3/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,20 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true + +# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel +variant: distroless 
diff --git a/resources/v1.23.3/charts/istiod/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.3/charts/istiod/files/profile-compatibility-version-1.20.yaml new file mode 100644 index 000000000..72fdd5b3c --- /dev/null +++ b/resources/v1.23.3/charts/istiod/files/profile-compatibility-version-1.20.yaml @@ -0,0 +1,26 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.21 behavioral changes + ENABLE_EXTERNAL_NAME_ALIAS: "false" + PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" + VERIFY_CERTIFICATE_AT_CLIENT: "false" + ENABLE_AUTO_SNI: "false" + + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.22 behavioral changes + ISTIO_DELTA_XDS: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.23.3/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.3/charts/istiod/files/profile-compatibility-version-1.21.yaml new file mode 100644 index 000000000..d11c242b5 --- /dev/null +++ b/resources/v1.23.3/charts/istiod/files/profile-compatibility-version-1.21.yaml 
@@ -0,0 +1,23 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.23.3/charts/istiod/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.3/charts/istiod/files/profile-compatibility-version-1.22.yaml new file mode 100644 index 000000000..b091e2b94 --- /dev/null +++ b/resources/v1.23.3/charts/istiod/files/profile-compatibility-version-1.22.yaml @@ -0,0 +1,16 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.22 behavioral changes + ENABLE_DEFERRED_CLUSTER_CREATION: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/v1.23.3/charts/istiod/files/profile-demo.yaml b/resources/v1.23.3/charts/istiod/files/profile-demo.yaml new file mode 100644 index 000000000..83b9d6b66 --- /dev/null +++ b/resources/v1.23.3/charts/istiod/files/profile-demo.yaml 
@@ -0,0 +1,73 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/resources/v1.23.3/charts/istiod/files/profile-openshift-ambient.yaml b/resources/v1.23.3/charts/istiod/files/profile-openshift-ambient.yaml new file mode 100644 index 000000000..df4532d11 --- /dev/null +++ b/resources/v1.23.3/charts/istiod/files/profile-openshift-ambient.yaml @@ -0,0 +1,33 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + platform: openshift +cni: + ambient: + enabled: true + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" + variant: distroless + env: + PILOT_ENABLE_AMBIENT: "true" + # Allow sidecars/ingress to send/receive HBONE. This is required for interop. + PILOT_ENABLE_SENDING_HBONE: "true" + PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" +platform: openshift +variant: distroless +seLinuxOptions: + type: spc_t diff --git a/resources/v1.23.3/charts/istiod/files/profile-openshift.yaml b/resources/v1.23.3/charts/istiod/files/profile-openshift.yaml new file mode 100644 index 000000000..18f61b88f --- /dev/null +++ b/resources/v1.23.3/charts/istiod/files/profile-openshift.yaml 
@@ -0,0 +1,20 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+ cniBinDir: /var/lib/cni/bin
+ cniConfDir: /etc/cni/multus/net.d
+ chained: false
+ cniConfFileName: "istio-cni.conf"
+ logLevel: info
+ provider: "multus"
+global:
+ platform: openshift
+pilot:
+ cni:
+ enabled: true
+ provider: "multus"
+platform: openshift
diff --git a/resources/v1.23.3/charts/istiod/files/profile-preview.yaml b/resources/v1.23.3/charts/istiod/files/profile-preview.yaml
new file mode 100644
index 000000000..181d7bda2
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # Enable Istio agent to handle DNS requests for known hosts
+ # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+ ISTIO_META_DNS_CAPTURE: "true"
diff --git a/resources/v1.23.3/charts/istiod/files/profile-stable.yaml b/resources/v1.23.3/charts/istiod/files/profile-stable.yaml
new file mode 100644
index 000000000..358282e69
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+ stableValidationPolicy: true
diff --git a/resources/v1.23.3/charts/istiod/files/waypoint.yaml b/resources/v1.23.3/charts/istiod/files/waypoint.yaml
new file mode 100644
index 000000000..799896b2f
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/files/waypoint.yaml
@@ -0,0 +1,312 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{.ServiceAccount | quote}}
+ namespace: {{.Namespace | quote}}
+ annotations:
+ {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+ labels:
+ {{- toJsonMap
+ .InfrastructureLabels
+ (strdict
+ "gateway.networking.k8s.io/gateway-name" .Name
+ "istio.io/gateway-name" .Name
+ ) | nindent 4 }}
+ {{- if ge .KubeVersion 128 }}
+ # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+ ownerReferences:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ name: "{{.Name}}"
+ uid: "{{.UID}}"
+ {{- end }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{.DeploymentName | quote}}
+ namespace: {{.Namespace | quote}}
+ annotations:
+ {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+ labels:
+ {{- toJsonMap
+ .InfrastructureLabels
+ (strdict
+ "gateway.networking.k8s.io/gateway-name" .Name
+ "istio.io/gateway-name" .Name
+ "gateway.istio.io/managed" "istio.io-mesh-controller"
+ ) | nindent 4 }}
+ ownerReferences:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ name: "{{.Name}}"
+ uid: "{{.UID}}"
+spec:
+ selector:
+ matchLabels:
+ "{{.GatewayNameLabel}}": "{{.Name}}"
+ template:
+ metadata:
+ annotations:
+ {{- toJsonMap
+ (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+ (strdict "istio.io/rev" (.Revision | default "default"))
+ (strdict
+ "prometheus.io/path" "/stats/prometheus"
+ "prometheus.io/port" "15020"
+ "prometheus.io/scrape" "true"
+ ) | nindent 8 }}
+ labels:
+ {{- toJsonMap
+ (strdict
+ "sidecar.istio.io/inject" "false"
+ "istio.io/dataplane-mode" "none"
+ "service.istio.io/canonical-name" .DeploymentName
+ "service.istio.io/canonical-revision" "latest"
+ )
+ .InfrastructureLabels
+ (strdict
+ "gateway.networking.k8s.io/gateway-name" .Name
+ "istio.io/gateway-name" .Name
+ "gateway.istio.io/managed" "istio.io-mesh-controller"
+ ) | nindent 8}}
+ spec:
+ terminationGracePeriodSeconds: 2
+ serviceAccountName: {{.ServiceAccount | quote}}
+ containers:
+ - name: istio-proxy
+ ports:
+ - containerPort: 15021
+ name: status-port
+ protocol: TCP
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .ProxyImage }}"
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ args:
+ - proxy
+ - waypoint
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --serviceCluster
+ - {{.ServiceAccount}}.$(POD_NAMESPACE)
+ - --proxyLogLevel
+ - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+ - --proxyComponentLogLevel
+ - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+ - --log_output_level
+ - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ env:
+ - name: ISTIO_META_SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ISTIO_META_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: ISTIO_CPU_LIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ {{- if .ProxyConfig.ProxyMetadata }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{- end }}
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ - name: GOMAXPROCS
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+ {{- if $network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ $network }}"
+ {{- end }}
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: REDIRECT
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: {{.DeploymentName}}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ resources:
+ limits:
+ cpu: "2"
+ memory: 1Gi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ startupProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 1
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 4
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ scheme: HTTP
+ initialDelaySeconds: 0
+ periodSeconds: 15
+ successThreshold: 1
+ timeoutSeconds: 1
+ securityContext:
+ privileged: false
+ runAsGroup: 1337
+ runAsUser: 1337
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+{{- if .Values.gateways.seccompProfile }}
+ seccompProfile:
+{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+{{- end }}
+ volumeMounts:
+ - name: workload-socket
+ mountPath: /var/run/secrets/workload-spiffe-uds
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ - mountPath: /etc/istio/pod
+ name: istio-podinfo
+ volumes:
+ - emptyDir: {}
+ name: workload-socket
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - emptyDir:
+ medium: Memory
+ name: go-proxy-envoy
+ - emptyDir: {}
+ name: istio-data
+ - emptyDir: {}
+ name: go-proxy-data
+ - downwardAPI:
+ items:
+ - fieldRef:
+ fieldPath: metadata.labels
+ path: labels
+ - fieldRef:
+ fieldPath: metadata.annotations
+ path: annotations
+ name: istio-podinfo
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: istio-ca
+ expirationSeconds: 43200
+ path: istio-token
+ - configMap:
+ name: istio-ca-root-cert
+ name: istiod-ca-cert
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+ labels:
+ {{- toJsonMap
+ .InfrastructureLabels
+ (strdict
+ "gateway.networking.k8s.io/gateway-name" .Name
+ "istio.io/gateway-name" .Name
+ ) | nindent 4 }}
+ name: {{.DeploymentName | quote}}
+ namespace: {{.Namespace | quote}}
+ ownerReferences:
+ - apiVersion: gateway.networking.k8s.io/v1beta1
+ kind: Gateway
+ name: "{{.Name}}"
+ uid: "{{.UID}}"
+spec:
+ ipFamilyPolicy: PreferDualStack
+ ports:
+ {{- range $key, $val := .Ports }}
+ - name: {{ $val.Name | quote }}
+ port: {{ $val.Port }}
+ protocol: TCP
+ appProtocol: {{ $val.AppProtocol }}
+ {{- end }}
+ selector:
+ "{{.GatewayNameLabel}}": "{{.Name}}"
+ {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+ loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+ {{- end }}
+ type: {{ .ServiceType | quote }}
+---
diff --git a/resources/v1.23.3/charts/istiod/templates/NOTES.txt b/resources/v1.23.3/charts/istiod/templates/NOTES.txt
new file mode 100644
index 000000000..2cee67587
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/NOTES.txt
@@ -0,0 +1,79 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+ $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+ $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+Next steps:
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
+ * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
+ * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
+{{- else }}
+ * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+ * Try out our tasks to get started on common configurations:
+ * https://istio.io/latest/docs/tasks/traffic-management
+ * https://istio.io/latest/docs/tasks/security/
+ * https://istio.io/latest/docs/tasks/policy-enforcement/
+{{- end }}
+ * Review the list of actively supported releases, CVE publications and our hardening guide:
+ * https://istio.io/latest/docs/releases/supported-releases/
+ * https://istio.io/latest/news/security/
+ * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+ $deps := dict
+ "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+ "global.certificates" "meshConfig.certificates"
+ "global.localityLbSetting" "meshConfig.localityLbSetting"
+ "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+ "global.enableTracing" "meshConfig.enableTracing"
+ "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+ "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+ "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+ "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+ "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+ "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+ "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+ "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+ "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+ "global.mtls.enabled" "the PeerAuthentication resource"
+ "global.mtls.auto" "meshConfig.enableAutoMtls"
+ "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+ "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+ "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+ "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+ "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+ "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+ "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+ "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+ "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+ "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+ "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers"
+ "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers"
+ "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers"
+ "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+ $failDeps := dict
+ "telemetry.v2.prometheus.configOverride"
+ "telemetry.v2.stackdriver.configOverride"
+ "telemetry.v2.stackdriver.disableOutbound"
+ "telemetry.v2.stackdriver.outboundAccessLogging"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod/templates/_helpers.tpl b/resources/v1.23.3/charts/istiod/templates/_helpers.tpl
new file mode 100644
index 000000000..47b89a403
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+ (not .Values.meshConfig.defaultProviders)
+ .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+ (not .Values.meshConfig.defaultProviders)
+ .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+ (not .Values.meshConfig.defaultProviders)
+ .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
\ No newline at end of file
diff --git a/resources/v1.23.3/charts/istiod/templates/autoscale.yaml b/resources/v1.23.3/charts/istiod/templates/autoscale.yaml
new file mode 100644
index 000000000..91311d08d
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/autoscale.yaml
@@ -0,0 +1,39 @@
+{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+spec:
+ maxReplicas: {{ .Values.pilot.autoscaleMax }}
+ minReplicas: {{ .Values.pilot.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
+ {{- if .Values.pilot.memory.targetAverageUtilization }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.pilot.memory.targetAverageUtilization }}
+ {{- end }}
+ {{- if .Values.pilot.autoscaleBehavior }}
+ behavior: {{ toYaml .Values.pilot.autoscaleBehavior | nindent 4 }}
+ {{- end }}
+---
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod/templates/clusterrole.yaml b/resources/v1.23.3/charts/istiod/templates/clusterrole.yaml
new file mode 100644
index 000000000..013a7c18e
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/clusterrole.yaml
@@ -0,0 +1,161 @@
+{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+ # sidecar injection controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+
+ # configuration validation webhook controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+
+ # istio configuration
+ # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+ # please proceed with caution
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+ verbs: ["get", "watch", "list"]
+ resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+ verbs: ["update"]
+ # TODO: should be on just */status but wildcard is not supported
+ resources: ["*"]
+
+ # Needed because status reporter sets the config map owner reference to the istiod pod
+ - apiGroups: [""]
+ verbs: ["update"]
+ resources: ["pods/finalizers"]
+{{- end }}
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries/status" ]
+
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch" ]
+ resources: [ "serviceentries/status" ]
+
+ # auto-detect installed CRD definitions
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+
+ # discovery and routing
+ - apiGroups: [""]
+ resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+
+{{- if .Values.pilot.taint.enabled }}
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["patch"]
+{{- end }}
+
+ # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+{{- end}}
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses", "ingressclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+
+ # required for CA's namespace controller
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+
+ # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "certificatesigningrequests"
+ - "certificatesigningrequests/approval"
+ - "certificatesigningrequests/status"
+ verbs: ["update", "create", "get", "delete", "watch"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "signers"
+ resourceNames:
+{{- range .Values.global.certSigners }}
+ - {{ . | quote }}
+{{- end }}
+ verbs: ["approve"]
+{{- end}}
+
+ # Used by Istiod to verify the JWT tokens
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+ # Used by Istiod to verify gateway SDS
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+
+ # Use for Kubernetes Service APIs
+ - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+ resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+ verbs: ["update", "patch"]
+ - apiGroups: ["gateway.networking.k8s.io"]
+ resources: ["gatewayclasses"]
+ verbs: ["create", "update", "patch", "delete"]
+
+ # Needed for multicluster secret reading, possibly ingress certs in the future
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+ # Used for MCS serviceexport management
+ - apiGroups: ["{{ $mcsAPIGroup }}"]
+ resources: ["serviceexports"]
+ verbs: [ "get", "watch", "list", "create", "delete"]
+
+ # Used for MCS serviceimport management
+ - apiGroups: ["{{ $mcsAPIGroup }}"]
+ resources: ["serviceimports"]
+ verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups: ["apps"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "deployments" ]
+ - apiGroups: [""]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "services" ]
+ - apiGroups: [""]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "serviceaccounts"]
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod/templates/clusterrolebinding.yaml b/resources/v1.23.3/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..f6e425210
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
\ No newline at end of file
diff --git a/resources/v1.23.3/charts/istiod/templates/configmap-jwks.yaml b/resources/v1.23.3/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 000000000..b4c49dfa7
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.pilot.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+data:
+ extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod/templates/configmap.yaml b/resources/v1.23.3/charts/istiod/templates/configmap.yaml
new file mode 100644
index 000000000..b7f11e23c
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,112 @@
+{{- define "mesh" }}
+ # The trust domain corresponds to the trust root of a system.
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+ trustDomain: "cluster.local"
+
+ # The namespace to treat as the administrative root namespace for Istio configuration.
+ # When processing a leaf namespace Istio will search for declarations in that namespace first
+ # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+ # is processed as if it were declared in the leaf namespace.
+ rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+ {{ $prom := include "default-prometheus" . | eq "true" }}
+ {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+ {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+ {{- if or $prom $sdMetrics $sdLogs }}
+ defaultProviders:
+ {{- if or $prom $sdMetrics }}
+ metrics:
+ {{ if $prom }}- prometheus{{ end }}
+ {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+ {{- end }}
+ {{- if and $sdMetrics $sdLogs }}
+ accessLogging:
+ - stackdriver
+ {{- end }}
+ {{- end }}
+
+ defaultConfig:
+ {{- if .Values.global.meshID }}
+ meshId: "{{ .Values.global.meshID }}"
+ {{- end }}
+ {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+ image:
+ imageType: {{. | quote}}
+ {{- end }}
+ {{- if not (eq .Values.global.proxy.tracer "none") }}
+ tracing:
+ {{- if eq .Values.global.proxy.tracer "lightstep" }}
+ lightstep:
+ # Address of the LightStep Satellite pool
+ address: {{ .Values.global.tracer.lightstep.address }}
+ # Access Token used to communicate with the Satellite pool
+ accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+ {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+ zipkin:
+ # Address of the Zipkin collector
+ address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+ {{- else if eq .Values.global.proxy.tracer "datadog" }}
+ datadog:
+ # Address of the Datadog Agent
+ address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+ {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+ stackdriver:
+ # enables trace output to stdout.
+ debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+ # The global default max number of attributes per span.
+ maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+ # The global default max number of annotation events per span.
+ maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+ # The global default max number of message events per span.
+ maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+ {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
+ {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
+{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.global.remotePilotAddress }}
+ {{- if .Values.pilot.enabled }}
+ discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+ {{- else }}
+ discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+ {{- end }}
+ {{- else }}
+ discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+ {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if .Values.pilot.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+data:
+
+ # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+ meshNetworks: |-
+ {{- if .Values.global.meshNetworks }}
+ networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+ {{- else }}
+ networks: {}
+ {{- end }}
+
+ mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod/templates/deployment.yaml b/resources/v1.23.3/charts/istiod/templates/deployment.yaml
new file mode 100644
index 000000000..940c49a8e
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,271 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ istio: pilot
+ release: {{ .Release.Name }}
+{{- range $key, $val := .Values.pilot.deploymentLabels }}
+ {{ $key }}: "{{ $val }}"
+{{- end }}
+spec:
+{{- if not .Values.pilot.autoscaleEnabled }}
+{{- if .Values.pilot.replicaCount }}
+ replicas: {{ .Values.pilot.replicaCount }}
+{{- end }}
+{{- end }}
+ strategy:
+ rollingUpdate:
+ maxSurge: {{ .Values.pilot.rollingMaxSurge }}
+ maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
+ selector:
+ matchLabels:
+ {{- if ne .Values.revision "" }}
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ {{- else }}
+ istio: pilot
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ sidecar.istio.io/inject: "false"
+ operator.istio.io/component: "Pilot"
+ {{- if ne .Values.revision "" }}
+ istio: istiod
+ {{- else }}
+ istio: pilot
+ {{- end }}
+ {{- range $key, $val := .Values.pilot.podLabels }}
+ {{ $key }}: "{{ $val }}"
+ {{- end }}
+ istio.io/dataplane-mode: none
+ annotations:
+ prometheus.io/port: "15014"
+ prometheus.io/scrape: "true"
+ sidecar.istio.io/inject: "false"
+ {{- if .Values.pilot.podAnnotations }}
+{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
+ {{- end }}
+ spec:
+{{- if .Values.pilot.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.pilot.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.pilot.affinity }}
+ affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+ tolerations:
+ - key: cni.istio.io/not-ready
+ operator: "Exists"
+{{- with .Values.pilot.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.pilot.topologySpreadConstraints }}
+ topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+ serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: discovery
+{{- if contains "/" .Values.pilot.image }}
+ image: "{{ .Values.pilot.image }}"
+{{- else }}
+ image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}{{with (.Values.pilot.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+ args:
+ - "discovery"
+ - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+ - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+ - --log_as_json
+{{- end }}
+ - --domain
+ - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.pilot.taint.namespace }}
+ - --cniNamespace={{ .Values.pilot.taint.namespace }}
+{{- end }}
+ - --keepaliveMaxServerConnectionAge
+ - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.pilot.extraContainerArgs }}
+ {{- with .Values.pilot.extraContainerArgs }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+{{- end }}
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 15010
+ protocol: TCP
+ - containerPort: 15017
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 1
+ periodSeconds: 3
+ timeoutSeconds: 5
+ env:
+ - name: REVISION
+ value: "{{ .Values.revision | default `default` }}"
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.serviceAccountName
+ - name: KUBECONFIG
+ value: /var/run/secrets/remote/config
+ # If you explicitly told us where ztunnel lives, use that.
+ # Otherwise, assume it lives in our namespace
+ # Also, check for an explicit ENV override (legacy approach) and prefer that
+ # if present
+ {{ $ztTrustedNS := or .Values.pilot.trustedZtunnelNamespace .Release.Namespace }}
+ {{- if not .Values.pilot.env.CA_TRUSTED_NODE_ACCOUNTS }}
+ - name: CA_TRUSTED_NODE_ACCOUNTS
+ value: "{{ $ztTrustedNS }}/ztunnel"
+ {{- end }}
+ {{- if .Values.pilot.env }}
+ {{- range $key, $val := .Values.pilot.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+{{- if .Values.pilot.traceSampling }}
+ - name: PILOT_TRACE_SAMPLING
+ value: "{{ .Values.pilot.traceSampling }}"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.pilot.env .Values.pilot.env.EXTERNAL_ISTIOD)) }}
+ - name: EXTERNAL_ISTIOD
+ value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+ - name: PILOT_ENABLE_ANALYSIS
+ value: "{{ .Values.global.istiod.enableAnalysis }}"
+ - name: CLUSTER_ID
+ value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ - name: GOMAXPROCS
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ - name: PLATFORM
+ value: "{{ .Values.global.platform }}"
+ resources:
+{{- if .Values.pilot.resources }}
+{{ toYaml .Values.pilot.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+{{- if .Values.pilot.seccompProfile }}
+ seccompProfile:
+{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }}
+{{- end }}
+ volumeMounts:
+ - name: istio-token
+ mountPath: /var/run/secrets/tokens
+ readOnly: true
+ - name: local-certs
+ mountPath: /var/run/secrets/istio-dns
+ - name: cacerts
+ mountPath: /etc/cacerts
+ readOnly: true
+ - name: istio-kubeconfig
+ mountPath: /var/run/secrets/remote
+ readOnly: true
+ {{- if .Values.pilot.jwksResolverExtraRootCA }}
+ - name: extracacerts
+ mountPath: /cacerts
+ {{- end }}
+ - name: istio-csr-dns-cert
+ mountPath: /var/run/secrets/istiod/tls
+ readOnly: true
+ - name: istio-csr-ca-configmap
+ mountPath: /var/run/secrets/istiod/ca
+ readOnly: true
+ {{- with .Values.pilot.volumeMounts }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ volumes:
+ # Technically not needed on this pod - but it helps debugging/testing SDS
+ # Should be removed after everything works.
+ - emptyDir:
+ medium: Memory
+ name: local-certs
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: {{ .Values.global.sds.token.aud }}
+ expirationSeconds: 43200
+ path: istio-token
+ # Optional: user-generated root
+ - name: cacerts
+ secret:
+ secretName: cacerts
+ optional: true
+ - name: istio-kubeconfig
+ secret:
+ secretName: istio-kubeconfig
+ optional: true
+ # Optional: istio-csr dns pilot certs
+ - name: istio-csr-dns-cert
+ secret:
+ secretName: istiod-tls
+ optional: true
+ - name: istio-csr-ca-configmap
+ configMap:
+ name: istio-ca-root-cert
+ defaultMode: 420
+ optional: true
+ {{- if .Values.pilot.jwksResolverExtraRootCA }}
+ - name: extracacerts
+ configMap:
+ name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- end }}
+ {{- with .Values.pilot.volumes }}
+ {{- toYaml . | nindent 6}}
+ {{- end }}
+
+---
diff --git a/resources/v1.23.3/charts/istiod/templates/istiod-injector-configmap.yaml b/resources/v1.23.3/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 000000000..2d6ed8849
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,80 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+ values: |-
+{{ $vals := pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values.pilot "cni" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+ # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+ # and istiod webhook functionality.
+ #
+ # New fields should not use Values - it is a 'primary' config object, users should be able
+ # to fine tune it or use it with kube-inject.
+ config: |-
+ # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+ {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+ defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+ - {{ . }}
+{{- end }}
+ {{- else }}
+ defaultTemplates: [sidecar]
+ {{- end }}
+ policy: {{ .Values.global.proxy.autoInject }}
+ alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+ neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+ injectedAnnotations:
+ {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+ "{{ $key }}": {{ $val | quote }}
+ {{- end }}
+ {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+ which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+ This should make it obvious that their installation is broken.
+ */}}
+ template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+ templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+ sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+ gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+ grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+ grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+ waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+ kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod/templates/mutatingwebhook.yaml b/resources/v1.23.3/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 000000000..63d21a296
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,158 @@
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+ "revision" .Values.revision
+ "injectionPath" .Values.istiodRemote.injectionPath
+ "injectionURL" .Values.istiodRemote.injectionURL
+ "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+ "caBundle" .Values.istiodRemote.injectionCABundle
+ "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+ clientConfig:
+ {{- if .injectionURL }}
+ url: "{{ .injectionURL }}"
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+ namespace: {{ .namespace }}
+ path: "{{ .injectionPath }}"
+ port: 443
+ {{- end }}
+ {{- if .caBundle }}
+ caBundle: "{{ .caBundle }}"
+ {{- end }}
+ sideEffects: None
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ reinvocationPolicy: "{{ .reinvocationPolicy }}"
+ admissionReviewVersions: ["v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: sidecar-injector
+ release: {{ .Release.Name }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: In
+ values:
+ - enabled
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: In
+ values:
+ - "true"
+ - key: istio.io/rev
+ operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: "kubernetes.io/metadata.name"
+ operator: "NotIn"
+ values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod/templates/poddisruptionbudget.yaml b/resources/v1.23.3/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..ce61de5a9
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+ istio: pilot
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: istiod
+ {{- if ne .Values.revision "" }}
+ istio.io/rev: {{ .Values.revision | quote }}
+ {{- else }}
+ istio: pilot
+ {{- end }}
+---
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod/templates/reader-clusterrole.yaml b/resources/v1.23.3/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 000000000..68f8105bd
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,60 @@
+{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups:
+ - "config.istio.io"
+ - "security.istio.io"
+ - "networking.istio.io"
+ - "authentication.istio.io"
+ - "rbac.istio.io"
+ - "telemetry.istio.io"
+ - "extensions.istio.io"
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+ resources: ["gateways"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["{{ $mcsAPIGroup }}"]
+ resources: ["serviceexports"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: ["{{ $mcsAPIGroup }}"]
+ resources: ["serviceimports"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+{{- if .Values.global.externalIstiod }}
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+{{- end}}
diff --git a/resources/v1.23.3/charts/istiod/templates/reader-clusterrolebinding.yaml b/resources/v1.23.3/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 000000000..4f9925c9d
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/resources/v1.23.3/charts/istiod/templates/revision-tags.yaml b/resources/v1.23.3/charts/istiod/templates/revision-tags.yaml
new file mode 100644
index 000000000..be80804bc
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/revision-tags.yaml
@@ -0,0 +1,141 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+{{- $whv := dict
+ "revision" .Values.revision
+ "injectionPath" .Values.istiodRemote.injectionPath
+ "injectionURL" .Values.istiodRemote.injectionURL
+ "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+ "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+ clientConfig:
+ {{- if .injectionURL }}
+ url: "{{ .injectionURL }}"
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+ namespace: {{ .namespace }}
+ path: "{{ .injectionPath }}"
+ port: 443
+ {{- end }}
+ sideEffects: None
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ admissionReviewVersions: ["v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+ name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+ name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+ labels:
+ istio.io/tag: {{ $tagName }}
+ istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: sidecar-injector
+ release: {{ $.Release.Name }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ - "{{ $tagName }}"
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+ - key: istio.io/rev
+ operator: In
+ values:
+ - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: In
+ values:
+ - enabled
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: In
+ values:
+ - "true"
+ - key: istio.io/rev
+ operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: "kubernetes.io/metadata.name"
+ operator: "NotIn"
+ values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod/templates/role.yaml b/resources/v1.23.3/charts/istiod/templates/role.yaml
new file mode 100644
index 000000000..195bdde40
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/role.yaml
@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+ verbs: ["create"]
+ resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+ resources: ["secrets"]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "update", "patch", "create"]
diff --git a/resources/v1.23.3/charts/istiod/templates/rolebinding.yaml b/resources/v1.23.3/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 000000000..0d700f008
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/resources/v1.23.3/charts/istiod/templates/service.yaml b/resources/v1.23.3/charts/istiod/templates/service.yaml
new file mode 100644
index 000000000..208e83561
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/service.yaml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ {{- if .Values.pilot.serviceAnnotations }}
+ annotations:
+{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: istiod
+ istio: pilot
+ release: {{ .Release.Name }}
+spec:
+ ports:
+ - port: 15010
+ name: grpc-xds # plaintext
+ protocol: TCP
+ - port: 15012
+ name: https-dns # mTLS with k8s-signed cert
+ protocol: TCP
+ - port: 443
+ name: https-webhook # validation and injection
+ targetPort: 15017
+ protocol: TCP
+ - port: 15014
+ name: http-monitoring # prometheus stats
+ protocol: TCP
+ selector:
+ app: istiod
+ {{- if ne .Values.revision "" }}
+ istio.io/rev: {{ .Values.revision | quote }}
+ {{- else }}
+ # Label used by the 'default' service. For versioned deployments we match with app and version.
+ # This avoids default deployment picking the canary
+ istio: pilot
+ {{- end }}
+ {{- if .Values.pilot.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.pilot.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.pilot.ipFamilies }}
+ ipFamilies:
+ {{- range .Values.pilot.ipFamilies }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
+---
diff --git a/resources/v1.23.3/charts/istiod/templates/serviceaccount.yaml b/resources/v1.23.3/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 000000000..ec6db3968
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ {{- if .Values.pilot.serviceAccountAnnotations }}
+ annotations:
+{{- toYaml .Values.pilot.serviceAccountAnnotations | indent 4 }}
+ {{- end }}
+---
diff --git a/resources/v1.23.3/charts/istiod/templates/validatingadmissionpolicy.yaml b/resources/v1.23.3/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000..a5cc41876
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,57 @@
+{{- if .Values.experimental.stableValidationPolicy }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+      - apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions: ["*"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["*"]
+  objectSelector:
+    matchExpressions:
+      - key: istio.io/rev
+        operator: In
+        values:
+        {{- if (eq .Values.revision "") }}
+          - "default"
+        {{- else }}
+          - "{{ .Values.revision }}"
+        {{- end }}
+  variables:
+    - name: isEnvoyFilter
+      expression: "object.kind == 'EnvoyFilter'"
+    - name: isWasmPlugin
+      expression: "object.kind == 'WasmPlugin'"
+    - name: isProxyConfig
+      expression: "object.kind == 'ProxyConfig'"
+    - name: isTelemetry
+      expression: "object.kind == 'Telemetry'"
+  validations:
+    - expression: "!variables.isEnvoyFilter"
+    - expression: "!variables.isWasmPlugin"
+    - expression: "!variables.isProxyConfig"
+    - expression: |
+        !(
+          variables.isTelemetry && (
+            (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) ||
+            (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) ||
+            (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter))
+          )
+        )
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+spec:
+  policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
+  validationActions: [Deny]
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/v1.23.3/charts/istiod/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 000000000..b6ad87aa9
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,63 @@
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+      {{- if .Values.base.validationCABundle }}
+      caBundle: "{{ .Values.base.validationCABundle }}"
+      {{- end }}
+    rules:
+      - operations:
+        - CREATE
+        - UPDATE
+        apiGroups:
+        - security.istio.io
+        - networking.istio.io
+        - telemetry.istio.io
+        - extensions.istio.io
+        apiVersions:
+        - "*"
+        resources:
+        - "*"
+    {{- if .Values.base.validationCABundle }}
+    # Disable webhook controller in Pilot to stop patching it
+    failurePolicy: Fail
+    {{- else }}
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    {{- end }}
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
diff --git a/resources/v1.23.3/charts/istiod/templates/zzz_profile.yaml b/resources/v1.23.3/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 000000000..2d0bd4af7
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,43 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $globals := $.Values.global | default dict | deepCopy }}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+# Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/v1.23.3/charts/istiod/values.yaml b/resources/v1.23.3/charts/istiod/values.yaml
new file mode 100644
index 000000000..24e3531af
--- /dev/null
+++ b/resources/v1.23.3/charts/istiod/values.yaml
@@ -0,0 +1,525 @@
+# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
+defaults:
+  #.Values.pilot for discovery and mesh wide config
+
+  ## Discovery Settings
+  pilot:
+    autoscaleEnabled: true
+    autoscaleMin: 1
+    autoscaleMax: 5
+    autoscaleBehavior: {}
+    replicaCount: 1
+    rollingMaxSurge: 100%
+    rollingMaxUnavailable: 25%
+
+    hub: ""
+    tag: ""
+    variant: ""
+
+    # Can be a full hub/image:tag
+    image: pilot
+    traceSampling: 1.0
+
+    # Resources for a small pilot install
+    resources:
+      requests:
+        cpu: 500m
+        memory: 2048Mi
+
+    # Set to `type: RuntimeDefault` to use the default profile if available.
+    seccompProfile: {}
+
+    # Whether to use an existing CNI installation
+    cni:
+      enabled: false
+      provider: default
+
+    # Additional container arguments
+    extraContainerArgs: []
+
+    env: {}
+
+    # Settings related to the untaint controller
+    # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+    # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+    taint:
+      # Controls whether or not the untaint controller is active
+      enabled: false
+      # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+      namespace: ""
+
+    affinity: {}
+
+    tolerations: []
+
+    cpu:
+      targetAverageUtilization: 80
+    memory: {}
+      # targetAverageUtilization: 80
+
+    # Additional volumeMounts to the istiod container
+    volumeMounts: []
+
+    # Additional volumes to the istiod pod
+    volumes: []
+
+    nodeSelector: {}
+    podAnnotations: {}
+    serviceAnnotations: {}
+    serviceAccountAnnotations: {}
+
+    topologySpreadConstraints: []
+
+    # You can use jwksResolverExtraRootCA to provide a root certificate
+    # in PEM format. This will then be trusted by pilot when resolving
+    # JWKS URIs.
+    jwksResolverExtraRootCA: ""
+
+    # The following is used to limit how long a sidecar can be connected
+    # to a pilot. It balances out load across pilot instances at the cost of
+    # increasing system churn.
+    keepaliveMaxServerConnectionAge: 30m
+
+    # Additional labels to apply to the deployment.
+    deploymentLabels: {}
+
+    ## Mesh config settings
+
+    # Install the mesh config map, generated from values.yaml.
+    # If false, pilot wil use default values (by default) or user-supplied values.
+    configMap: true
+
+    # Additional labels to apply on the pod level for monitoring and logging configuration.
+    podLabels: {}
+
+    # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+    ipFamilyPolicy: ""
+    ipFamilies: []
+
+    # Ambient mode only.
+    # Set this if you install ztunnel to a different namespace from `istiod`.
+    # If set, `istiod` will allow connections from trusted node proxy ztunnels
+    # in the provided namespace.
+    # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+    # in the same namespace as itself.
+    trustedZtunnelNamespace: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    # hello: |
+    # metadata:
+    # labels:
+    # hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    # hello: |
+    # metadata:
+    # labels:
+    # hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    # - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      # memory: 128Mi
+      # limits:
+      # cpu: 100m
+      # memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: docker.io/istio
+    # Default tag for Istio images.
+    tag: 1.23.3
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # If set, newly injected sidecars will have core dumps enabled.
+      enableCoreDump: false
+
+      # istio ingress capture allowlist
+      # examples:
+      # Redirect only selected ports: --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make #
+    # make sure they are consistent across your Istio helm charts #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Configure a remote cluster data plane controlled by an external istiod.
+    # When set to true, istiod is not deployed locally and only a subset of the other
+    # discovery charts are enabled.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    # network1:
+    # endpoints:
+    # - fromCidr: "192.168.0.1/24"
+    # gateways:
+    # - address: 1.1.1.1
+    # port: 80
+    # network2:
+    # endpoints:
+    # - fromRegistry: reg1
+    # gateways:
+    # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    # port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Set to true to connect two kubernetes clusters via their respective
+      # ingressgateway services when pods in each cluster cannot directly
+      # talk to one another. All clusters should be using Istio mTLS and must
+      # have a shared root CA for this model to work.
+      enabled: false
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+      # Network defines the network this cluster belong to. This name
+      # corresponds to the networks in the map of mesh networks.
+      network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    # whether to use autoscaling/v2 template for HPA settings
+    # for internal usage only, not to be configured by users.
+    autoscalingv2API: true
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # `istio_cni` has been deprecated and will be removed in a future release. use `pilot.cni` instead
+  istio_cni:
+    # `chained` has been deprecated and will be removed in a future release. use `provider` instead
+    chained: true
+    provider: default
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
diff --git a/resources/v1.23.3/charts/ztunnel/Chart.yaml b/resources/v1.23.3/charts/ztunnel/Chart.yaml
new file mode 100644
index 000000000..9d240cd16
--- /dev/null
+++ b/resources/v1.23.3/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.23.3
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.23.3
diff --git a/resources/v1.23.3/charts/ztunnel/README.md b/resources/v1.23.3/charts/ztunnel/README.md
new file mode 100644
index 000000000..ffe0b94fe
--- /dev/null
+++ b/resources/v1.23.3/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/resources/v1.23.3/charts/ztunnel/files/profile-ambient.yaml b/resources/v1.23.3/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 000000000..22db03309
--- /dev/null
+++ b/resources/v1.23.3/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,20 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
+
+# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel
+variant: distroless
diff --git a/resources/v1.23.3/charts/ztunnel/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.3/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 000000000..72fdd5b3c
--- /dev/null
+++ b/resources/v1.23.3/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,26 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.21 behavioral changes
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
+
+    # 1.22 behavioral changes
+    ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # 1.22 behavioral changes
+      ISTIO_DELTA_XDS: "false"
+      # 1.23 behavioral changes
+      ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+  tracing:
+    zipkin:
+      address: zipkin.istio-system:9411
diff --git a/resources/v1.23.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..d11c242b5
--- /dev/null
+++ b/resources/v1.23.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,23 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.22 behavioral changes
+    ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+    # 1.23 behavioral changes
+    ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+  # 1.22 behavioral changes
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_DELTA_XDS: "false"
+      # 1.23 behavioral changes
+      ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+  tracing:
+    zipkin:
+      address: zipkin.istio-system:9411
diff --git a/resources/v1.23.3/charts/ztunnel/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.3/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
new file mode 100644
index 000000000..b091e2b94
--- /dev/null
+++ b/resources/v1.23.3/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.23 behavioral changes
+    ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # 1.22 behavioral changes
+      ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+      # 1.23 behavioral changes
+      ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
diff --git a/resources/v1.23.3/charts/ztunnel/files/profile-demo.yaml b/resources/v1.23.3/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 000000000..83b9d6b66
--- /dev/null
+++ b/resources/v1.23.3/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,73 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/resources/v1.23.3/charts/ztunnel/files/profile-openshift-ambient.yaml b/resources/v1.23.3/charts/ztunnel/files/profile-openshift-ambient.yaml new file mode 100644 index 000000000..df4532d11 --- /dev/null +++ b/resources/v1.23.3/charts/ztunnel/files/profile-openshift-ambient.yaml @@ -0,0 +1,33 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + platform: openshift +cni: + ambient: + enabled: true + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" + variant: distroless + env: + PILOT_ENABLE_AMBIENT: "true" + # Allow sidecars/ingress to send/receive HBONE. This is required for interop. + PILOT_ENABLE_SENDING_HBONE: "true" + PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" +platform: openshift +variant: distroless +seLinuxOptions: + type: spc_t diff --git a/resources/v1.23.3/charts/ztunnel/files/profile-openshift.yaml b/resources/v1.23.3/charts/ztunnel/files/profile-openshift.yaml new file mode 100644 index 000000000..18f61b88f --- /dev/null +++ b/resources/v1.23.3/charts/ztunnel/files/profile-openshift.yaml 
@@ -0,0 +1,20 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +# CNI must be installed. +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +global: + platform: openshift +pilot: + cni: + enabled: true + provider: "multus" +platform: openshift diff --git a/resources/v1.23.3/charts/ztunnel/files/profile-preview.yaml b/resources/v1.23.3/charts/ztunnel/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/resources/v1.23.3/charts/ztunnel/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.23.3/charts/ztunnel/files/profile-stable.yaml b/resources/v1.23.3/charts/ztunnel/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null +++ b/resources/v1.23.3/charts/ztunnel/files/profile-stable.yaml 
@@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.23.3/charts/ztunnel/templates/NOTES.txt b/resources/v1.23.3/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 000000000..244f59db0 --- /dev/null +++ b/resources/v1.23.3/charts/ztunnel/templates/NOTES.txt @@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/v1.23.3/charts/ztunnel/templates/_helpers.tpl b/resources/v1.23.3/charts/ztunnel/templates/_helpers.tpl new file mode 100644 index 000000000..5ef0d0e40 --- /dev/null +++ b/resources/v1.23.3/charts/ztunnel/templates/_helpers.tpl @@ -0,0 +1,10 @@ +{{- define "istio-labels" }} + app.kubernetes.io/name: ztunnel + {{- if .Release.Service }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- end }} + {{- if .Release.Name}} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + app.kubernetes.io/part-of: istio +{{- end }} diff --git a/resources/v1.23.3/charts/ztunnel/templates/daemonset.yaml b/resources/v1.23.3/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 000000000..fbab95161 --- /dev/null +++ b/resources/v1.23.3/charts/ztunnel/templates/daemonset.yaml 
@@ -0,0 +1,187 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: ztunnel + namespace: {{ .Release.Namespace }} + labels: +{{- template "istio-labels" -}} +{{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: ztunnel + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . 
}} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := 
.Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but ztunnel may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/resources/v1.23.3/charts/ztunnel/templates/rbac.yaml b/resources/v1.23.3/charts/ztunnel/templates/rbac.yaml new file mode 100644 index 000000000..f2b0fd005 --- /dev/null +++ b/resources/v1.23.3/charts/ztunnel/templates/rbac.yaml 
@@ -0,0 +1,69 @@ +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: ztunnel + namespace: {{ .Release.Namespace }} + labels: +{{- template "istio-labels" -}} +{{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +--- +{{- if (eq .Values.platform "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ztunnel + labels: + app: ztunnel + release: {{ .Release.Name }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ztunnel + labels: + app: ztunnel + release: {{ .Release.Name }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ztunnel +subjects: +- kind: ServiceAccount + name: ztunnel + namespace: {{ .Release.Namespace }} +{{- end }} +--- 
diff --git a/resources/v1.23.3/charts/ztunnel/templates/zzz_profile.yaml b/resources/v1.23.3/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 000000000..752a7f375 --- /dev/null +++ b/resources/v1.23.3/charts/ztunnel/templates/zzz_profile.yaml 
@@ -0,0 +1,43 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- $globals := $.Values.global | default dict | deepCopy }} +{{- $defaults := $.Values.defaults }} +{{- $_ := unset $.Values "defaults" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults $globals }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.23.3/charts/ztunnel/values.yaml b/resources/v1.23.3/charts/ztunnel/values.yaml new file mode 100644 index 000000000..7884c238b --- /dev/null +++ b/resources/v1.23.3/charts/ztunnel/values.yaml 
@@ -0,0 +1,95 @@ +# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. +defaults: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: docker.io/istio + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.23.3 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. 
+ clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t diff --git a/resources/v1.23.3/profiles/ambient.yaml b/resources/v1.23.3/profiles/ambient.yaml new file mode 100644 index 000000000..ddaaa4415 
--- /dev/null +++ b/resources/v1.23.3/profiles/ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: ambient diff --git a/resources/v1.23.3/profiles/default.yaml b/resources/v1.23.3/profiles/default.yaml new file mode 100644 index 000000000..1f44cc310 --- /dev/null +++ b/resources/v1.23.3/profiles/default.yaml @@ -0,0 +1,10 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true diff --git a/resources/v1.23.3/profiles/demo.yaml b/resources/v1.23.3/profiles/demo.yaml new file mode 100644 index 000000000..fad37e4c2 --- /dev/null +++ b/resources/v1.23.3/profiles/demo.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: demo diff --git a/resources/v1.23.3/profiles/empty.yaml b/resources/v1.23.3/profiles/empty.yaml new file mode 100644 index 000000000..01052de7f --- /dev/null +++ b/resources/v1.23.3/profiles/empty.yaml @@ -0,0 +1,5 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: {} diff --git a/resources/v1.23.3/profiles/openshift-ambient.yaml b/resources/v1.23.3/profiles/openshift-ambient.yaml new file mode 100644 index 000000000..a30b2099b --- /dev/null +++ b/resources/v1.23.3/profiles/openshift-ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: openshift-ambient diff --git a/resources/v1.23.3/profiles/openshift.yaml b/resources/v1.23.3/profiles/openshift.yaml new file mode 100644 index 000000000..a75886e87 --- /dev/null +++ b/resources/v1.23.3/profiles/openshift.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: openshift 
diff --git a/resources/v1.23.3/profiles/preview.yaml b/resources/v1.23.3/profiles/preview.yaml new file mode 100644 index 000000000..485687d6a --- /dev/null +++ b/resources/v1.23.3/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: preview diff --git a/resources/v1.23.3/profiles/remote.yaml b/resources/v1.23.3/profiles/remote.yaml new file mode 100644 index 000000000..d72fd66e4 --- /dev/null +++ b/resources/v1.23.3/profiles/remote.yaml @@ -0,0 +1,5 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: {} diff --git a/resources/v1.23.3/profiles/stable.yaml b/resources/v1.23.3/profiles/stable.yaml new file mode 100644 index 000000000..594344792 --- /dev/null +++ b/resources/v1.23.3/profiles/stable.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +spec: + values: + profile: stable diff --git a/versions.yaml b/versions.yaml index e42e1851a..338369799 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -11,6 +11,17 @@ # go.mod affect the generated API schema for the Sail CRDs (e.g. IstioRevision), # as well as all the Istio CRDs (e.g. VirtualService). versions: + - name: v1.23.3 + version: 1.23.3 + repo: https://github.com/istio/istio + commit: 1.23.3 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.23.3.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.23.3.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-remote-1.23.3.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.23.3.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.23.3.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.23.3.tgz - name: v1.23.2 version: 1.23.2 repo: https://github.com/istio/istio @@ -22,6 +33,16 @@ versions: - https://istio-release.storage.googleapis.com/charts/gateway-1.23.2.tgz - https://istio-release.storage.googleapis.com/charts/cni-1.23.2.tgz - https://istio-release.storage.googleapis.com/charts/ztunnel-1.23.2.tgz + - name: v1.22.6 + version: 1.22.6 + repo: https://github.com/istio/istio + commit: 1.22.6 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.22.6.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.22.6.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.22.6.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.22.6.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.22.6.tgz - name: v1.22.5 version: 1.22.5 repo: https://github.com/istio/istio 
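Review bot: The new `v1.23.3` entry pins the Istio source with `commit: 1.23.3`, which is a tag name rather than a commit SHA, whereas the `latest` entry in the following hunk records a full 40-character SHA; tags are mutable references, so the stable entries are not reproducibly pinned the way `latest` is. The chart tarballs are likewise referenced by URL alone with no digest, so nothing in this file lets a consumer verify that what was fetched from the release bucket is what was reviewed. The same applies to the `v1.22.6` entry added in the second hunk. If these fields are populated by hack/update-istio.sh (presumably, not visible in this hunk), the script could resolve the tag at generation time and write `commit: <resolved SHA for tag 1.23.3>` (placeholder), and, if the versions schema permits, record a per-chart digest alongside each URL.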
@@ -43,13 +64,13 @@ versions: - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz - name: latest - version: 1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec + version: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e repo: https://github.com/istio/istio branch: master - commit: bb972b546125d3f001cc11114e9fc95486b891ec + commit: b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e charts: - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec/helm/base-1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec/helm/cni-1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec/helm/gateway-1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec/helm/istiod-1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec/helm/ztunnel-1.24-alpha.bb972b546125d3f001cc11114e9fc95486b891ec.tgz + - https://storage.googleapis.com/istio-build/dev/1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e/helm/base-1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e.tgz + - https://storage.googleapis.com/istio-build/dev/1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e/helm/cni-1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e.tgz + - https://storage.googleapis.com/istio-build/dev/1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e/helm/gateway-1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e.tgz + - 
https://storage.googleapis.com/istio-build/dev/1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e/helm/istiod-1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e.tgz + - https://storage.googleapis.com/istio-build/dev/1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e/helm/ztunnel-1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e.tgz From 9bde6d6bcc1bf6bc9c224ab5986ed8bd5d6908a6 Mon Sep 17 00:00:00 2001 From: openshift-service-mesh-bot <165402251+openshift-service-mesh-bot@users.noreply.github.com> Date: Wed, 13 Nov 2024 06:22:33 +0100 Subject: [PATCH 10/11] Automator: Update dependencies in istio-ecosystem/sail-operator@main (#475) Signed-off-by: openshift-service-mesh-bot --- .../sailoperator.clusterserviceversion.yaml | 20 +++++++++---------- chart/values.yaml | 2 +- go.mod | 2 +- go.sum | 4 ++-- resources/latest/charts/base/Chart.yaml | 4 ++-- resources/latest/charts/cni/Chart.yaml | 4 ++-- resources/latest/charts/cni/values.yaml | 2 +- resources/latest/charts/gateway/Chart.yaml | 4 ++-- resources/latest/charts/istiod/Chart.yaml | 4 ++-- resources/latest/charts/istiod/values.yaml | 2 +- resources/latest/charts/ztunnel/Chart.yaml | 4 ++-- resources/latest/charts/ztunnel/values.yaml | 2 +- versions.yaml | 14 ++++++------- 13 files changed, 34 insertions(+), 34 deletions(-) diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml index 5ac188adf..1e23f1b41 100644 --- a/bundle/manifests/sailoperator.clusterserviceversion.yaml +++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml 
@@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-11-12T12:00:34Z" + createdAt: "2024-11-13T05:05:11Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -311,7 +311,7 @@ spec: - v1.22.6 - v1.22.5 - v1.21.6 - - latest (b1ee384c) + - latest (56697886) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. displayName: Sail Operator @@ -535,10 +535,10 @@ spec: template: metadata: annotations: - images.latest.cni: gcr.io/istio-testing/install-cni:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e - images.latest.istiod: gcr.io/istio-testing/pilot:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e - images.latest.proxy: gcr.io/istio-testing/proxyv2:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e - images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e + images.latest.cni: gcr.io/istio-testing/install-cni:1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a + images.latest.istiod: gcr.io/istio-testing/pilot:1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a + images.latest.proxy: gcr.io/istio-testing/proxyv2:1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a + images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6 
@@ -711,13 +711,13 @@ spec: provider: name: Red Hat, Inc. relatedImages: - - image: gcr.io/istio-testing/install-cni:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e + - image: gcr.io/istio-testing/install-cni:1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a name: latest.cni - - image: gcr.io/istio-testing/pilot:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e + - image: gcr.io/istio-testing/pilot:1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a name: latest.istiod - - image: gcr.io/istio-testing/proxyv2:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e + - image: gcr.io/istio-testing/proxyv2:1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a name: latest.proxy - - image: gcr.io/istio-testing/ztunnel:1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e + - image: gcr.io/istio-testing/ztunnel:1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a name: latest.ztunnel - image: docker.io/istio/install-cni:1.21.6 name: v1_21_6.cni diff --git a/chart/values.yaml b/chart/values.yaml index eaa244e9a..098945812 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -23,7 +23,7 @@ csv: - v1.22.6 - v1.22.5 - v1.21.6 - - latest (b1ee384c) + - latest (56697886) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. support: Community based diff --git a/go.mod b/go.mod index 6dda0fdd9..0e7d3f598 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.16.2 istio.io/client-go v1.24.0-alpha.0.0.20241108002529-3f60d583a76f - istio.io/istio v0.0.0-20241111230131-b1ee384c11f0 + istio.io/istio v0.0.0-20241112161631-566978861e4b k8s.io/api v0.31.2 k8s.io/apiextensions-apiserver v0.31.2 k8s.io/apimachinery v0.31.2 diff --git a/go.sum b/go.sum index 5329da4d6..7daa1fd80 100644 --- a/go.sum +++ b/go.sum 
@@ -493,8 +493,8 @@ istio.io/api v1.24.0-alpha.0.0.20241108002229-2cc3366cdb03 h1:7NuB6aHrjm7P+4SbF3 istio.io/api v1.24.0-alpha.0.0.20241108002229-2cc3366cdb03/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= istio.io/client-go v1.24.0-alpha.0.0.20241108002529-3f60d583a76f h1:Izd771gSJV+9kdXhMfnBaLyWFonjBguy4bsxCa9CK/g= istio.io/client-go v1.24.0-alpha.0.0.20241108002529-3f60d583a76f/go.mod h1:wdQxjAxPBg0jDH3GvXx7ldB6pG4gUqRBPxxQ/XhWxBk= -istio.io/istio v0.0.0-20241111230131-b1ee384c11f0 h1:FaOZ/bSRC4AIr8rezKiECQjSBjDjSxyQvY2QVSkuecg= -istio.io/istio v0.0.0-20241111230131-b1ee384c11f0/go.mod h1:w3lBWR9O0hbjfpx4HirXZ/xKmej/M1Qe7KYYI7P4jDk= +istio.io/istio v0.0.0-20241112161631-566978861e4b h1:E5/gVKPSDhqGfJbNaw6DPc4gcihLXoo8l7HNURTqr4A= +istio.io/istio v0.0.0-20241112161631-566978861e4b/go.mod h1:w3lBWR9O0hbjfpx4HirXZ/xKmej/M1Qe7KYYI7P4jDk= k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0= k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk= k8s.io/apiextensions-apiserver v0.31.2 h1:W8EwUb8+WXBLu56ser5IudT2cOho0gAKeTOnywBLxd0= diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml index e71e6356f..26c6864bf 100644 --- a/resources/latest/charts/base/Chart.yaml +++ b/resources/latest/charts/base/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e +appVersion: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e +version: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml index 9ad208aa5..d277cfd4c 100644 --- a/resources/latest/charts/cni/Chart.yaml 
+++ b/resources/latest/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e +appVersion: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: cni sources: - https://github.com/istio/istio -version: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e +version: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml index afcbc73c4..04f1c2c84 100644 --- a/resources/latest/charts/cni/values.yaml +++ b/resources/latest/charts/cni/values.yaml @@ -115,7 +115,7 @@ _internal_defaults_do_not_set: hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e + tag: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a # Variant of the image to use. # Currently supported are: [debug, distroless] diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml index 5647479de..a94a9c634 100644 --- a/resources/latest/charts/gateway/Chart.yaml +++ b/resources/latest/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e +appVersion: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e +version: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml index 4378d7433..cf638bae9 100644 --- a/resources/latest/charts/istiod/Chart.yaml 
+++ b/resources/latest/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e +appVersion: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e +version: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml index c70fadacd..c5fa19f42 100644 --- a/resources/latest/charts/istiod/values.yaml +++ b/resources/latest/charts/istiod/values.yaml @@ -242,7 +242,7 @@ _internal_defaults_do_not_set: # Dev builds from prow are on gcr.io hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e + tag: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml index 2c832bc2b..69a450490 100644 --- a/resources/latest/charts/ztunnel/Chart.yaml +++ b/resources/latest/charts/ztunnel/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e +appVersion: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a description: Helm chart for istio ztunnel components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: ztunnel sources: - https://github.com/istio/istio -version: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e +version: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml index 5af7cfa2e..dd1261aa5 100644 
--- a/resources/latest/charts/ztunnel/values.yaml +++ b/resources/latest/charts/ztunnel/values.yaml @@ -4,7 +4,7 @@ _internal_defaults_do_not_set: # Hub to pull from. Image will be `Hub/Image:Tag-Variant` hub: gcr.io/istio-testing # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e + tag: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. variant: "" diff --git a/versions.yaml b/versions.yaml index 338369799..3924e7f09 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -64,13 +64,13 @@ versions:
 - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz
 - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz
 - name: latest
- version: 1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
+ version: 1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a
 repo: https://github.com/istio/istio
 branch: master
- commit: b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e
+ commit: 566978861e4b7cd7f8f855f15280ede0b05af93a
 charts:
- - https://storage.googleapis.com/istio-build/dev/1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e/helm/base-1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e.tgz
- - https://storage.googleapis.com/istio-build/dev/1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e/helm/cni-1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e.tgz
- - https://storage.googleapis.com/istio-build/dev/1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e/helm/gateway-1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e.tgz
- - https://storage.googleapis.com/istio-build/dev/1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e/helm/istiod-1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e.tgz
- - https://storage.googleapis.com/istio-build/dev/1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e/helm/ztunnel-1.25-alpha.b1ee384c11f0c7da78ccc9f206c0f6f55ded4f3e.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a/helm/base-1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a/helm/cni-1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a/helm/gateway-1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a/helm/istiod-1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a/helm/ztunnel-1.25-alpha.566978861e4b7cd7f8f855f15280ede0b05af93a.tgz
From 94b6c4732cb196e7a07100dc98a86f78cfccc46c Mon Sep 17 00:00:00 2001 From: Daniel Grimm Date: Wed, 13 Nov 2024 07:32:32 +0100 Subject: [PATCH 11/11] Add 1.24.0 (#474)
Signed-off-by: Daniel Grimm Co-authored-by: Filip Brychta --- api/v1alpha1/istio_types.go | 10 +- api/v1alpha1/istiocni_types.go | 10 +- api/v1alpha1/istiorevision_types.go | 6 +- .../sailoperator.clusterserviceversion.yaml | 28 +- .../manifests/sailoperator.io_istiocnis.yaml | 7 +- .../sailoperator.io_istiorevisions.yaml | 3 +- bundle/manifests/sailoperator.io_istios.yaml | 7 +- chart/crds/sailoperator.io_istiocnis.yaml | 7 +- .../crds/sailoperator.io_istiorevisions.yaml | 3 +- chart/crds/sailoperator.io_istios.yaml | 7 +- chart/samples/istio-sample-kubernetes.yaml | 2 +- chart/samples/istio-sample-openshift.yaml | 2 +- chart/samples/istiocni-sample.yaml | 2 +- chart/values.yaml | 1 + docs/api-reference/sailoperator.io.md | 10 +- resources/v1.24.0/charts/base/Chart.yaml | 10 + resources/v1.24.0/charts/base/README.md | 35 + .../charts/base/files/crd-all.gen.yaml | 17063 ++++++++++++++++ .../charts/base/files/profile-ambient.yaml | 17 + .../profile-compatibility-version-1.21.yaml | 33 + .../profile-compatibility-version-1.22.yaml | 26 + .../profile-compatibility-version-1.23.yaml | 19 + .../charts/base/files/profile-demo.yaml | 90 + .../base/files/profile-platform-k3d.yaml | 7 + .../base/files/profile-platform-k3s.yaml | 7 + .../base/files/profile-platform-microk8s.yaml | 7 + .../base/files/profile-platform-minikube.yaml | 6 + .../files/profile-platform-openshift.yaml | 19 + .../charts/base/files/profile-preview.yaml | 13 + .../charts/base/files/profile-remote.yaml | 13 + .../charts/base/files/profile-stable.yaml | 8 + .../v1.24.0/charts/base/templates/NOTES.txt | 5 + .../v1.24.0/charts/base/templates/crds.yaml | 21 + ...ultrevision-validatingadmissionpolicy.yaml | 53 + ...vision-validatingwebhookconfiguration.yaml | 56 + .../base/templates/reader-serviceaccount.yaml | 20 + .../charts/base/templates/zzz_profile.yaml | 74 + resources/v1.24.0/charts/base/values.yaml | 42 + resources/v1.24.0/charts/cni/Chart.yaml | 11 + resources/v1.24.0/charts/cni/README.md | 65 + 
.../charts/cni/files/profile-ambient.yaml | 17 + .../profile-compatibility-version-1.21.yaml | 33 + .../profile-compatibility-version-1.22.yaml | 26 + .../profile-compatibility-version-1.23.yaml | 19 + .../charts/cni/files/profile-demo.yaml | 90 + .../cni/files/profile-platform-k3d.yaml | 7 + .../cni/files/profile-platform-k3s.yaml | 7 + .../cni/files/profile-platform-microk8s.yaml | 7 + .../cni/files/profile-platform-minikube.yaml | 6 + .../cni/files/profile-platform-openshift.yaml | 19 + .../charts/cni/files/profile-preview.yaml | 13 + .../charts/cni/files/profile-remote.yaml | 13 + .../charts/cni/files/profile-stable.yaml | 8 + .../v1.24.0/charts/cni/templates/NOTES.txt | 5 + .../v1.24.0/charts/cni/templates/_helpers.tpl | 8 + .../charts/cni/templates/clusterrole.yaml | 80 + .../cni/templates/clusterrolebinding.yaml | 66 + .../charts/cni/templates/configmap-cni.yaml | 35 + .../charts/cni/templates/daemonset.yaml | 219 + .../network-attachment-definition.yaml | 11 + .../charts/cni/templates/resourcequota.yaml | 19 + .../charts/cni/templates/serviceaccount.yaml | 19 + .../cni/templates/zzy_descope_legacy.yaml | 3 + .../charts/cni/templates/zzz_profile.yaml | 74 + resources/v1.24.0/charts/cni/values.yaml | 149 + resources/v1.24.0/charts/gateway/Chart.yaml | 12 + resources/v1.24.0/charts/gateway/README.md | 170 + .../charts/gateway/files/profile-ambient.yaml | 17 + .../profile-compatibility-version-1.21.yaml | 33 + .../profile-compatibility-version-1.22.yaml | 26 + .../profile-compatibility-version-1.23.yaml | 19 + .../charts/gateway/files/profile-demo.yaml | 90 + .../gateway/files/profile-platform-k3d.yaml | 7 + .../gateway/files/profile-platform-k3s.yaml | 7 + .../files/profile-platform-microk8s.yaml | 7 + .../files/profile-platform-minikube.yaml | 6 + .../files/profile-platform-openshift.yaml | 19 + .../charts/gateway/files/profile-preview.yaml | 13 + .../charts/gateway/files/profile-remote.yaml | 13 + .../charts/gateway/files/profile-stable.yaml | 8 + 
.../charts/gateway/templates/NOTES.txt | 9 + .../charts/gateway/templates/_helpers.tpl | 40 + .../charts/gateway/templates/deployment.yaml | 128 + .../v1.24.0/charts/gateway/templates/hpa.yaml | 40 + .../templates/poddisruptionbudget.yaml | 18 + .../charts/gateway/templates/role.yaml | 37 + .../charts/gateway/templates/service.yaml | 66 + .../gateway/templates/serviceaccount.yaml | 15 + .../charts/gateway/templates/zzz_profile.yaml | 74 + .../v1.24.0/charts/gateway/values.schema.json | 310 + resources/v1.24.0/charts/gateway/values.yaml | 166 + resources/v1.24.0/charts/istiod/Chart.yaml | 12 + resources/v1.24.0/charts/istiod/README.md | 73 + .../files/gateway-injection-template.yaml | 250 + .../charts/istiod/files/grpc-agent.yaml | 310 + .../charts/istiod/files/grpc-simple.yaml | 65 + .../istiod/files/injection-template.yaml | 510 + .../charts/istiod/files/kube-gateway.yaml | 345 + .../charts/istiod/files/profile-ambient.yaml | 17 + .../profile-compatibility-version-1.21.yaml | 33 + .../profile-compatibility-version-1.22.yaml | 26 + .../profile-compatibility-version-1.23.yaml | 19 + .../charts/istiod/files/profile-demo.yaml | 90 + .../istiod/files/profile-platform-k3d.yaml | 7 + .../istiod/files/profile-platform-k3s.yaml | 7 + .../files/profile-platform-microk8s.yaml | 7 + .../files/profile-platform-minikube.yaml | 6 + .../files/profile-platform-openshift.yaml | 19 + .../charts/istiod/files/profile-preview.yaml | 13 + .../charts/istiod/files/profile-remote.yaml | 13 + .../charts/istiod/files/profile-stable.yaml | 8 + .../v1.24.0/charts/istiod/files/waypoint.yaml | 333 + .../v1.24.0/charts/istiod/templates/NOTES.txt | 82 + .../charts/istiod/templates/_helpers.tpl | 23 + .../charts/istiod/templates/autoscale.yaml | 44 + .../charts/istiod/templates/clusterrole.yaml | 187 + .../istiod/templates/clusterrolebinding.yaml | 40 + .../istiod/templates/configmap-jwks.yaml | 19 + .../charts/istiod/templates/configmap.yaml | 110 + .../charts/istiod/templates/deployment.yaml | 
292 + .../templates/istiod-injector-configmap.yaml | 82 + .../istiod/templates/mutatingwebhook.yaml | 165 + .../istiod/templates/poddisruptionbudget.yaml | 30 + .../istiod/templates/reader-clusterrole.yaml | 62 + .../templates/reader-clusterrolebinding.yaml | 17 + .../templates/remote-istiod-endpoints.yaml | 25 + .../templates/remote-istiod-service.yaml | 35 + .../istiod/templates/revision-tags.yaml | 151 + .../v1.24.0/charts/istiod/templates/role.yaml | 35 + .../charts/istiod/templates/rolebinding.yaml | 21 + .../charts/istiod/templates/service.yaml | 55 + .../istiod/templates/serviceaccount.yaml | 24 + .../templates/validatingadmissionpolicy.yaml | 63 + .../validatingwebhookconfiguration.yaml | 68 + .../istiod/templates/zzy_descope_legacy.yaml | 3 + .../charts/istiod/templates/zzz_profile.yaml | 74 + resources/v1.24.0/charts/istiod/values.yaml | 539 + resources/v1.24.0/charts/ztunnel/Chart.yaml | 11 + resources/v1.24.0/charts/ztunnel/README.md | 50 + .../charts/ztunnel/files/profile-ambient.yaml | 17 + .../profile-compatibility-version-1.21.yaml | 33 + .../profile-compatibility-version-1.22.yaml | 26 + .../profile-compatibility-version-1.23.yaml | 19 + .../charts/ztunnel/files/profile-demo.yaml | 90 + .../ztunnel/files/profile-platform-k3d.yaml | 7 + .../ztunnel/files/profile-platform-k3s.yaml | 7 + .../files/profile-platform-microk8s.yaml | 7 + .../files/profile-platform-minikube.yaml | 6 + .../files/profile-platform-openshift.yaml | 19 + .../charts/ztunnel/files/profile-preview.yaml | 13 + .../charts/ztunnel/files/profile-remote.yaml | 13 + .../charts/ztunnel/files/profile-stable.yaml | 8 + .../charts/ztunnel/templates/NOTES.txt | 5 + .../charts/ztunnel/templates/daemonset.yaml | 197 + .../charts/ztunnel/templates/rbac.yaml | 74 + .../charts/ztunnel/templates/zzz_profile.yaml | 74 + resources/v1.24.0/charts/ztunnel/values.yaml | 98 + resources/v1.24.0/profiles/ambient.yaml | 5 + resources/v1.24.0/profiles/default.yaml | 10 + resources/v1.24.0/profiles/demo.yaml 
| 5 + resources/v1.24.0/profiles/empty.yaml | 5 + .../v1.24.0/profiles/openshift-ambient.yaml | 7 + resources/v1.24.0/profiles/openshift.yaml | 6 + resources/v1.24.0/profiles/preview.yaml | 8 + resources/v1.24.0/profiles/remote.yaml | 7 + resources/v1.24.0/profiles/stable.yaml | 5 + versions.yaml | 10 + 167 files changed, 25338 insertions(+), 41 deletions(-) create mode 100644 resources/v1.24.0/charts/base/Chart.yaml create mode 100644 resources/v1.24.0/charts/base/README.md create mode 100644 resources/v1.24.0/charts/base/files/crd-all.gen.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-ambient.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-compatibility-version-1.22.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-compatibility-version-1.23.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-demo.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-platform-k3d.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-platform-k3s.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-platform-microk8s.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-platform-minikube.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-platform-openshift.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-preview.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-remote.yaml create mode 100644 resources/v1.24.0/charts/base/files/profile-stable.yaml create mode 100644 resources/v1.24.0/charts/base/templates/NOTES.txt create mode 100644 resources/v1.24.0/charts/base/templates/crds.yaml create mode 100644 resources/v1.24.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml create mode 100644 resources/v1.24.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml create mode 
100644 resources/v1.24.0/charts/base/templates/reader-serviceaccount.yaml create mode 100644 resources/v1.24.0/charts/base/templates/zzz_profile.yaml create mode 100644 resources/v1.24.0/charts/base/values.yaml create mode 100644 resources/v1.24.0/charts/cni/Chart.yaml create mode 100644 resources/v1.24.0/charts/cni/README.md create mode 100644 resources/v1.24.0/charts/cni/files/profile-ambient.yaml create mode 100644 resources/v1.24.0/charts/cni/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.24.0/charts/cni/files/profile-compatibility-version-1.22.yaml create mode 100644 resources/v1.24.0/charts/cni/files/profile-compatibility-version-1.23.yaml create mode 100644 resources/v1.24.0/charts/cni/files/profile-demo.yaml create mode 100644 resources/v1.24.0/charts/cni/files/profile-platform-k3d.yaml create mode 100644 resources/v1.24.0/charts/cni/files/profile-platform-k3s.yaml create mode 100644 resources/v1.24.0/charts/cni/files/profile-platform-microk8s.yaml create mode 100644 resources/v1.24.0/charts/cni/files/profile-platform-minikube.yaml create mode 100644 resources/v1.24.0/charts/cni/files/profile-platform-openshift.yaml create mode 100644 resources/v1.24.0/charts/cni/files/profile-preview.yaml create mode 100644 resources/v1.24.0/charts/cni/files/profile-remote.yaml create mode 100644 resources/v1.24.0/charts/cni/files/profile-stable.yaml create mode 100644 resources/v1.24.0/charts/cni/templates/NOTES.txt create mode 100644 resources/v1.24.0/charts/cni/templates/_helpers.tpl create mode 100644 resources/v1.24.0/charts/cni/templates/clusterrole.yaml create mode 100644 resources/v1.24.0/charts/cni/templates/clusterrolebinding.yaml create mode 100644 resources/v1.24.0/charts/cni/templates/configmap-cni.yaml create mode 100644 resources/v1.24.0/charts/cni/templates/daemonset.yaml create mode 100644 resources/v1.24.0/charts/cni/templates/network-attachment-definition.yaml create mode 100644 
resources/v1.24.0/charts/cni/templates/resourcequota.yaml create mode 100644 resources/v1.24.0/charts/cni/templates/serviceaccount.yaml create mode 100644 resources/v1.24.0/charts/cni/templates/zzy_descope_legacy.yaml create mode 100644 resources/v1.24.0/charts/cni/templates/zzz_profile.yaml create mode 100644 resources/v1.24.0/charts/cni/values.yaml create mode 100644 resources/v1.24.0/charts/gateway/Chart.yaml create mode 100644 resources/v1.24.0/charts/gateway/README.md create mode 100644 resources/v1.24.0/charts/gateway/files/profile-ambient.yaml create mode 100644 resources/v1.24.0/charts/gateway/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.24.0/charts/gateway/files/profile-compatibility-version-1.22.yaml create mode 100644 resources/v1.24.0/charts/gateway/files/profile-compatibility-version-1.23.yaml create mode 100644 resources/v1.24.0/charts/gateway/files/profile-demo.yaml create mode 100644 resources/v1.24.0/charts/gateway/files/profile-platform-k3d.yaml create mode 100644 resources/v1.24.0/charts/gateway/files/profile-platform-k3s.yaml create mode 100644 resources/v1.24.0/charts/gateway/files/profile-platform-microk8s.yaml create mode 100644 resources/v1.24.0/charts/gateway/files/profile-platform-minikube.yaml create mode 100644 resources/v1.24.0/charts/gateway/files/profile-platform-openshift.yaml create mode 100644 resources/v1.24.0/charts/gateway/files/profile-preview.yaml create mode 100644 resources/v1.24.0/charts/gateway/files/profile-remote.yaml create mode 100644 resources/v1.24.0/charts/gateway/files/profile-stable.yaml create mode 100644 resources/v1.24.0/charts/gateway/templates/NOTES.txt create mode 100644 resources/v1.24.0/charts/gateway/templates/_helpers.tpl create mode 100644 resources/v1.24.0/charts/gateway/templates/deployment.yaml create mode 100644 resources/v1.24.0/charts/gateway/templates/hpa.yaml create mode 100644 resources/v1.24.0/charts/gateway/templates/poddisruptionbudget.yaml create mode 100644 
resources/v1.24.0/charts/gateway/templates/role.yaml create mode 100644 resources/v1.24.0/charts/gateway/templates/service.yaml create mode 100644 resources/v1.24.0/charts/gateway/templates/serviceaccount.yaml create mode 100644 resources/v1.24.0/charts/gateway/templates/zzz_profile.yaml create mode 100644 resources/v1.24.0/charts/gateway/values.schema.json create mode 100644 resources/v1.24.0/charts/gateway/values.yaml create mode 100644 resources/v1.24.0/charts/istiod/Chart.yaml create mode 100644 resources/v1.24.0/charts/istiod/README.md create mode 100644 resources/v1.24.0/charts/istiod/files/gateway-injection-template.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/grpc-agent.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/grpc-simple.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/injection-template.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/kube-gateway.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/profile-ambient.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/profile-compatibility-version-1.22.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/profile-compatibility-version-1.23.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/profile-demo.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/profile-platform-k3d.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/profile-platform-k3s.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/profile-platform-microk8s.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/profile-platform-minikube.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/profile-platform-openshift.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/profile-preview.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/profile-remote.yaml create mode 100644 
resources/v1.24.0/charts/istiod/files/profile-stable.yaml create mode 100644 resources/v1.24.0/charts/istiod/files/waypoint.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/NOTES.txt create mode 100644 resources/v1.24.0/charts/istiod/templates/_helpers.tpl create mode 100644 resources/v1.24.0/charts/istiod/templates/autoscale.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/clusterrole.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/clusterrolebinding.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/configmap-jwks.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/configmap.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/deployment.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/istiod-injector-configmap.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/mutatingwebhook.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/poddisruptionbudget.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/reader-clusterrole.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/reader-clusterrolebinding.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/remote-istiod-endpoints.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/remote-istiod-service.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/revision-tags.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/role.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/rolebinding.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/service.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/serviceaccount.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/validatingadmissionpolicy.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/validatingwebhookconfiguration.yaml create mode 100644 
resources/v1.24.0/charts/istiod/templates/zzy_descope_legacy.yaml create mode 100644 resources/v1.24.0/charts/istiod/templates/zzz_profile.yaml create mode 100644 resources/v1.24.0/charts/istiod/values.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/Chart.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/README.md create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-ambient.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-compatibility-version-1.21.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-compatibility-version-1.22.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-compatibility-version-1.23.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-demo.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-platform-k3d.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-platform-k3s.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-platform-microk8s.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-platform-minikube.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-platform-openshift.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-preview.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-remote.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/files/profile-stable.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/templates/NOTES.txt create mode 100644 resources/v1.24.0/charts/ztunnel/templates/daemonset.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/templates/rbac.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/templates/zzz_profile.yaml create mode 100644 resources/v1.24.0/charts/ztunnel/values.yaml create mode 100644 resources/v1.24.0/profiles/ambient.yaml create mode 100644 resources/v1.24.0/profiles/default.yaml create mode 100644 resources/v1.24.0/profiles/demo.yaml create 
mode 100644 resources/v1.24.0/profiles/empty.yaml create mode 100644 resources/v1.24.0/profiles/openshift-ambient.yaml create mode 100644 resources/v1.24.0/profiles/openshift.yaml create mode 100644 resources/v1.24.0/profiles/preview.yaml create mode 100644 resources/v1.24.0/profiles/remote.yaml create mode 100644 resources/v1.24.0/profiles/stable.yaml diff --git a/api/v1alpha1/istio_types.go b/api/v1alpha1/istio_types.go index 7ae3909fb..85d47ef3f 100644 --- a/api/v1alpha1/istio_types.go +++ b/api/v1alpha1/istio_types.go 
@@ -37,10 +37,10 @@ const (
 type IstioSpec struct {
 // +sail:version
 // Defines the version of Istio to install.
- // Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
- // +kubebuilder:validation:Enum=v1.23.3;v1.23.2;v1.22.6;v1.22.5;v1.21.6;latest
- // +kubebuilder:default=v1.23.3
+ // Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
+ // +kubebuilder:validation:Enum=v1.24.0;v1.23.3;v1.23.2;v1.22.6;v1.22.5;v1.21.6;latest
+ // +kubebuilder:default=v1.24.0
 Version string `json:"version"`
 // Defines the update strategy to use when the version in the Istio CR is updated.
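Review bot: The field-level `+kubebuilder:default=v1.24.0` on `Version` moves every `Istio` created without an explicit `spec.version` onto a brand-new minor, and nothing in the hunk records that bumping this marker is effectively an upgrade policy rather than a cosmetic refresh of the version list. CRD structural defaults are applied by the API server on read from storage as well as on create, so a persisted object that lacks `spec.version` would also resolve to v1.24.0 once the updated CRD is installed; whether such objects can exist here is not visible in the hunk and is worth confirming before release. I would add above the marker: `// NOTE: this default is applied by the API server to objects missing spec.version (on create and on read from storage); bumping it to a new minor implicitly selects that version for such installs.` The `IstioSpec` struct closes outside the hunk.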
@@ -261,7 +261,7 @@ type Istio struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:default={version: "v1.23.3", namespace: "istio-system", updateStrategy: {type:"InPlace"}}
+ // +kubebuilder:default={version: "v1.24.0", namespace: "istio-system", updateStrategy: {type:"InPlace"}}
 Spec IstioSpec `json:"spec,omitempty"`
 Status IstioStatus `json:"status,omitempty"`
diff --git a/api/v1alpha1/istiocni_types.go b/api/v1alpha1/istiocni_types.go
index 401d7d95e..90f20f6a1 100644
--- a/api/v1alpha1/istiocni_types.go
+++ b/api/v1alpha1/istiocni_types.go
@@ -28,10 +28,10 @@ const (
 type IstioCNISpec struct {
 // +sail:version
 // Defines the version of Istio to install.
- // Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
- // +kubebuilder:validation:Enum=v1.23.3;v1.23.2;v1.22.6;v1.22.5;v1.21.6;latest
- // +kubebuilder:default=v1.23.3
+ // Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
+ // +kubebuilder:validation:Enum=v1.24.0;v1.23.3;v1.23.2;v1.22.6;v1.22.5;v1.21.6;latest
+ // +kubebuilder:default=v1.24.0
 Version string `json:"version"`
 
 // +sail:profile
@@ -177,7 +177,7 @@ type IstioCNI struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
 
- // +kubebuilder:default={version: "v1.23.3", namespace: "istio-cni"}
+ // +kubebuilder:default={version: "v1.24.0", namespace: "istio-cni"}
 Spec IstioCNISpec `json:"spec,omitempty"`
 Status IstioCNIStatus `json:"status,omitempty"`
diff --git a/api/v1alpha1/istiorevision_types.go b/api/v1alpha1/istiorevision_types.go
index c6bf7fdc0..c1143fdfa 100644
--- a/api/v1alpha1/istiorevision_types.go
+++ b/api/v1alpha1/istiorevision_types.go
@@ -30,9 +30,9 @@ const (
 type IstioRevisionSpec struct {
 // +sail:version
 // Defines the version of Istio to install.
- // Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
- // +kubebuilder:validation:Enum=v1.23.3;v1.23.2;v1.22.6;v1.22.5;v1.21.6;latest
+ // Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
+ // +kubebuilder:validation:Enum=v1.24.0;v1.23.3;v1.23.2;v1.22.6;v1.22.5;v1.21.6;latest
 Version string `json:"version"`
 
 // Namespace to which the Istio components should be installed.
diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml
index 1e23f1b41..17c6eb243 100644
--- a/bundle/manifests/sailoperator.clusterserviceversion.yaml
+++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml @@ -16,7 +16,7 @@ metadata: "inactiveRevisionDeletionGracePeriodSeconds": 30, "type": "InPlace" }, - "version": "v1.23.3" + "version": "v1.24.0" } }, { @@ -27,14 +27,14 @@ metadata: }, "spec": { "namespace": "istio-cni", - "version": "v1.23.3" + "version": "v1.24.0" } } ] capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:0.2-latest - createdAt: "2024-11-13T05:05:11Z" + createdAt: "2024-11-13T00:09:46Z" description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" @@ -160,11 +160,12 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. + Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.24.0 - urn:alm:descriptor:com.tectonic.ui:select:v1.23.3 - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 - urn:alm:descriptor:com.tectonic.ui:select:v1.22.6 @@ -200,11 +201,12 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. + Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.24.0 - urn:alm:descriptor:com.tectonic.ui:select:v1.23.3 - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 - urn:alm:descriptor:com.tectonic.ui:select:v1.22.6 
@@ -248,11 +250,12 @@ spec: - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased - description: |- Defines the version of Istio to install. - Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. + Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.24.0 - urn:alm:descriptor:com.tectonic.ui:select:v1.23.3 - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 - urn:alm:descriptor:com.tectonic.ui:select:v1.22.6 @@ -306,6 +309,7 @@ spec: This version of the operator supports the following Istio versions: + - v1.24.0 - v1.23.3 - v1.23.2 - v1.22.6 @@ -559,6 +563,10 @@ spec: images.v1_23_3.istiod: docker.io/istio/pilot:1.23.3 images.v1_23_3.proxy: docker.io/istio/proxyv2:1.23.3 images.v1_23_3.ztunnel: docker.io/istio/ztunnel:1.23.3 + images.v1_24_0.cni: docker.io/istio/install-cni:1.24.0 + images.v1_24_0.istiod: docker.io/istio/pilot:1.24.0 + images.v1_24_0.proxy: docker.io/istio/proxyv2:1.24.0 + images.v1_24_0.ztunnel: docker.io/istio/ztunnel:1.24.0 kubectl.kubernetes.io/default-container: sail-operator labels: app.kubernetes.io/created-by: sailoperator @@ -759,4 +767,12 @@ spec: name: v1_23_3.proxy - image: docker.io/istio/ztunnel:1.23.3 name: v1_23_3.ztunnel + - image: docker.io/istio/install-cni:1.24.0 + name: v1_24_0.cni + - image: docker.io/istio/pilot:1.24.0 + name: v1_24_0.istiod + - image: docker.io/istio/proxyv2:1.24.0 + name: v1_24_0.proxy + - image: docker.io/istio/ztunnel:1.24.0 + name: v1_24_0.ztunnel version: 0.2.0 diff --git a/bundle/manifests/sailoperator.io_istiocnis.yaml b/bundle/manifests/sailoperator.io_istiocnis.yaml index b1c824fab..a6fcac53a 100644 --- a/bundle/manifests/sailoperator.io_istiocnis.yaml +++ b/bundle/manifests/sailoperator.io_istiocnis.yaml 
@@ -58,7 +58,7 @@ spec: spec: default: namespace: istio-cni - version: v1.23.3 + version: v1.24.0 description: IstioCNISpec defines the desired state of IstioCNI properties: namespace: @@ -1411,11 +1411,12 @@ spec: type: object type: object version: - default: v1.23.3 + default: v1.24.0 description: |- Defines the version of Istio to install. - Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. + Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. enum: + - v1.24.0 - v1.23.3 - v1.23.2 - v1.22.6 diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml index aa11b9131..a56dda1a7 100644 --- a/bundle/manifests/sailoperator.io_istiorevisions.yaml +++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml @@ -9389,8 +9389,9 @@ spec: version: description: |- Defines the version of Istio to install. - Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. + Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. enum: + - v1.24.0 - v1.23.3 - v1.23.2 - v1.22.6 diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index 8bffa1a16..e5d1a5ae5 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml @@ -80,7 +80,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.23.3 + version: v1.24.0 description: IstioSpec defines the desired state of Istio properties: namespace: @@ -9456,11 +9456,12 @@ spec: type: object type: object version: - default: v1.23.3 + default: v1.24.0 description: |- Defines the version of Istio to install. - Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. + Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. enum: + - v1.24.0 - v1.23.3 - v1.23.2 - v1.22.6 
diff --git a/chart/crds/sailoperator.io_istiocnis.yaml b/chart/crds/sailoperator.io_istiocnis.yaml index 262b35231..b7ebc0e2a 100644 --- a/chart/crds/sailoperator.io_istiocnis.yaml +++ b/chart/crds/sailoperator.io_istiocnis.yaml @@ -58,7 +58,7 @@ spec: spec: default: namespace: istio-cni - version: v1.23.3 + version: v1.24.0 description: IstioCNISpec defines the desired state of IstioCNI properties: namespace: @@ -1411,11 +1411,12 @@ spec: type: object type: object version: - default: v1.23.3 + default: v1.24.0 description: |- Defines the version of Istio to install. - Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. + Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. enum: + - v1.24.0 - v1.23.3 - v1.23.2 - v1.22.6 diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml index ce7fe35da..514f6efa7 100644 --- a/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/chart/crds/sailoperator.io_istiorevisions.yaml @@ -9389,8 +9389,9 @@ spec: version: description: |- Defines the version of Istio to install. - Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. + Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. enum: + - v1.24.0 - v1.23.3 - v1.23.2 - v1.22.6 diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index 283b866bf..ca5e695dd 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -80,7 +80,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.23.3 + version: v1.24.0 description: IstioSpec defines the desired state of Istio properties: namespace: 
@@ -9456,11 +9456,12 @@ spec: type: object type: object version: - default: v1.23.3 + default: v1.24.0 description: |- Defines the version of Istio to install. - Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. + Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. enum: + - v1.24.0 - v1.23.3 - v1.23.2 - v1.22.6 diff --git a/chart/samples/istio-sample-kubernetes.yaml b/chart/samples/istio-sample-kubernetes.yaml index 954b09b6f..ecd0573ed 100644 --- a/chart/samples/istio-sample-kubernetes.yaml +++ b/chart/samples/istio-sample-kubernetes.yaml @@ -3,7 +3,7 @@ kind: Istio metadata: name: default spec: - version: v1.23.3 + version: v1.24.0 namespace: istio-system updateStrategy: type: InPlace diff --git a/chart/samples/istio-sample-openshift.yaml b/chart/samples/istio-sample-openshift.yaml index 260fc1ebd..8fe1b3a0c 100644 --- a/chart/samples/istio-sample-openshift.yaml +++ b/chart/samples/istio-sample-openshift.yaml @@ -3,7 +3,7 @@ kind: Istio metadata: name: default spec: - version: v1.23.3 + version: v1.24.0 namespace: istio-system updateStrategy: type: InPlace diff --git a/chart/samples/istiocni-sample.yaml b/chart/samples/istiocni-sample.yaml index 12921495a..0a5aa1af8 100644 --- a/chart/samples/istiocni-sample.yaml +++ b/chart/samples/istiocni-sample.yaml @@ -3,5 +3,5 @@ kind: IstioCNI metadata: name: default spec: - version: v1.23.3 + version: v1.24.0 namespace: istio-cni diff --git a/chart/values.yaml b/chart/values.yaml index 098945812..26cdb6b2d 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -18,6 +18,7 @@ csv: This version of the operator supports the following Istio versions: + - v1.24.0 - v1.23.3 - v1.23.2 - v1.22.6 diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md index 743378852..75f2111d7 100644 --- a/docs/api-reference/sailoperator.io.md +++ b/docs/api-reference/sailoperator.io.md 
@@ -506,7 +506,7 @@ _Appears in:_
 | `kind` _string_ | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | |
 | `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | |
 | `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
-| `spec` _[IstioSpec](#istiospec)_ | | \{ namespace:istio-system updateStrategy:map[type:InPlace] version:v1.23.3 \} | |
+| `spec` _[IstioSpec](#istiospec)_ | | \{ namespace:istio-system updateStrategy:map[type:InPlace] version:v1.24.0 \} | |
 | `status` _[IstioStatus](#istiostatus)_ | | | |
@@ -528,7 +528,7 @@ _Appears in:_
 | `kind` _string_ | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | |
 | `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | |
 | `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
-| `spec` _[IstioCNISpec](#istiocnispec)_ | | \{ namespace:istio-cni version:v1.23.3 \} | |
+| `spec` _[IstioCNISpec](#istiocnispec)_ | | \{ namespace:istio-cni version:v1.24.0 \} | |
 | `status` _[IstioCNIStatus](#istiocnistatus)_ | | | |
@@ -624,7 +624,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. | v1.23.3 | Enum: [v1.23.3 v1.23.2 v1.22.6 v1.22.5 v1.21.6 latest] |
+| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. | v1.24.0 | Enum: [v1.24.0 v1.23.3 v1.23.2 v1.22.6 v1.22.5 v1.21.6 latest] |
 | `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview remote stable] |
 | `namespace` _string_ | Namespace to which the Istio CNI component should be installed. | istio-cni | |
 | `values` _[CNIValues](#cnivalues)_ | Defines the values to be passed to the Helm charts when installing Istio CNI. | | |
@@ -852,7 +852,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. | | Enum: [v1.23.3 v1.23.2 v1.22.6 v1.22.5 v1.21.6 latest] |
+| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. | | Enum: [v1.24.0 v1.23.3 v1.23.2 v1.22.6 v1.22.5 v1.21.6 latest] |
 | `namespace` _string_ | Namespace to which the Istio components should be installed. | | |
 | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | |
@@ -888,7 +888,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. | v1.23.3 | Enum: [v1.23.3 v1.23.2 v1.22.6 v1.22.5 v1.21.6 latest] |
+| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.24.0, v1.23.3, v1.23.2, v1.22.6, v1.22.5, v1.21.6, latest. | v1.24.0 | Enum: [v1.24.0 v1.23.3 v1.23.2 v1.22.6 v1.22.5 v1.21.6 latest] |
 | `updateStrategy` _[IstioUpdateStrategy](#istioupdatestrategy)_ | Defines the update strategy to use when the version in the Istio CR is updated. | \{ type:InPlace \} | |
 | `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview remote stable] |
 | `namespace` _string_ | Namespace to which the Istio components should be installed. Note that this field is immutable. | istio-system | |
diff --git a/resources/v1.24.0/charts/base/Chart.yaml b/resources/v1.24.0/charts/base/Chart.yaml
new file mode 100644
index 000000000..a6ff731e4
--- /dev/null
+++ b/resources/v1.24.0/charts/base/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 1.24.0
+description: Helm chart for deploying Istio cluster resources and CRDs
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+name: base
+sources:
+- https://github.com/istio/istio
+version: 1.24.0
diff --git a/resources/v1.24.0/charts/base/README.md b/resources/v1.24.0/charts/base/README.md
new file mode 100644
index 000000000..ae8f6d5b0
--- /dev/null
+++ b/resources/v1.24.0/charts/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/resources/v1.24.0/charts/base/files/crd-all.gen.yaml b/resources/v1.24.0/charts/base/files/crd-all.gen.yaml
new file mode 100644
index 000000000..9777d4595
--- /dev/null
+++ b/resources/v1.24.0/charts/base/files/crd-all.gen.yaml
@@ -0,0 +1,17063 @@ +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: wasmplugins.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: WasmPlugin + listKind: WasmPluginList + plural: wasmplugins + singular: wasmplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' + properties: + failStrategy: + description: |- + Specifies the failure behavior for the plugin due to fatal errors. + + Valid Options: FAIL_CLOSE, FAIL_OPEN + enum: + - FAIL_CLOSE + - FAIL_OPEN + type: string + imagePullPolicy: + description: |- + The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + + Valid Options: IfNotPresent, Always + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. 
+ maxLength: 253 + minLength: 1 + type: string + match: + description: Specifies the criteria to determine which traffic is + passed to WasmPlugin. + items: + properties: + mode: + description: |- + Criteria for selecting traffic by their direction. + + Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER + enum: + - UNDEFINED + - CLIENT + - SERVER + - CLIENT_AND_SERVER + type: string + ports: + description: Criteria for selecting traffic by their destination + port. + items: + properties: + number: + maximum: 65535 + minimum: 1 + type: integer + required: + - number + type: object + type: array + x-kubernetes-list-map-keys: + - number + x-kubernetes-list-type: map + type: object + type: array + phase: + description: |- + Determines where in the filter chain this `WasmPlugin` is to be injected. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED_PHASE + - AUTHN + - AUTHZ + - STATS + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. + type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + description: The plugin name to be used in the Envoy configuration + (used to be called `rootID`). + maxLength: 256 + minLength: 1 + type: string + priority: + description: Determines ordering of `WasmPlugins` in the same `phase`. + format: int32 + nullable: true + type: integer + selector: + description: Criteria used to select the specific set of pods/VMs + on which this plugin configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. 
+ maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + sha256: + description: SHA256 checksum that will be used to verify Wasm module + or OCI container. + pattern: (^$|^[a-f0-9]{64}$) + type: string + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. 
+ maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 + type: array + type: + description: |- + Specifies the type of Wasm Extension to be used. + + Valid Options: HTTP, NETWORK + enum: + - UNSPECIFIED_PLUGIN_TYPE + - HTTP + - NETWORK + type: string + url: + description: URL of a Wasm module or OCI container. + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have schema one of [http, https, file, oci] + rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', + ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && + url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', + ''oci'', ''file''])' + verificationKey: + type: string + vmConfig: + description: Configuration for a Wasm VM. + properties: + env: + description: Specifies environment variables to be injected to + this VM. + items: + properties: + name: + description: Name of the environment variable. + maxLength: 256 + minLength: 1 + type: string + value: + description: Value for the environment variable. + maxLength: 2048 + type: string + valueFrom: + description: |- + Source for the environment variable's value. + + Valid Options: INLINE, HOST + enum: + - INLINE + - HOST + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: value may only be set when valueFrom is INLINE + rule: '(has(self.valueFrom) ? 
self.valueFrom : '''') != ''HOST'' + || !has(self.value)' + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - url + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. 
+ items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. 
+ type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. 
+ type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' 
+ nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. 
+ format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. 
+ properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. 
+ items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. 
+ minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. 
+ format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. 
+ items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. 
+ properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. 
+ minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. 
+ format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. 
+ properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. 
+ properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. 
+ maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. 
+ type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. 
+ type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' 
+ nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. 
+ maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
+ + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. 
+ type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. 
+ type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. 
+ minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration + of Service. 
+ properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. 
+ format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. 
+ type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. 
+ items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. 
+ minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. 
+ format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. 
+ format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' 
+ items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. 
+ properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + tls: + description: TLS related settings for connections to the upstream + service. 
+ properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. 
+ maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. 
+ items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + description: |- + Specifies where in the Envoy configuration, the patch should be applied. 
+ + Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + maximum: 4294967295 + minimum: 0 + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: |- + The specific config generation context to match on. + + Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + maximum: 4294967295 + minimum: 0 + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. 
+ type: string + subFilter: + description: The next level filter within this + filter to match upon. + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + description: The service port/gateway port to which + traffic is being sent/received. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + description: Match on the node metadata supplied by + a proxy when connecting to Istio Pilot. + type: object + proxyVersion: + description: A regular expression in golang regex format + (RE2) that can be used to select proxies using a specific + version of istio proxy. + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + description: The Istio gateway config's namespace/name + for which this route configuration was generated. + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + description: The service port number or gateway server + port number for which this route configuration was + generated. + maximum: 4294967295 + minimum: 0 + type: integer + vhost: + description: Match a specific virtual host in a route + configuration and apply the patch to the virtual host. 
+ properties: + name: + description: The VirtualHosts objects generated + by Istio are named as host:port, where the host + typically corresponds to the VirtualService's + host field or the hostname of a service in the + registry. + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: |- + Match a route with specific action type. + + Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + description: The Route objects generated by + default are named as default. + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: |- + Determines the filter insertion order. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: |- + Determines how the patch should be applied. + + Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. + format: int32 + type: integer + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 + type: array + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this patch configuration should be applied. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. 
+ type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. 
See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. 
+ type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. 
+ format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. 
See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. 
+ type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. 
+ format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. 
See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. 
+ type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + - hosts + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. 
+ format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more + details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + format: int32 + minimum: 0 + nullable: true + type: integer + environmentVariables: + additionalProperties: + maxLength: 2048 + type: string + description: Additional environment variables for the proxy. + type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. 
+ maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. 
+ items: + maxLength: 64 + type: string + maxItems: 256 + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) + == ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? 
!has(self.ports) : true' + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + maxLength: 256 + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + protocol: + description: The protocol exposed on the port. + maxLength: 256 + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - number + - name + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) + resolution: + description: |- + Service resolution mode for the hosts. 
+ + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + required: + - hosts + type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (has(self.resolution) && self.resolution != ''STATIC'' && self.resolution + != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. 
+ format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + maxLength: 64 + type: string + maxItems: 256 + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? 
(self.substring(7,8) + == ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. 
+ items: + type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + maxLength: 256 + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + protocol: + description: The protocol exposed on the port. + maxLength: 256 + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - number + - name + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + required: + - hosts + type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (has(self.resolution) && self.resolution != ''STATIC'' && self.resolution + != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + maxLength: 64 + type: string + maxItems: 256 + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) + == ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. 
+ maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + maxLength: 256 + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + protocol: + description: The protocol exposed on the port. + maxLength: 256 + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. 
+ maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - number + - name + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + required: + - hosts + type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (has(self.resolution) && self.resolution != ''STATIC'' && self.resolution + != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? 
!has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). 
+ + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + type: object + status: + properties: + conditions: + description: Current service state of the resource. 
+ items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. 
+ See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. 
+ format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. 
+ format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. 
+ type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. 
+ type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. 
+ x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. 
+ type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. 
+ type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + type: object + status: + properties: + conditions: + description: Current service state of the resource. 
+ items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. 
+ items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. 
+ + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. 
+ maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. 
+ items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. 
+ type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. 
+ type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. 
+ type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. 
+ oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. 
+ type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
+ oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. 
+ type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. 
+ oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. 
+ type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. 
+ format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. 
+ format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. 
+ nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. 
+ properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. 
+ type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' 
+ type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. 
+ format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. 
+ type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. 
+ type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. 
+ x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. 
+ jsonPath: .spec.address + name: Address + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' + || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? + !has(self.ports) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' + || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. 
+ maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? + !has(self.ports) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. 
+ x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. 
+ maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' + || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? + !has(self.ports) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. 
+ format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + maxProperties: 256 + type: object + labels: + additionalProperties: + type: string + maxProperties: 256 + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + minLength: 1 + type: string + type: array + required: + - command + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + minimum: 0 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + pattern: ^[-_A-Za-z0-9]+$ + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + scheme: + type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + minimum: 0 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + minimum: 0 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. 
+ format: int32 + minimum: 0 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + minimum: 0 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == + ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. 
+ maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + required: + - template + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. 
+ + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + maxProperties: 256 + type: object + labels: + additionalProperties: + type: string + maxProperties: 256 + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + minLength: 1 + type: string + type: array + required: + - command + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + minimum: 0 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + pattern: ^[-_A-Za-z0-9]+$ + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + scheme: + type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + minimum: 0 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + minimum: 0 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. 
+ format: int32 + minimum: 0 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + minimum: 0 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == + ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. 
+ maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + required: + - template + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. 
+ + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + maxProperties: 256 + type: object + labels: + additionalProperties: + type: string + maxProperties: 256 + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + minLength: 1 + type: string + type: array + required: + - command + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + minimum: 0 + type: integer + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + pattern: ^[-_A-Za-z0-9]+$ + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + scheme: + type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + minimum: 0 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + minimum: 0 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. 
+ format: int32 + minimum: 0 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + minimum: 0 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == + ''/'' || self.substring(7,8) == ''@'') : true' + - message: UDS may not be a dir + rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') + : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. 
+ maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: '(has(self.address) && self.address.startsWith(''unix://'')) + ? !has(self.ports) : true' + required: + - template + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. 
+ + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + shortNames: + - ap + singular: authorizationpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. 
See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. 
+ items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + required: + - key + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. 
+ format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. 
It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. 
+ items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + required: + - key + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. 
+ + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. 
See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + minProperties: 1 + type: object + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: self.all(key, 0 < int(key) && int(key) <= 65535) + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + x-kubernetes-validations: + - message: portLevelMtls requires selector + rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() + > 0) || !has(self.portLevelMtls) + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. 
+ format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. 
It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + minProperties: 1 + type: object + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: self.all(key, 0 < int(key) && int(key) <= 65535) + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. 
+ maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + x-kubernetes-validations: + - message: portLevelMtls requires selector + rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() + > 0) || !has(self.portLevelMtls) + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. 
+ type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. + items: + minLength: 1 + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + minLength: 1 + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + minLength: 1 + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. 
+ type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + minLength: 1 + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + minLength: 1 + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + minLength: 1 + type: string + header: + description: The name of the header to be created. + minLength: 1 + pattern: ^[-_A-Za-z0-9]+$ + type: string + required: + - header + - claim + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. 
+ type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + required: + - issuer + type: object + x-kubernetes-validations: + - message: only one of jwks or jwksUri can be set + rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 + maxItems: 4096 + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. 
+ format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. 
+ items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. + items: + minLength: 1 + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + minLength: 1 + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + minLength: 1 + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + minLength: 1 + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + minLength: 1 + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. 
+ minLength: 1 + type: string + header: + description: The name of the header to be created. + minLength: 1 + pattern: ^[-_A-Za-z0-9]+$ + type: string + required: + - header + - claim + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. + type: string + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + required: + - issuer + type: object + x-kubernetes-validations: + - message: only one of jwks or jwksUri can be set + rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 + maxItems: 4096 + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. 
+ maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. 
+ type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. 
+ + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. 
+ properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). 
+ + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') + == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') + == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 + type: array + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. 
+ minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. 
+ type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. 
+ nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). 
+ + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : '''') + == ''UPSERT'') ? self.value != '''' : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : '''') + == ''REMOVE'') ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains(''*'')' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + x-kubernetes-validations: + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], + [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 + type: array + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. 
+ minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. 
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/resources/v1.24.0/charts/base/files/profile-ambient.yaml b/resources/v1.24.0/charts/base/files/profile-ambient.yaml
new file mode 100644
index 000000000..2805fe46b
--- /dev/null
+++ b/resources/v1.24.0/charts/base/files/profile-ambient.yaml
@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_META_ENABLE_HBONE: "true"
+global:
+ variant: distroless
+pilot:
+ env:
+ PILOT_ENABLE_AMBIENT: "true"
+cni:
+ ambient:
+ enabled: true
diff --git a/resources/v1.24.0/charts/base/files/profile-compatibility-version-1.21.yaml b/resources/v1.24.0/charts/base/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..c8da4d2e1
--- /dev/null
+++ b/resources/v1.24.0/charts/base/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,33 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+ # 1.24 behavioral changes
+ ENABLE_INBOUND_RETRY_POLICY: "false"
+ EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+ PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.24.0/charts/base/files/profile-compatibility-version-1.22.yaml b/resources/v1.24.0/charts/base/files/profile-compatibility-version-1.22.yaml
new file mode 100644
index 000000000..70d8eb40c
--- /dev/null
+++ b/resources/v1.24.0/charts/base/files/profile-compatibility-version-1.22.yaml
@@ -0,0 +1,26 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+ # 1.24 behavioral changes
+ ENABLE_INBOUND_RETRY_POLICY: "false"
+ EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+ PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.22 behavioral changes
+ ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
diff --git a/resources/v1.24.0/charts/base/files/profile-compatibility-version-1.23.yaml b/resources/v1.24.0/charts/base/files/profile-compatibility-version-1.23.yaml
new file mode 100644
index 000000000..636bb6f15
--- /dev/null
+++ b/resources/v1.24.0/charts/base/files/profile-compatibility-version-1.23.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.24 behavioral changes
+ ENABLE_INBOUND_RETRY_POLICY: "false"
+ EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+ PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
diff --git a/resources/v1.24.0/charts/base/files/profile-demo.yaml b/resources/v1.24.0/charts/base/files/profile-demo.yaml
new file mode 100644
index 000000000..eadbde17c
--- /dev/null
+++ b/resources/v1.24.0/charts/base/files/profile-demo.yaml
@@ -0,0 +1,90 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+ accessLogFile: /dev/stdout
+ extensionProviders:
+ - name: otel
+ envoyOtelAls:
+ service: opentelemetry-collector.observability.svc.cluster.local
+ port: 4317
+ - name: skywalking
+ skywalking:
+ service: tracing.istio-system.svc.cluster.local
+ port: 11800
+ - name: otel-tracing
+ opentelemetry:
+ port: 4317
+ service: opentelemetry-collector.observability.svc.cluster.local
+
+cni:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+ztunnel:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+global:
+ proxy:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ waypoint:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+pilot:
+ autoscaleEnabled: false
+ traceSampling: 100
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+
+gateways:
+ istio-egressgateway:
+ autoscaleEnabled: false
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ istio-ingressgateway:
+ autoscaleEnabled: false
+ ports:
+ ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+ # Note that AWS ELB will by default perform health checks on the first port
+ # on this list. Setting this to the health check port will ensure that health
+ # checks always work. https://github.com/istio/istio/issues/12503
+ - port: 15021
+ targetPort: 15021
+ name: status-port
+ - port: 80
+ targetPort: 8080
+ name: http2
+ - port: 443
+ targetPort: 8443
+ name: https
+ - port: 31400
+ targetPort: 31400
+ name: tcp
+ # This is the port where sni routing happens
+ - port: 15443
+ targetPort: 15443
+ name: tls
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
\ No newline at end of file
diff --git a/resources/v1.24.0/charts/base/files/profile-platform-k3d.yaml b/resources/v1.24.0/charts/base/files/profile-platform-k3d.yaml
new file mode 100644
index 000000000..cd86d9ec5
--- /dev/null
+++ b/resources/v1.24.0/charts/base/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /bin
diff --git a/resources/v1.24.0/charts/base/files/profile-platform-k3s.yaml b/resources/v1.24.0/charts/base/files/profile-platform-k3s.yaml
new file mode 100644
index 000000000..f3f2884aa
--- /dev/null
+++ b/resources/v1.24.0/charts/base/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /var/lib/rancher/k3s/data/current/bin/
diff --git a/resources/v1.24.0/charts/base/files/profile-platform-microk8s.yaml b/resources/v1.24.0/charts/base/files/profile-platform-microk8s.yaml
new file mode 100644
index 000000000..57d7f5e3c
--- /dev/null
+++ b/resources/v1.24.0/charts/base/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/resources/v1.24.0/charts/base/files/profile-platform-minikube.yaml b/resources/v1.24.0/charts/base/files/profile-platform-minikube.yaml new file mode 100644 index 000000000..fa9992e20 --- /dev/null +++ b/resources/v1.24.0/charts/base/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/resources/v1.24.0/charts/base/files/profile-platform-openshift.yaml b/resources/v1.24.0/charts/base/files/profile-platform-openshift.yaml new file mode 100644 index 000000000..8ddc5e165 --- /dev/null +++ b/resources/v1.24.0/charts/base/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" 
diff --git a/resources/v1.24.0/charts/base/files/profile-preview.yaml b/resources/v1.24.0/charts/base/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/resources/v1.24.0/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.24.0/charts/base/files/profile-remote.yaml b/resources/v1.24.0/charts/base/files/profile-remote.yaml new file mode 100644 index 000000000..d17b9a801 --- /dev/null +++ b/resources/v1.24.0/charts/base/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/resources/v1.24.0/charts/base/files/profile-stable.yaml b/resources/v1.24.0/charts/base/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null 
+++ b/resources/v1.24.0/charts/base/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.24.0/charts/base/templates/NOTES.txt b/resources/v1.24.0/charts/base/templates/NOTES.txt new file mode 100644 index 000000000..f12616f57 --- /dev/null +++ b/resources/v1.24.0/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/v1.24.0/charts/base/templates/crds.yaml b/resources/v1.24.0/charts/base/templates/crds.yaml new file mode 100644 index 000000000..f7756d132 --- /dev/null +++ b/resources/v1.24.0/charts/base/templates/crds.yaml 
@@ -0,0 +1,21 @@ +# TODO enableCRDTemplates is now defaulted to true as we +# want to always self-manage CRD upgrades via plain templates, +# so we should remove this flag after a few releases +{{- if .Values.base.enableCRDTemplates }} +{{- $replacement := include "istio.labels" . | fromYaml}} +{{- range $crd := .Files.Get "files/crd-all.gen.yaml"|splitList "\n---\n"}} +{{- $name := (index ($crd |fromYaml) "metadata" "name") }} +{{- if not (has $name $.Values.base.excludedCRDs)}} +{{- $asDict := ($crd | fromYaml) }} +# If we are templating these CRDs, we want to wipe out the "static"/legacy +# labels and replace them with the standard templated istio ones. +# This allows the continued use of `kubectl apply -f crd-all.gen.yaml` +# without any templating+the old labels, if desired. +{{- $_ := set $asDict.metadata "labels" $replacement }} +{{$asDict | toYaml }} +--- +{{- end }} +{{- end }} +{{- else }} +{{ .Files.Get "files/crd-all.gen.yaml" }} +{{- end }} diff --git a/resources/v1.24.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/resources/v1.24.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml new file mode 100644 index 000000000..2616b09c9 --- /dev/null +++ b/resources/v1.24.0/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml 
@@ -0,0 +1,53 @@ +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} diff --git a/resources/v1.24.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/resources/v1.24.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml new file mode 100644 index 000000000..8cb76fd77 --- /dev/null 
+++ b/resources/v1.24.0/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml @@ -0,0 +1,56 @@ +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} diff --git a/resources/v1.24.0/charts/base/templates/reader-serviceaccount.yaml b/resources/v1.24.0/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 000000000..ba829a6bf --- /dev/null +++ b/resources/v1.24.0/charts/base/templates/reader-serviceaccount.yaml 
@@ -0,0 +1,20 @@ +# This singleton service account aggregates reader permissions for the revisions in a given cluster +# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, +# as otherwise compromising the token for this SA would give you access to *every* installed revision. +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} diff --git a/resources/v1.24.0/charts/base/templates/zzz_profile.yaml b/resources/v1.24.0/charts/base/templates/zzz_profile.yaml new file mode 100644 index 000000000..35623047c --- /dev/null +++ b/resources/v1.24.0/charts/base/templates/zzz_profile.yaml 
@@ -0,0 +1,74 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if ($.Values.global).platform }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }} +{{- $ignore := mustMergeOverwrite $profile (. 
| fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" ($.Values.global).platform) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/resources/v1.24.0/charts/base/values.yaml b/resources/v1.24.0/charts/base/values.yaml new file mode 100644 index 000000000..98c9c3645 --- /dev/null +++ b/resources/v1.24.0/charts/base/values.yaml 
@@ -0,0 +1,42 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + + # Platform where Istio is deployed. Possible values are: "openshift", "gcp". + # An empty value means it is a vanilla Kubernetes distribution, therefore no special + # treatment will be considered. + platform: "" + base: + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] + # Helm (as of V3) does not support upgrading CRDs, because it is not universally + # safe for them to support this. + # Istio as a project enforces certain backwards-compat guarantees that allow us + # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs + # as standard K8S resources in Helm, and disable Helm's CRD management. See also: + # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts + enableCRDTemplates: true + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. 
Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/resources/v1.24.0/charts/cni/Chart.yaml b/resources/v1.24.0/charts/cni/Chart.yaml new file mode 100644 index 000000000..e9605e000 --- /dev/null +++ b/resources/v1.24.0/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.24.0 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.24.0 diff --git a/resources/v1.24.0/charts/cni/README.md b/resources/v1.24.0/charts/cni/README.md new file mode 100644 index 000000000..a8b78d5bd --- /dev/null +++ b/resources/v1.24.0/charts/cni/README.md 
@@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. 
+ +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/resources/v1.24.0/charts/cni/files/profile-ambient.yaml b/resources/v1.24.0/charts/cni/files/profile-ambient.yaml new file mode 100644 index 000000000..2805fe46b --- /dev/null +++ b/resources/v1.24.0/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/resources/v1.24.0/charts/cni/files/profile-compatibility-version-1.21.yaml b/resources/v1.24.0/charts/cni/files/profile-compatibility-version-1.21.yaml new file mode 100644 index 000000000..c8da4d2e1 --- /dev/null +++ b/resources/v1.24.0/charts/cni/files/profile-compatibility-version-1.21.yaml 
@@ -0,0 +1,33 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.24.0/charts/cni/files/profile-compatibility-version-1.22.yaml b/resources/v1.24.0/charts/cni/files/profile-compatibility-version-1.22.yaml new file mode 100644 index 000000000..70d8eb40c --- /dev/null +++ b/resources/v1.24.0/charts/cni/files/profile-compatibility-version-1.22.yaml 
@@ -0,0 +1,26 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.22 behavioral changes + ENABLE_DEFERRED_CLUSTER_CREATION: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/v1.24.0/charts/cni/files/profile-compatibility-version-1.23.yaml b/resources/v1.24.0/charts/cni/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 000000000..636bb6f15 --- /dev/null +++ b/resources/v1.24.0/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" 
diff --git a/resources/v1.24.0/charts/cni/files/profile-demo.yaml b/resources/v1.24.0/charts/cni/files/profile-demo.yaml new file mode 100644 index 000000000..eadbde17c --- /dev/null +++ b/resources/v1.24.0/charts/cni/files/profile-demo.yaml 
@@ -0,0 +1,90 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/resources/v1.24.0/charts/cni/files/profile-platform-k3d.yaml b/resources/v1.24.0/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 000000000..cd86d9ec5 --- /dev/null +++ b/resources/v1.24.0/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/resources/v1.24.0/charts/cni/files/profile-platform-k3s.yaml b/resources/v1.24.0/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 000000000..f3f2884aa --- /dev/null +++ b/resources/v1.24.0/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/current/bin/ diff --git a/resources/v1.24.0/charts/cni/files/profile-platform-microk8s.yaml b/resources/v1.24.0/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 000000000..57d7f5e3c --- /dev/null +++ b/resources/v1.24.0/charts/cni/files/profile-platform-microk8s.yaml 
@@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/resources/v1.24.0/charts/cni/files/profile-platform-minikube.yaml b/resources/v1.24.0/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 000000000..fa9992e20 --- /dev/null +++ b/resources/v1.24.0/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/resources/v1.24.0/charts/cni/files/profile-platform-openshift.yaml b/resources/v1.24.0/charts/cni/files/profile-platform-openshift.yaml new file mode 100644 index 000000000..8ddc5e165 --- /dev/null +++ b/resources/v1.24.0/charts/cni/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" 
diff --git a/resources/v1.24.0/charts/cni/files/profile-preview.yaml b/resources/v1.24.0/charts/cni/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/resources/v1.24.0/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.24.0/charts/cni/files/profile-remote.yaml b/resources/v1.24.0/charts/cni/files/profile-remote.yaml new file mode 100644 index 000000000..d17b9a801 --- /dev/null +++ b/resources/v1.24.0/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/resources/v1.24.0/charts/cni/files/profile-stable.yaml b/resources/v1.24.0/charts/cni/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null 
+++ b/resources/v1.24.0/charts/cni/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.24.0/charts/cni/templates/NOTES.txt b/resources/v1.24.0/charts/cni/templates/NOTES.txt new file mode 100644 index 000000000..fb35525b9 --- /dev/null +++ b/resources/v1.24.0/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/v1.24.0/charts/cni/templates/_helpers.tpl b/resources/v1.24.0/charts/cni/templates/_helpers.tpl new file mode 100644 index 000000000..73cc17b2f --- /dev/null +++ b/resources/v1.24.0/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/resources/v1.24.0/charts/cni/templates/clusterrole.yaml b/resources/v1.24.0/charts/cni/templates/clusterrole.yaml new file mode 100644 index 000000000..30f159603 --- /dev/null +++ b/resources/v1.24.0/charts/cni/templates/clusterrole.yaml 
@@ -0,0 +1,80 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq (coalesce .Values.platform .Values.global.platform) "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-repair-role + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. 
So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-ambient + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} diff --git a/resources/v1.24.0/charts/cni/templates/clusterrolebinding.yaml b/resources/v1.24.0/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..032b3e3f2 --- /dev/null +++ b/resources/v1.24.0/charts/cni/templates/clusterrolebinding.yaml 
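Review bot: The base ClusterRole grants `use` on the `privileged` SecurityContextConstraints twice, once unconditionally in its first rule and again inside the `{{- if (eq (coalesce .Values.platform .Values.global.platform) "openshift") }}` block, so the platform check never changes the rendered output and the SCC grant is emitted on every platform. Dropping the unconditional copy and keeping only the guarded rule would let the grant follow the platform setting as the conditional suggests. Since this template appears to be a vendored copy of the upstream Istio chart, the correction belongs in the upstream source so it survives the next regeneration.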
@@ -0,0 +1,66 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-repair-rolebinding + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-repair-role +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-ambient + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . 
| nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-ambient +{{- end }} diff --git a/resources/v1.24.0/charts/cni/templates/configmap-cni.yaml b/resources/v1.24.0/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 000000000..39a09fb69 --- /dev/null +++ b/resources/v1.24.0/charts/cni/templates/configmap-cni.yaml 
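Review bot: The ambient ClusterRoleBinding carries the label `k8s-app: {{ template "name" . }}-repair`, which looks copied from the repair binding above it, while the ClusterRole it binds is `{{ template "name" . }}-ambient`. Using `k8s-app: {{ template "name" . }}-ambient` keeps the label consistent with the binding's name and avoids two differently purposed bindings sharing the repair label when both features are enabled. As this file appears to be a vendored copy of the upstream chart, the change should be made upstream rather than edited locally.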
@@ -0,0 +1,35 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | default "false" | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | default "false" | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDED_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.chained | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/resources/v1.24.0/charts/cni/templates/daemonset.yaml b/resources/v1.24.0/charts/cni/templates/daemonset.yaml new file mode 100644 index 000000000..f7d2962e2 --- /dev/null 
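Review bot: `REPAIR_ENABLED: {{ .Values.chained | quote }}` derives the repair controller's enable flag from the CNI chaining setting rather than from `.Values.repair.enabled`, whereas the repair ClusterRole and ClusterRoleBinding in the earlier hunks are gated on `.Values.repair.enabled`. With the chart defaults (`chained: true`) a user who sets `repair.enabled=false` still gets REPAIR_ENABLED rendered as "true" without the matching RBAC, and a user who disables chaining gets the RBAC granted with the flag off, so the runtime flag and the privilege grant can disagree. The line should read `REPAIR_ENABLED: {{ .Values.repair.enabled | quote }}`. Since the template appears to be a vendored copy of the upstream chart, the fix belongs upstream and in the regenerated copy.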
+++ b/resources/v1.24.0/charts/cni/templates/daemonset.yaml 
@@ -0,0 +1,219 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +{{- $defaultBinDir := + (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: + {{if .Values.ambient.enabled }}hostNetwork: true{{ end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. 
+ - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair mode to describe the pod's network namespace + # in ambient and repair mode. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. 
+ - SYS_ADMIN +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. 
+ - name: cni-bin-dir + hostPath: + path: {{ .Values.cniBinDir | default $defaultBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ default "/etc/cni/net.d" .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir | default "/var/run/netns" }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/resources/v1.24.0/charts/cni/templates/network-attachment-definition.yaml b/resources/v1.24.0/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 000000000..86a2eb7c0 --- /dev/null +++ b/resources/v1.24.0/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "name" . }} + namespace: default + labels: + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/resources/v1.24.0/charts/cni/templates/resourcequota.yaml b/resources/v1.24.0/charts/cni/templates/resourcequota.yaml new file mode 100644 index 000000000..9a6d61ff9 --- /dev/null +++ b/resources/v1.24.0/charts/cni/templates/resourcequota.yaml 
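Review bot: The install-cni container adds `SYS_PTRACE` and `SYS_ADMIN` unconditionally, while the `/host/proc` mount that the comments tie those capabilities to is only rendered under `{{- if or .Values.repair.repairPods .Values.ambient.enabled }}`. When neither feature is enabled the DaemonSet still runs as root with CAP_SYS_ADMIN on every node, which is more than the inline comments justify for that configuration. If the sidecar-mode install path does not rely on them, wrapping the two entries in the same `{{- if or .Values.repair.repairPods .Values.ambient.enabled }} … {{- end }}` guard would keep the capability set aligned with the enabled features. As this manifest appears to be a vendored copy of the upstream chart, the change should be proposed upstream rather than patched locally.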
@@ -0,0 +1,19 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "name" . }}-resource-quota + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/resources/v1.24.0/charts/cni/templates/serviceaccount.yaml b/resources/v1.24.0/charts/cni/templates/serviceaccount.yaml new file mode 100644 index 000000000..41ac7dd83 --- /dev/null +++ b/resources/v1.24.0/charts/cni/templates/serviceaccount.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} diff --git a/resources/v1.24.0/charts/cni/templates/zzy_descope_legacy.yaml b/resources/v1.24.0/charts/cni/templates/zzy_descope_legacy.yaml new file mode 100644 index 000000000..a9584ac29 --- /dev/null +++ b/resources/v1.24.0/charts/cni/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file 
diff --git a/resources/v1.24.0/charts/cni/templates/zzz_profile.yaml b/resources/v1.24.0/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 000000000..35623047c
--- /dev/null
+++ b/resources/v1.24.0/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,74 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if ($.Values.global).platform }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }} +{{- $ignore := mustMergeOverwrite $profile (. 
| fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" ($.Values.global).platform) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/resources/v1.24.0/charts/cni/values.yaml b/resources/v1.24.0/charts/cni/values.yaml new file mode 100644 index 000000000..e25338875 --- /dev/null +++ b/resources/v1.24.0/charts/cni/values.yaml 
@@ -0,0 +1,149 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI bin and conf dir override settings + # defaults: + cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + # This directory must exist on the node, if it does not, consult your container runtime + # documentation for the appropriate path. + cniNetnsDir: # Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'. + + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. 
+ # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: false + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. 
+ seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # The number of pods that can be unavailable during rolling update (see + # `updateStrategy.rollingUpdate.maxUnavailable` here: + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + # May be specified as a number of pods or as a percent of the total number + # of pods at the start of the update. + rollingMaxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + + # Default tag for Istio images. + tag: 1.24.0 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # A `key: value` mapping of environment variables to add to the pod + env: {} 
diff --git a/resources/v1.24.0/charts/gateway/Chart.yaml b/resources/v1.24.0/charts/gateway/Chart.yaml
new file mode 100644
index 000000000..07cf40586
--- /dev/null
+++ b/resources/v1.24.0/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.24.0
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- https://github.com/istio/istio
+type: application
+version: 1.24.0
diff --git a/resources/v1.24.0/charts/gateway/README.md b/resources/v1.24.0/charts/gateway/README.md
new file mode 100644
index 000000000..5c064d165
--- /dev/null
+++ b/resources/v1.24.0/charts/gateway/README.md
@@ -0,0 +1,170 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. 
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. 
+ +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. 
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+ kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+ kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+ kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
diff --git a/resources/v1.24.0/charts/gateway/files/profile-ambient.yaml b/resources/v1.24.0/charts/gateway/files/profile-ambient.yaml
new file mode 100644
index 000000000..2805fe46b
--- /dev/null
+++ b/resources/v1.24.0/charts/gateway/files/profile-ambient.yaml
@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_META_ENABLE_HBONE: "true"
+global:
+ variant: distroless
+pilot:
+ env:
+ PILOT_ENABLE_AMBIENT: "true"
+cni:
+ ambient:
+ enabled: true
diff --git a/resources/v1.24.0/charts/gateway/files/profile-compatibility-version-1.21.yaml b/resources/v1.24.0/charts/gateway/files/profile-compatibility-version-1.21.yaml new file mode 100644 index 000000000..c8da4d2e1 --- /dev/null +++ b/resources/v1.24.0/charts/gateway/files/profile-compatibility-version-1.21.yaml @@ -0,0 +1,33 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.24.0/charts/gateway/files/profile-compatibility-version-1.22.yaml b/resources/v1.24.0/charts/gateway/files/profile-compatibility-version-1.22.yaml new file mode 100644 index 000000000..70d8eb40c --- /dev/null +++ b/resources/v1.24.0/charts/gateway/files/profile-compatibility-version-1.22.yaml 
@@ -0,0 +1,26 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.22 behavioral changes + ENABLE_DEFERRED_CLUSTER_CREATION: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/v1.24.0/charts/gateway/files/profile-compatibility-version-1.23.yaml b/resources/v1.24.0/charts/gateway/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 000000000..636bb6f15 --- /dev/null +++ b/resources/v1.24.0/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" 
diff --git a/resources/v1.24.0/charts/gateway/files/profile-demo.yaml b/resources/v1.24.0/charts/gateway/files/profile-demo.yaml new file mode 100644 index 000000000..eadbde17c --- /dev/null +++ b/resources/v1.24.0/charts/gateway/files/profile-demo.yaml 
@@ -0,0 +1,90 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/resources/v1.24.0/charts/gateway/files/profile-platform-k3d.yaml b/resources/v1.24.0/charts/gateway/files/profile-platform-k3d.yaml new file mode 100644 index 000000000..cd86d9ec5 --- /dev/null +++ b/resources/v1.24.0/charts/gateway/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/resources/v1.24.0/charts/gateway/files/profile-platform-k3s.yaml b/resources/v1.24.0/charts/gateway/files/profile-platform-k3s.yaml new file mode 100644 index 000000000..f3f2884aa --- /dev/null +++ b/resources/v1.24.0/charts/gateway/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/current/bin/ diff --git a/resources/v1.24.0/charts/gateway/files/profile-platform-microk8s.yaml b/resources/v1.24.0/charts/gateway/files/profile-platform-microk8s.yaml new file mode 100644 index 000000000..57d7f5e3c --- /dev/null +++ b/resources/v1.24.0/charts/gateway/files/profile-platform-microk8s.yaml 
@@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/resources/v1.24.0/charts/gateway/files/profile-platform-minikube.yaml b/resources/v1.24.0/charts/gateway/files/profile-platform-minikube.yaml new file mode 100644 index 000000000..fa9992e20 --- /dev/null +++ b/resources/v1.24.0/charts/gateway/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/resources/v1.24.0/charts/gateway/files/profile-platform-openshift.yaml b/resources/v1.24.0/charts/gateway/files/profile-platform-openshift.yaml new file mode 100644 index 000000000..8ddc5e165 --- /dev/null +++ b/resources/v1.24.0/charts/gateway/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" 
diff --git a/resources/v1.24.0/charts/gateway/files/profile-preview.yaml b/resources/v1.24.0/charts/gateway/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/resources/v1.24.0/charts/gateway/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.24.0/charts/gateway/files/profile-remote.yaml b/resources/v1.24.0/charts/gateway/files/profile-remote.yaml new file mode 100644 index 000000000..d17b9a801 --- /dev/null +++ b/resources/v1.24.0/charts/gateway/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/resources/v1.24.0/charts/gateway/files/profile-stable.yaml b/resources/v1.24.0/charts/gateway/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null 
+++ b/resources/v1.24.0/charts/gateway/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.24.0/charts/gateway/templates/NOTES.txt b/resources/v1.24.0/charts/gateway/templates/NOTES.txt new file mode 100644 index 000000000..fd0142911 --- /dev/null +++ b/resources/v1.24.0/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/resources/v1.24.0/charts/gateway/templates/_helpers.tpl b/resources/v1.24.0/charts/gateway/templates/_helpers.tpl new file mode 100644 index 000000000..e5a0a9b3c --- /dev/null +++ b/resources/v1.24.0/charts/gateway/templates/_helpers.tpl 
@@ -0,0 +1,40 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+ {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+ {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if and (ne $key "app") (ne $key "istio") }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }}
+istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }}
+{{- end }}
+
+{{/*
+Keep sidecar injection labels together
+https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy
+*/}}
+{{- define "gateway.sidecarInjectionLabels" -}}
+sidecar.istio.io/inject: "true"
+{{- with .Values.revision }}
+istio.io/rev: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .) }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/gateway/templates/deployment.yaml b/resources/v1.24.0/charts/gateway/templates/deployment.yaml
new file mode 100644
index 000000000..e9bfbbd36
--- /dev/null
+++ b/resources/v1.24.0/charts/gateway/templates/deployment.yaml
@@ -0,0 +1,128 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
+ {{- include "gateway.labels" . | nindent 4}}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ {{- with .Values.replicaCount }}
+ replicas: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.strategy }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.minReadySeconds }}
+ minReadySeconds: {{ . }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "gateway.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }}
+ {{- include "gateway.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 8}}
+ {{- range $key, $val := .Values.labels }}
+ {{- if and (ne $key "app") (ne $key "istio") }}
+ {{ $key | quote }}: {{ $val | quote }}
+ {{- end }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+ securityContext:
+ {{- if .Values.securityContext }}
+ {{- toYaml .Values.securityContext | nindent 8 }}
+ {{- else }}
+ # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
+ {{- end }}
+ {{- with .Values.volumes }}
+ volumes:
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: istio-proxy
+ # "auto" will be populated at runtime by the mutating webhook.
See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+ image: auto
+ {{- with .Values.imagePullPolicy }}
+ imagePullPolicy: {{ . }}
+ {{- end }}
+ securityContext:
+ {{- if .Values.containerSecurityContext }}
+ {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+ {{- else }}
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ {{- if not (eq .Values.platform "openshift") }}
+ runAsUser: 1337
+ runAsGroup: 1337
+ {{- end }}
+ runAsNonRoot: true
+ {{- end }}
+ env:
+ {{- with .Values.networkGateway }}
+ - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+ value: "{{.}}"
+ {{- end }}
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: {{ $val | quote }}
+ {{- end }}
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.volumeMounts }}
+ volumeMounts:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.readinessProbe }}
+ readinessProbe:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+ {{- with .Values.priorityClassName }}
+ priorityClassName: {{ . }}
+ {{- end }}
diff --git a/resources/v1.24.0/charts/gateway/templates/hpa.yaml b/resources/v1.24.0/charts/gateway/templates/hpa.yaml
new file mode 100644
index 000000000..64ecb6a4c
--- /dev/null
+++ b/resources/v1.24.0/charts/gateway/templates/hpa.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
+ {{- include "gateway.labels" . | nindent 4 }}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: {{ .Values.kind | default "Deployment" }}
+ name: {{ include "gateway.name" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ type: Utilization
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ type: Utilization
+ {{- end }}
+ {{- if .Values.autoscaling.autoscaleBehavior }}
+ behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/gateway/templates/poddisruptionbudget.yaml b/resources/v1.24.0/charts/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..b0155cdf0
--- /dev/null
+++ b/resources/v1.24.0/charts/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.podDisruptionBudget }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
+ {{- include "gateway.labels" . | nindent 4}}
+spec:
+ selector:
+ matchLabels:
+ {{- include "gateway.selectorLabels" . | nindent 6 }}
+ {{- with .Values.podDisruptionBudget }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/gateway/templates/role.yaml b/resources/v1.24.0/charts/gateway/templates/role.yaml
new file mode 100644
index 000000000..3d1607963
--- /dev/null
+++ b/resources/v1.24.0/charts/gateway/templates/role.yaml
@@ -0,0 +1,37 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
+ {{- include "gateway.labels" . | nindent 4}}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
+ {{- include "gateway.labels" . | nindent 4}}
+ annotations:
+ {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/gateway/templates/service.yaml b/resources/v1.24.0/charts/gateway/templates/service.yaml
new file mode 100644
index 000000000..25ce3bcb0
--- /dev/null
+++ b/resources/v1.24.0/charts/gateway/templates/service.yaml
@@ -0,0 +1,66 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "gateway.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
+ {{- include "gateway.labels" . | nindent 4 }}
+ {{- with .Values.networkGateway }}
+ topology.istio.io/network: "{{.}}"
+ {{- end }}
+ annotations:
+ {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+ loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+ {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+ allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+ {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+ ipFamilies:
+{{- range .Values.service.ipFamilies }}
+ - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+ externalTrafficPolicy: "{{ . }}"
+{{- end }}
+ type: {{ .Values.service.type }}
+ ports:
+{{- if .Values.networkGateway }}
+ - name: status-port
+ port: 15021
+ targetPort: 15021
+ - name: tls
+ port: 15443
+ targetPort: 15443
+ - name: tls-istiod
+ port: 15012
+ targetPort: 15012
+ - name: tls-webhook
+ port: 15017
+ targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+ externalIPs: {{- range .Values.service.externalIPs }}
+ - {{.}}
+ {{- end }}
+{{- end }}
+ selector:
+ {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/gateway/templates/serviceaccount.yaml b/resources/v1.24.0/charts/gateway/templates/serviceaccount.yaml
new file mode 100644
index 000000000..c88afeadd
--- /dev/null
+++ b/resources/v1.24.0/charts/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "gateway.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "gateway.name" . }}
+ {{- include "istio.labels" . | nindent 4}}
+ {{- include "gateway.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/gateway/templates/zzz_profile.yaml b/resources/v1.24.0/charts/gateway/templates/zzz_profile.yaml
new file mode 100644
index 000000000..35623047c
--- /dev/null
+++ b/resources/v1.24.0/charts/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,74 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if ($.Values.global).platform }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }} +{{- $ignore := mustMergeOverwrite $profile (. 
| fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" ($.Values.global).platform) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/resources/v1.24.0/charts/gateway/values.schema.json b/resources/v1.24.0/charts/gateway/values.schema.json new file mode 100644 index 000000000..3108259a9 --- /dev/null +++ b/resources/v1.24.0/charts/gateway/values.schema.json 
@@ -0,0 +1,310 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "additionalProperties": false, + "$defs": { + "values": { + "type": "object", + "properties": { + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ "null", "integer" ] + }, + "readinessProbe": { + "type": [ "null", "object" ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "runAsRoot": { + "type": 
"boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + 
"items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/resources/v1.24.0/charts/gateway/values.yaml b/resources/v1.24.0/charts/gateway/values.yaml new file mode 100644 index 000000000..b02240df1 --- /dev/null +++ b/resources/v1.24.0/charts/gateway/values.yaml 
@@ -0,0 +1,166 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. 
Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: {} + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. 
+ # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/resources/v1.24.0/charts/istiod/Chart.yaml b/resources/v1.24.0/charts/istiod/Chart.yaml new file mode 100644 index 000000000..25750420a --- /dev/null +++ b/resources/v1.24.0/charts/istiod/Chart.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.24.0 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.24.0 diff --git a/resources/v1.24.0/charts/istiod/README.md b/resources/v1.24.0/charts/istiod/README.md new file mode 100644 index 000000000..ddbfbc8fe --- /dev/null +++ b/resources/v1.24.0/charts/istiod/README.md 
@@ -0,0 +1,73 @@ +# Istiod Helm Chart + +This chart installs an Istiod deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). + +To install the chart with the release name `istiod`: + +```console +kubectl create namespace istio-system +helm install istiod istio/istiod --namespace istio-system +``` + +## Uninstalling the Chart + +To uninstall/delete the `istiod` deployment: + +```console +helm delete istiod --namespace istio-system +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istiod +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. 
+ +### Examples + +#### Configuring mesh configuration settings + +Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: + +```yaml +meshConfig: + accessLogFile: /dev/stdout +``` + +#### Revisions + +Control plane revisions allow deploying multiple versions of the control plane in the same cluster. +This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) + +```yaml +revision: my-revision-name +``` diff --git a/resources/v1.24.0/charts/istiod/files/gateway-injection-template.yaml b/resources/v1.24.0/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 000000000..97ffb71f2 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/gateway-injection-template.yaml 
@@ -0,0 +1,250 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + } +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation 
.ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," 
}}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/resources/v1.24.0/charts/istiod/files/grpc-agent.yaml b/resources/v1.24.0/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 000000000..7290fcdca --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/grpc-agent.yaml 
@@ -0,0 +1,310 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. 
*/}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if 
.Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + 
{{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . 
}} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: 
/var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} 
diff --git a/resources/v1.24.0/charts/istiod/files/grpc-simple.yaml b/resources/v1.24.0/charts/istiod/files/grpc-simple.yaml new file mode 100644 index 000000000..9ba0c7a46 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/grpc-simple.yaml @@ -0,0 +1,65 @@ +metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" +spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} diff --git a/resources/v1.24.0/charts/istiod/files/injection-template.yaml b/resources/v1.24.0/charts/istiod/files/injection-template.yaml new file mode 100644 index 000000000..0ef948e6a --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/injection-template.yaml 
@@ -0,0 +1,510 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels 
`security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges 
}}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta 
`sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ .ProxyUID | default "1337" | quote }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation 
.ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . 
}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsUser: {{ .ProxyUID | default "1337" }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - 
pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + 
value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta 
`sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert 
mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/resources/v1.24.0/charts/istiod/files/kube-gateway.yaml b/resources/v1.24.0/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 000000000..dbe158de1 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/kube-gateway.yaml 
@@ -0,0 +1,345 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" 
"false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | 
quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: 
{{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - 
mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- diff --git a/resources/v1.24.0/charts/istiod/files/profile-ambient.yaml b/resources/v1.24.0/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 000000000..2805fe46b --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true 
diff --git a/resources/v1.24.0/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/v1.24.0/charts/istiod/files/profile-compatibility-version-1.21.yaml new file mode 100644 index 000000000..c8da4d2e1 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/profile-compatibility-version-1.21.yaml @@ -0,0 +1,33 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/resources/v1.24.0/charts/istiod/files/profile-compatibility-version-1.22.yaml b/resources/v1.24.0/charts/istiod/files/profile-compatibility-version-1.22.yaml new file mode 100644 index 000000000..70d8eb40c --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/profile-compatibility-version-1.22.yaml 
@@ -0,0 +1,26 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.22 behavioral changes + ENABLE_DEFERRED_CLUSTER_CREATION: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/v1.24.0/charts/istiod/files/profile-compatibility-version-1.23.yaml b/resources/v1.24.0/charts/istiod/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 000000000..636bb6f15 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" 
diff --git a/resources/v1.24.0/charts/istiod/files/profile-demo.yaml b/resources/v1.24.0/charts/istiod/files/profile-demo.yaml new file mode 100644 index 000000000..eadbde17c --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/profile-demo.yaml 
@@ -0,0 +1,90 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/resources/v1.24.0/charts/istiod/files/profile-platform-k3d.yaml b/resources/v1.24.0/charts/istiod/files/profile-platform-k3d.yaml new file mode 100644 index 000000000..cd86d9ec5 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/resources/v1.24.0/charts/istiod/files/profile-platform-k3s.yaml b/resources/v1.24.0/charts/istiod/files/profile-platform-k3s.yaml new file mode 100644 index 000000000..f3f2884aa --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/current/bin/ diff --git a/resources/v1.24.0/charts/istiod/files/profile-platform-microk8s.yaml b/resources/v1.24.0/charts/istiod/files/profile-platform-microk8s.yaml new file mode 100644 index 000000000..57d7f5e3c --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/profile-platform-microk8s.yaml 
@@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/resources/v1.24.0/charts/istiod/files/profile-platform-minikube.yaml b/resources/v1.24.0/charts/istiod/files/profile-platform-minikube.yaml new file mode 100644 index 000000000..fa9992e20 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/resources/v1.24.0/charts/istiod/files/profile-platform-openshift.yaml b/resources/v1.24.0/charts/istiod/files/profile-platform-openshift.yaml new file mode 100644 index 000000000..8ddc5e165 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" 
diff --git a/resources/v1.24.0/charts/istiod/files/profile-preview.yaml b/resources/v1.24.0/charts/istiod/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.24.0/charts/istiod/files/profile-remote.yaml b/resources/v1.24.0/charts/istiod/files/profile-remote.yaml new file mode 100644 index 000000000..d17b9a801 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/resources/v1.24.0/charts/istiod/files/profile-stable.yaml b/resources/v1.24.0/charts/istiod/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null 
+++ b/resources/v1.24.0/charts/istiod/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/resources/v1.24.0/charts/istiod/files/waypoint.yaml b/resources/v1.24.0/charts/istiod/files/waypoint.yaml new file mode 100644 index 000000000..bbe47674b --- /dev/null +++ b/resources/v1.24.0/charts/istiod/files/waypoint.yaml 
@@ -0,0 +1,333 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" 
"false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - 
--log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: 
{{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - 
fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- diff --git a/resources/v1.24.0/charts/istiod/templates/NOTES.txt b/resources/v1.24.0/charts/istiod/templates/NOTES.txt new file mode 100644 index 000000000..0d07ea7f4 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/templates/NOTES.txt 
@@ -0,0 +1,82 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: +{{- $profile := default "" .Values.profile }} +{{- if (eq $profile "ambient") }} + * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ + * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ +{{- else }} + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ +{{- end }} + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + 
"global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. 
+{{- end }} +{{- end }} +{{- + $failDeps := dict + "telemetry.v2.prometheus.configOverride" + "telemetry.v2.stackdriver.configOverride" + "telemetry.v2.stackdriver.disableOutbound" + "telemetry.v2.stackdriver.outboundAccessLogging" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" +}} +{{- range $dep, $replace := $failDeps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +{{fail (print $dep " is removed")}} +{{- end }} +{{- end }} +{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} +{{- fail "pilotCertProvider=kubernetes is not supported" }} +{{- end }} \ No newline at end of file diff --git a/resources/v1.24.0/charts/istiod/templates/_helpers.tpl b/resources/v1.24.0/charts/istiod/templates/_helpers.tpl new file mode 100644 index 000000000..042c92538 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/templates/_helpers.tpl 
@@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} diff --git a/resources/v1.24.0/charts/istiod/templates/autoscale.yaml b/resources/v1.24.0/charts/istiod/templates/autoscale.yaml new file mode 100644 index 000000000..363a834f2 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/templates/autoscale.yaml 
@@ -0,0 +1,44 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/resources/v1.24.0/charts/istiod/templates/clusterrole.yaml b/resources/v1.24.0/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 000000000..0c340b5b3 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/templates/clusterrole.yaml 
@@ -0,0 +1,187 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+rules:
+ # sidecar injection controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+
+ # configuration validation webhook controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+
+ # istio configuration
+ # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+ # please proceed with caution
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+ verbs: ["get", "watch", "list"]
+ resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+ verbs: ["update", "patch"]
+ resources:
+ - authorizationpolicies/status
+ - destinationrules/status
+ - envoyfilters/status
+ - gateways/status
+ - peerauthentications/status
+ - proxyconfigs/status
+ - requestauthentications/status
+ - serviceentries/status
+ - sidecars/status
+ - telemetries/status
+ - virtualservices/status
+ - wasmplugins/status
+ - workloadentries/status
+ - workloadgroups/status
+{{- end }}
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries/status", "serviceentries/status" ]
+ - apiGroups: ["security.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "authorizationpolicies/status" ]
+ - apiGroups: [""]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "services/status" ]
+
+ # auto-detect installed CRD definitions
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+
+ # discovery and routing
+ - apiGroups: [""]
+ resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+
+{{- if .Values.taint.enabled }}
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["patch"]
+{{- end }}
+
+ # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+{{- end}}
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses", "ingressclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+
+ # required for CA's namespace controller
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+
+ # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "certificatesigningrequests"
+ - "certificatesigningrequests/approval"
+ - "certificatesigningrequests/status"
+ verbs: ["update", "create", "get", "delete", "watch"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "signers"
+ resourceNames:
+{{- range .Values.global.certSigners }}
+ - {{ . | quote }}
+{{- end }}
+ verbs: ["approve"]
+{{- end}}
+
+ # Used by Istiod to verify the JWT tokens
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+ # Used by Istiod to verify gateway SDS
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+
+ # Use for Kubernetes Service APIs
+ - apiGroups: ["gateway.networking.k8s.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["gateway.networking.k8s.io"]
+ resources:
+ - backendtlspolicies/status
+ - gatewayclasses/status
+ - gateways/status
+ - grpcroutes/status
+ - httproutes/status
+ - referencegrants/status
+ - tcproutes/status
+ - tlsroutes/status
+ - udproutes/status
+ verbs: ["update", "patch"]
+ - apiGroups: ["gateway.networking.k8s.io"]
+ resources: ["gatewayclasses"]
+ verbs: ["create", "update", "patch", "delete"]
+
+ # Needed for multicluster secret reading, possibly ingress certs in the future
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+ # Used for MCS serviceexport management
+ - apiGroups: ["{{ $mcsAPIGroup }}"]
+ resources: ["serviceexports"]
+ verbs: [ "get", "watch", "list", "create", "delete"]
+
+ # Used for MCS serviceimport management
+ - apiGroups: ["{{ $mcsAPIGroup }}"]
+ resources: ["serviceimports"]
+ verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["apps"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "deployments" ]
+ - apiGroups: [""]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "services" ]
+ - apiGroups: [""]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/clusterrolebinding.yaml b/resources/v1.24.0/charts/istiod/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..10781b407
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/clusterrolebinding.yaml
@@ -0,0 +1,40 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/configmap-jwks.yaml b/resources/v1.24.0/charts/istiod/templates/configmap-jwks.yaml
new file mode 100644
index 000000000..6d4ce6c73
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/configmap-jwks.yaml
@@ -0,0 +1,19 @@
+# Not created if istiod is running remotely
+{{- if not .Values.istiodRemote.enabled }}
+{{- if .Values.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+data:
+ extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }}
+{{- end }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/configmap.yaml b/resources/v1.24.0/charts/istiod/templates/configmap.yaml
new file mode 100644
index 000000000..f278d9101
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/configmap.yaml
@@ -0,0 +1,110 @@
+{{- define "mesh" }}
+ # The trust domain corresponds to the trust root of a system.
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+ trustDomain: "cluster.local"
+
+ # The namespace to treat as the administrative root namespace for Istio configuration.
+ # When processing a leaf namespace Istio will search for declarations in that namespace first
+ # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+ # is processed as if it were declared in the leaf namespace.
+ rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+ {{ $prom := include "default-prometheus" . | eq "true" }}
+ {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+ {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+ {{- if or $prom $sdMetrics $sdLogs }}
+ defaultProviders:
+ {{- if or $prom $sdMetrics }}
+ metrics:
+ {{ if $prom }}- prometheus{{ end }}
+ {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+ {{- end }}
+ {{- if and $sdMetrics $sdLogs }}
+ accessLogging:
+ - stackdriver
+ {{- end }}
+ {{- end }}
+
+ defaultConfig:
+ {{- if .Values.global.meshID }}
+ meshId: "{{ .Values.global.meshID }}"
+ {{- end }}
+ {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+ image:
+ imageType: {{. | quote}}
+ {{- end }}
+ {{- if not (eq .Values.global.proxy.tracer "none") }}
+ tracing:
+ {{- if eq .Values.global.proxy.tracer "lightstep" }}
+ lightstep:
+ # Address of the LightStep Satellite pool
+ address: {{ .Values.global.tracer.lightstep.address }}
+ # Access Token used to communicate with the Satellite pool
+ accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+ {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+ zipkin:
+ # Address of the Zipkin collector
+ address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+ {{- else if eq .Values.global.proxy.tracer "datadog" }}
+ datadog:
+ # Address of the Datadog Agent
+ address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+ {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+ stackdriver:
+ # enables trace output to stdout.
+ debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+ # The global default max number of attributes per span.
+ maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+ # The global default max number of annotation events per span.
+ maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+ # The global default max number of message events per span.
+ maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+ {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
+ {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
+{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.global.remotePilotAddress }}
+ discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+ {{- else }}
+ discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+ {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if .Values.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+data:
+
+ # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+ meshNetworks: |-
+ {{- if .Values.global.meshNetworks }}
+ networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+ {{- else }}
+ networks: {}
+ {{- end }}
+
+ mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/deployment.yaml b/resources/v1.24.0/charts/istiod/templates/deployment.yaml
new file mode 100644
index 000000000..560933b51
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/deployment.yaml
@@ -0,0 +1,292 @@
+# Not created if istiod is running remotely
+{{- if not .Values.istiodRemote.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ istio: pilot
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+{{- range $key, $val := .Values.deploymentLabels }}
+ {{ $key }}: "{{ $val }}"
+{{- end }}
+spec:
+{{- if not .Values.autoscaleEnabled }}
+{{- if .Values.replicaCount }}
+ replicas: {{ .Values.replicaCount }}
+{{- end }}
+{{- end }}
+ strategy:
+ rollingUpdate:
+ maxSurge: {{ .Values.rollingMaxSurge }}
+ maxUnavailable: {{ .Values.rollingMaxUnavailable }}
+ selector:
+ matchLabels:
+ {{- if ne .Values.revision "" }}
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ {{- else }}
+ istio: pilot
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ sidecar.istio.io/inject: "false"
+ operator.istio.io/component: "Pilot"
+ {{- if ne .Values.revision "" }}
+ istio: istiod
+ {{- else }}
+ istio: pilot
+ {{- end }}
+ {{- range $key, $val := .Values.podLabels }}
+ {{ $key }}: "{{ $val }}"
+ {{- end }}
+ istio.io/dataplane-mode: none
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 8 }}
+ annotations:
+ prometheus.io/port: "15014"
+ prometheus.io/scrape: "true"
+ sidecar.istio.io/inject: "false"
+ {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+ {{- end }}
+ spec:
+{{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+ affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+ tolerations:
+ - key: cni.istio.io/not-ready
+ operator: "Exists"
+{{- with .Values.tolerations }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.topologySpreadConstraints }}
+ topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+ serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- with .Values.initContainers }}
+ initContainers:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+ containers:
+ - name: discovery
+{{- if contains "/" .Values.image }}
+ image: "{{ .Values.image }}"
+{{- else }}
+ image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+ args:
+ - "discovery"
+ - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+ - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+ - --log_as_json
+{{- end }}
+ - --domain
+ - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.taint.namespace }}
+ - --cniNamespace={{ .Values.taint.namespace }}
+{{- end }}
+ - --keepaliveMaxServerConnectionAge
+ - "{{ .Values.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.extraContainerArgs }}
+ {{- with .Values.extraContainerArgs }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+{{- end }}
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ name: http-debug
+ - containerPort: 15010
+ protocol: TCP
+ name: grpc-xds
+ - containerPort: 15012
+ protocol: TCP
+ name: tls-xds
+ - containerPort: 15017
+ protocol: TCP
+ name: https-webhooks
+ - containerPort: 15014
+ protocol: TCP
+ name: http-monitoring
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8080
+ initialDelaySeconds: 1
+ periodSeconds: 3
+ timeoutSeconds: 5
+ env:
+ - name: REVISION
+ value: "{{ .Values.revision | default `default` }}"
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.serviceAccountName
+ - name: KUBECONFIG
+ value: /var/run/secrets/remote/config
+ # If you explicitly told us where ztunnel lives, use that.
+ # Otherwise, assume it lives in our namespace
+ # Also, check for an explicit ENV override (legacy approach) and prefer that
+ # if present
+ {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }}
+ {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }}
+ - name: CA_TRUSTED_NODE_ACCOUNTS
+ value: "{{ $ztTrustedNS }}/ztunnel"
+ {{- end }}
+ {{- if .Values.env }}
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+{{- if .Values.traceSampling }}
+ - name: PILOT_TRACE_SAMPLING
+ value: "{{ .Values.traceSampling }}"
+{{- end }}
+# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
+# don't set it here to avoid duplication.
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }}
+ - name: EXTERNAL_ISTIOD
+ value: "{{ .Values.global.externalIstiod }}"
+{{- end }}
+ - name: PILOT_ENABLE_ANALYSIS
+ value: "{{ .Values.global.istiod.enableAnalysis }}"
+ - name: CLUSTER_ID
+ value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+ - name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ - name: GOMAXPROCS
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ divisor: "1"
+ - name: PLATFORM
+ value: "{{ coalesce .Values.global.platform .Values.platform }}"
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+{{- if .Values.seccompProfile }}
+ seccompProfile:
+{{ toYaml .Values.seccompProfile | trim | indent 14 }}
+{{- end }}
+ volumeMounts:
+ - name: istio-token
+ mountPath: /var/run/secrets/tokens
+ readOnly: true
+ - name: local-certs
+ mountPath: /var/run/secrets/istio-dns
+ - name: cacerts
+ mountPath: /etc/cacerts
+ readOnly: true
+ - name: istio-kubeconfig
+ mountPath: /var/run/secrets/remote
+ readOnly: true
+ {{- if .Values.jwksResolverExtraRootCA }}
+ - name: extracacerts
+ mountPath: /cacerts
+ {{- end }}
+ - name: istio-csr-dns-cert
+ mountPath: /var/run/secrets/istiod/tls
+ readOnly: true
+ - name: istio-csr-ca-configmap
+ mountPath: /var/run/secrets/istiod/ca
+ readOnly: true
+ {{- with .Values.volumeMounts }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ volumes:
+ # Technically not needed on this pod - but it helps debugging/testing SDS
+ # Should be removed after everything works.
+ - emptyDir:
+ medium: Memory
+ name: local-certs
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: {{ .Values.global.sds.token.aud }}
+ expirationSeconds: 43200
+ path: istio-token
+ # Optional: user-generated root
+ - name: cacerts
+ secret:
+ secretName: cacerts
+ optional: true
+ - name: istio-kubeconfig
+ secret:
+ secretName: istio-kubeconfig
+ optional: true
+ # Optional: istio-csr dns pilot certs
+ - name: istio-csr-dns-cert
+ secret:
+ secretName: istiod-tls
+ optional: true
+ - name: istio-csr-ca-configmap
+ configMap:
+ name: istio-ca-root-cert
+ defaultMode: 420
+ optional: true
+ {{- if .Values.jwksResolverExtraRootCA }}
+ - name: extracacerts
+ configMap:
+ name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- end }}
+ {{- with .Values.volumes }}
+ {{- toYaml . | nindent 6}}
+ {{- end }}
+
+---
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/istiod-injector-configmap.yaml b/resources/v1.24.0/charts/istiod/templates/istiod-injector-configmap.yaml
new file mode 100644
index 000000000..b87691742
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,82 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+ values: |-
+{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}}
+{{ $pilotVals := pick .Values "cni" -}}
+{{ $vals = set $vals "pilot" $pilotVals -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+ # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+ # and istiod webhook functionality.
+ #
+ # New fields should not use Values - it is a 'primary' config object, users should be able
+ # to fine tune it or use it with kube-inject.
+ config: |-
+ # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+ {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+ defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+ - {{ . }}
+{{- end }}
+ {{- else }}
+ defaultTemplates: [sidecar]
+ {{- end }}
+ policy: {{ .Values.global.proxy.autoInject }}
+ alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+ neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+ injectedAnnotations:
+ {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+ "{{ $key }}": {{ $val | quote }}
+ {{- end }}
+ {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+ which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+ This should make it obvious that their installation is broken.
+ */}}
+ template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+ templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+ sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+ gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+ grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+ grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+ waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+ kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/mutatingwebhook.yaml b/resources/v1.24.0/charts/istiod/templates/mutatingwebhook.yaml
new file mode 100644
index 000000000..c1428bf60
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/mutatingwebhook.yaml
@@ -0,0 +1,165 @@
+# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that.
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict
+ "revision" .Values.revision
+ "injectionPath" .Values.istiodRemote.injectionPath
+ "injectionURL" .Values.istiodRemote.injectionURL
+ "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy
+ "caBundle" .Values.istiodRemote.injectionCABundle
+ "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+ clientConfig:
+ {{- if .injectionURL }}
+ url: "{{ .injectionURL }}"
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+ namespace: {{ .namespace }}
+ path: "{{ .injectionPath }}"
+ port: 443
+ {{- end }}
+ {{- if .caBundle }}
+ caBundle: "{{ .caBundle }}"
+ {{- end }}
+ sideEffects: None
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ reinvocationPolicy: "{{ .reinvocationPolicy }}"
+ admissionReviewVersions: ["v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: sidecar-injector
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+{{- if $.Values.sidecarInjectorWebhookAnnotations }}
+ annotations:
+{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }}
+{{- end }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: In
+ values:
+ - enabled
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: In
+ values:
+ - "true"
+ - key: istio.io/rev
+ operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: "kubernetes.io/metadata.name"
+ operator: "NotIn"
+ values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/poddisruptionbudget.yaml b/resources/v1.24.0/charts/istiod/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..8ba27dc0b
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/poddisruptionbudget.yaml
@@ -0,0 +1,30 @@
+# Not created if istiod is running remotely
+{{- if not .Values.istiodRemote.enabled }}
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+ istio: pilot
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: istiod
+ {{- if ne .Values.revision "" }}
+ istio.io/rev: {{ .Values.revision | quote }}
+ {{- else }}
+ istio: pilot
+ {{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/reader-clusterrole.yaml b/resources/v1.24.0/charts/istiod/templates/reader-clusterrole.yaml
new file mode 100644
index 000000000..dbaa80503
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/reader-clusterrole.yaml
@@ -0,0 +1,62 @@
+{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istio-reader"
+ {{- include "istio.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - "config.istio.io"
+ - "security.istio.io"
+ - "networking.istio.io"
+ - "authentication.istio.io"
+ - "rbac.istio.io"
+ - "telemetry.istio.io"
+ - "extensions.istio.io"
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+ resources: ["gateways"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["{{ $mcsAPIGroup }}"]
+ resources: ["serviceexports"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: ["{{ $mcsAPIGroup }}"]
+ resources: ["serviceimports"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+{{- if .Values.istiodRemote.enabled }}
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+ - apiGroups: 
["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+{{- end}}
diff --git a/resources/v1.24.0/charts/istiod/templates/reader-clusterrolebinding.yaml b/resources/v1.24.0/charts/istiod/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 000000000..aea9f01f7
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istio-reader"
+ {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/resources/v1.24.0/charts/istiod/templates/remote-istiod-endpoints.yaml b/resources/v1.24.0/charts/istiod/templates/remote-istiod-endpoints.yaml
new file mode 100644
index 000000000..a6de571da
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/remote-istiod-endpoints.yaml
@@ -0,0 +1,25 @@
+# This file is only used for remote `istiod` installs.
+{{- if .Values.istiodRemote.enabled }}
+# if the remotePilotAddress is an IP addr
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+subsets:
+- addresses:
+ - ip: {{ .Values.global.remotePilotAddress }}
+ ports:
+ - port: 15012
+ name: tcp-istiod
+ protocol: TCP
+ - port: 15017
+ name: tcp-webhook
+ protocol: TCP
+---
+{{- end }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/remote-istiod-service.yaml b/resources/v1.24.0/charts/istiod/templates/remote-istiod-service.yaml
new file mode 100644
index 000000000..220277dc0
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/remote-istiod-service.yaml
@@ -0,0 +1,35 @@
+# This file is only used for remote `istiod` installs.
+{{- if .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: "istiod"
+ {{ include "istio.labels" . | nindent 4 }}
+spec:
+ ports:
+ - port: 15012
+ name: tcp-istiod
+ protocol: TCP
+ - port: 443
+ targetPort: 15017
+ name: tcp-webhook
+ protocol: TCP
+ {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }}
+ # if the remotePilotAddress is not an IP addr, we use ExternalName
+ type: ExternalName
+ externalName: {{ .Values.global.remotePilotAddress }}
+ {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+ ipFamilies:
+{{- range .Values.global.ipFamilies }}
+ - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/revision-tags.yaml b/resources/v1.24.0/charts/istiod/templates/revision-tags.yaml
new file mode 100644
index 000000000..31c221d30
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/revision-tags.yaml
@@ -0,0 +1,151 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1"] +{{- end }} +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" 
$ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + 
- "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/resources/v1.24.0/charts/istiod/templates/role.yaml b/resources/v1.24.0/charts/istiod/templates/role.yaml new file mode 100644 index 000000000..10d89e8d1 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/templates/role.yaml 
@@ -0,0 +1,35 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+ verbs: ["create"]
+ resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+ resources: ["secrets"]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "update", "patch", "create"]
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/rolebinding.yaml b/resources/v1.24.0/charts/istiod/templates/rolebinding.yaml
new file mode 100644
index 000000000..a42f4ec44
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/rolebinding.yaml
@@ -0,0 +1,21 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/service.yaml b/resources/v1.24.0/charts/istiod/templates/service.yaml
new file mode 100644
index 000000000..8829f0f43
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/service.yaml
@@ -0,0 +1,55 @@
+# Not created if istiod is running remotely
+{{- if not .Values.istiodRemote.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ {{- if .Values.serviceAnnotations }}
+ annotations:
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: istiod
+ istio: pilot
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+spec:
+ ports:
+ - port: 15010
+ name: grpc-xds # plaintext
+ protocol: TCP
+ - port: 15012
+ name: https-dns # mTLS with k8s-signed cert
+ protocol: TCP
+ - port: 443
+ name: https-webhook # validation and injection
+ targetPort: 15017
+ protocol: TCP
+ - port: 15014
+ name: http-monitoring # prometheus stats
+ protocol: TCP
+ selector:
+ app: istiod
+ {{- if ne .Values.revision "" }}
+ istio.io/rev: {{ .Values.revision | quote }}
+ {{- else }}
+ # Label used by the 'default' service. For versioned deployments we match with app and version.
+ # This avoids default deployment picking the canary
+ istio: pilot
+ {{- end }}
+ {{- if .Values.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.ipFamilies }}
+ ipFamilies:
+ {{- range .Values.ipFamilies }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
+---
+{{- end }}
diff --git a/resources/v1.24.0/charts/istiod/templates/serviceaccount.yaml b/resources/v1.24.0/charts/istiod/templates/serviceaccount.yaml
new file mode 100644
index 000000000..22b841e87
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/serviceaccount.yaml
@@ -0,0 +1,24 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+ {{- if .Values.serviceAccountAnnotations }}
+ annotations:
+{{- toYaml .Values.serviceAccountAnnotations | indent 4 }}
+ {{- end }}
+{{- end }}
+---
diff --git a/resources/v1.24.0/charts/istiod/templates/validatingadmissionpolicy.yaml b/resources/v1.24.0/charts/istiod/templates/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000..d36eef68e
--- /dev/null
+++ b/resources/v1.24.0/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? 
object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/resources/v1.24.0/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/v1.24.0/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 000000000..fb28836a0 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/templates/validatingwebhookconfiguration.yaml 
@@ -0,0 +1,68 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio: istiod
+ istio.io/rev: {{ .Values.revision | default "default" | quote }}
+ app.kubernetes.io/name: "istiod"
+ {{- include "istio.labels" . | nindent 4 }}
+webhooks:
+ # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+ # are rejecting invalid configs on a per-revision basis.
+ - name: rev.validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ {{- if .Values.base.validationCABundle }}
+ caBundle: "{{ .Values.base.validationCABundle }}"
+ {{- end }}
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ {{- if .Values.base.validationCABundle }}
+ # Disable webhook controller in Pilot to stop patching it
+ failurePolicy: Fail
+ {{- else }}
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready. 
+ failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/resources/v1.24.0/charts/istiod/templates/zzy_descope_legacy.yaml b/resources/v1.24.0/charts/istiod/templates/zzy_descope_legacy.yaml new file mode 100644 index 000000000..ae8fced29 --- /dev/null +++ b/resources/v1.24.0/charts/istiod/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/resources/v1.24.0/charts/istiod/templates/zzz_profile.yaml b/resources/v1.24.0/charts/istiod/templates/zzz_profile.yaml new file mode 100644 index 000000000..35623047c --- /dev/null +++ b/resources/v1.24.0/charts/istiod/templates/zzz_profile.yaml 
@@ -0,0 +1,74 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if ($.Values.global).platform }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }} +{{- $ignore := mustMergeOverwrite $profile (. 
| fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" ($.Values.global).platform) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/resources/v1.24.0/charts/istiod/values.yaml b/resources/v1.24.0/charts/istiod/values.yaml new file mode 100644 index 000000000..36150150e --- /dev/null +++ b/resources/v1.24.0/charts/istiod/values.yaml 
@@ -0,0 +1,539 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. 
This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. 
+ trustedZtunnelNamespace: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. 
+ reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. 
+ enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + # Default tag for Istio images. + tag: 1.24.0 + # Variant of the image to use. 
+ # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. 
+ # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. 
+ # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. 
+ # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. 
Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. 
This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. 
+ # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+ securityContext: {}
+
+ # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+ seccompProfile: {}
diff --git a/resources/v1.24.0/charts/ztunnel/Chart.yaml b/resources/v1.24.0/charts/ztunnel/Chart.yaml
new file mode 100644
index 000000000..27965303c
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.24.0
+description: Helm chart for istio ztunnel components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-ztunnel
+- istio
+name: ztunnel
+sources:
+- https://github.com/istio/istio
+version: 1.24.0
diff --git a/resources/v1.24.0/charts/ztunnel/README.md b/resources/v1.24.0/charts/ztunnel/README.md
new file mode 100644
index 000000000..ffe0b94fe
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-ambient.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 000000000..2805fe46b
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_META_ENABLE_HBONE: "true"
+global:
+ variant: distroless
+pilot:
+ env:
+ PILOT_ENABLE_AMBIENT: "true"
+cni:
+ ambient:
+ enabled: true
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..c8da4d2e1
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,33 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+ # 1.24 behavioral changes
+ ENABLE_INBOUND_RETRY_POLICY: "false"
+ EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+ PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-compatibility-version-1.22.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
new file mode 100644
index 000000000..70d8eb40c
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
@@ -0,0 +1,26 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+ # 1.24 behavioral changes
+ ENABLE_INBOUND_RETRY_POLICY: "false"
+ EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+ PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.22 behavioral changes
+ ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-compatibility-version-1.23.yaml
new file mode 100644
index 000000000..636bb6f15
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-compatibility-version-1.23.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.24 behavioral changes
+ ENABLE_INBOUND_RETRY_POLICY: "false"
+ EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+ PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-demo.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-demo.yaml
new file mode 100644
index 000000000..eadbde17c
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,90 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+ accessLogFile: /dev/stdout
+ extensionProviders:
+ - name: otel
+ envoyOtelAls:
+ service: opentelemetry-collector.observability.svc.cluster.local
+ port: 4317
+ - name: skywalking
+ skywalking:
+ service: tracing.istio-system.svc.cluster.local
+ port: 11800
+ - name: otel-tracing
+ opentelemetry:
+ port: 4317
+ service: opentelemetry-collector.observability.svc.cluster.local
+
+cni:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+ztunnel:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+global:
+ proxy:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ waypoint:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+pilot:
+ autoscaleEnabled: false
+ traceSampling: 100
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+
+gateways:
+ istio-egressgateway:
+ autoscaleEnabled: false
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ istio-ingressgateway:
+ autoscaleEnabled: false
+ ports:
+ ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+ # Note that AWS ELB will by default perform health checks on the first port
+ # on this list. Setting this to the health check port will ensure that health
+ # checks always work. https://github.com/istio/istio/issues/12503
+ - port: 15021
+ targetPort: 15021
+ name: status-port
+ - port: 80
+ targetPort: 8080
+ name: http2
+ - port: 443
+ targetPort: 8443
+ name: https
+ - port: 31400
+ targetPort: 31400
+ name: tcp
+ # This is the port where sni routing happens
+ - port: 15443
+ targetPort: 15443
+ name: tls
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
\ No newline at end of file
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-platform-k3d.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 000000000..cd86d9ec5
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /bin
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-platform-k3s.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 000000000..f3f2884aa
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /var/lib/rancher/k3s/data/current/bin/
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-platform-microk8s.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 000000000..57d7f5e3c
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/snap/microk8s/current/args/cni-network
+ cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-platform-minikube.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 000000000..fa9992e20
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniNetnsDir: /var/run/docker/netns
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-platform-openshift.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 000000000..8ddc5e165
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+ cniBinDir: /var/lib/cni/bin
+ cniConfDir: /etc/cni/multus/net.d
+ chained: false
+ cniConfFileName: "istio-cni.conf"
+ provider: "multus"
+pilot:
+ cni:
+ enabled: true
+ provider: "multus"
+seLinuxOptions:
+ type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-preview.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-preview.yaml
new file mode 100644
index 000000000..181d7bda2
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # Enable Istio agent to handle DNS requests for known hosts
+ # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+ ISTIO_META_DNS_CAPTURE: "true"
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-remote.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 000000000..d17b9a801
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+ enabled: true
+configMap: false
+telemetry:
+ enabled: false
+global:
+ # TODO BML maybe a different profile for a configcluster/revisit this
+ omitSidecarInjectorConfigMap: true
diff --git a/resources/v1.24.0/charts/ztunnel/files/profile-stable.yaml b/resources/v1.24.0/charts/ztunnel/files/profile-stable.yaml
new file mode 100644
index 000000000..358282e69
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/files/profile-stable.yaml
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+ stableValidationPolicy: true
diff --git a/resources/v1.24.0/charts/ztunnel/templates/NOTES.txt b/resources/v1.24.0/charts/ztunnel/templates/NOTES.txt
new file mode 100644
index 000000000..244f59db0
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+ $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+ $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
diff --git a/resources/v1.24.0/charts/ztunnel/templates/daemonset.yaml b/resources/v1.24.0/charts/ztunnel/templates/daemonset.yaml
new file mode 100644
index 000000000..c6e2daf48
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,197 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: ztunnel
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: ztunnel
+ {{- include "istio.labels" . | nindent 4}}
+ {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
+ annotations:
+{{- if .Values.revision }}
+ {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }}
+ {{- toYaml $annos | nindent 4}}
+{{- else }}
+ {{- .Values.annotations | toYaml | nindent 4 }}
+{{- end }}
+spec:
+ updateStrategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ selector:
+ matchLabels:
+ app: ztunnel
+ template:
+ metadata:
+ labels:
+ sidecar.istio.io/inject: "false"
+ istio.io/dataplane-mode: none
+ app: ztunnel
+ app.kubernetes.io/name: ztunnel
+ {{- include "istio.labels" . | nindent 8}}
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+ annotations:
+ sidecar.istio.io/inject: "false"
+{{- if .Values.revision }}
+ istio.io/rev: {{ .Values.revision }}
+{{- end }}
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+ spec:
+ nodeSelector:
+ kubernetes.io/os: linux
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | trim | indent 8 }}
+{{- end }}
+ serviceAccountName: ztunnel
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ containers:
+ - name: istio-proxy
+{{- if contains "/" .Values.image }}
+ image: "{{ .Values.image }}"
+{{- else }}
+ image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+ ports:
+ - containerPort: 15020
+ name: ztunnel-stats
+ protocol: TCP
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+ imagePullPolicy: {{ . }}
+{{- end }}
+ securityContext:
+ # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true
+ # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568
+ allowPrivilegeEscalation: true
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+ - NET_ADMIN # Required for TPROXY and setsockopt
+ - SYS_ADMIN # Required for `setns` - doing things in other netns
+ - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+ readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: false
+ runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+ seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+ readinessProbe:
+ httpGet:
+ port: 15021
+ path: /healthz/ready
+ args:
+ - proxy
+ - ztunnel
+ env:
+ - name: CA_ADDRESS
+ {{- if .Values.caAddress }}
+ value: {{ .Values.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: XDS_ADDRESS
+ {{- if .Values.xdsAddress }}
+ value: {{ .Values.xdsAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+ {{- end }}
+ {{- if .Values.logAsJson }}
+ - name: LOG_FORMAT
+ value: json
+ {{- end}}
+ - name: RUST_LOG
+ value: {{ .Values.logLevel | quote }}
+ - name: RUST_BACKTRACE
+ value: "1"
+ - name: ISTIO_META_CLUSTER_ID
+ value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+ - name: INPOD_ENABLED
+ value: "true"
+ - name: TERMINATION_GRACE_PERIOD_SECONDS
+ value: "{{ .Values.terminationGracePeriodSeconds }}"
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+ {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{- end }}
+ {{- with .Values.env }}
+ {{- range $key, $val := . }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ - mountPath: /var/run/ztunnel
+ name: cni-ztunnel-sock-dir
+ - mountPath: /tmp
+ name: tmp
+ {{- with .Values.volumeMounts }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ priorityClassName: system-node-critical
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ volumes:
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: istio-ca
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ - name: cni-ztunnel-sock-dir
+ hostPath:
+ path: /var/run/ztunnel
+ type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
+ # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
+ - name: tmp
+ emptyDir: {}
+ {{- with .Values.volumes }}
+ {{- toYaml . | nindent 6}}
+ {{- end }}
diff --git a/resources/v1.24.0/charts/ztunnel/templates/rbac.yaml b/resources/v1.24.0/charts/ztunnel/templates/rbac.yaml
new file mode 100644
index 000000000..a9ea6fb6a
--- /dev/null
+++ b/resources/v1.24.0/charts/ztunnel/templates/rbac.yaml
@@ -0,0 +1,74 @@ +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: ztunnel + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +--- +{{- if (eq .Values.platform "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ztunnel + labels: + app: ztunnel + release: {{ .Release.Name }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ztunnel + labels: + app: ztunnel + release: {{ .Release.Name }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . 
| nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ztunnel +subjects: +- kind: ServiceAccount + name: ztunnel + namespace: {{ .Release.Namespace }} +{{- end }} +--- diff --git a/resources/v1.24.0/charts/ztunnel/templates/zzz_profile.yaml b/resources/v1.24.0/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 000000000..72d3adc53 --- /dev/null +++ b/resources/v1.24.0/charts/ztunnel/templates/zzz_profile.yaml 
@@ -0,0 +1,74 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with .Values.profile }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" $.Values.profile) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- if ($.Values.global).platform }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }} +{{- $ignore := mustMergeOverwrite $profile (. 
| fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" ($.Values.global).platform) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/resources/v1.24.0/charts/ztunnel/values.yaml b/resources/v1.24.0/charts/ztunnel/values.yaml new file mode 100644 index 000000000..adf98c046 --- /dev/null +++ b/resources/v1.24.0/charts/ztunnel/values.yaml 
@@ -0,0 +1,98 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: docker.io/istio + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.24.0 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. 
Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t 
diff --git a/resources/v1.24.0/profiles/ambient.yaml b/resources/v1.24.0/profiles/ambient.yaml
new file mode 100644
index 000000000..ddaaa4415
--- /dev/null
+++ b/resources/v1.24.0/profiles/ambient.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+spec:
+ values:
+ profile: ambient
diff --git a/resources/v1.24.0/profiles/default.yaml b/resources/v1.24.0/profiles/default.yaml
new file mode 100644
index 000000000..1f44cc310
--- /dev/null
+++ b/resources/v1.24.0/profiles/default.yaml
@@ -0,0 +1,10 @@
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+spec:
+ # Most default values come from the helm chart's values.yaml
+ # Below are the things that differ
+ values:
+ defaultRevision: ""
+ global:
+ istioNamespace: istio-system
+ configValidation: true
diff --git a/resources/v1.24.0/profiles/demo.yaml b/resources/v1.24.0/profiles/demo.yaml
new file mode 100644
index 000000000..fad37e4c2
--- /dev/null
+++ b/resources/v1.24.0/profiles/demo.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+spec:
+ values:
+ profile: demo
diff --git a/resources/v1.24.0/profiles/empty.yaml b/resources/v1.24.0/profiles/empty.yaml
new file mode 100644
index 000000000..01052de7f
--- /dev/null
+++ b/resources/v1.24.0/profiles/empty.yaml
@@ -0,0 +1,5 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+spec: {}
diff --git a/resources/v1.24.0/profiles/openshift-ambient.yaml b/resources/v1.24.0/profiles/openshift-ambient.yaml
new file mode 100644
index 000000000..17516cf0e
--- /dev/null
+++ b/resources/v1.24.0/profiles/openshift-ambient.yaml
@@ -0,0 +1,7 @@
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+spec:
+ values:
+ profile: ambient
+ global:
+ platform: openshift
diff --git a/resources/v1.24.0/profiles/openshift.yaml b/resources/v1.24.0/profiles/openshift.yaml
new file mode 100644
index 000000000..a34dfe528
--- /dev/null
+++ b/resources/v1.24.0/profiles/openshift.yaml
@@ -0,0 +1,6 @@
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+spec:
+ values:
+ global:
+ platform: openshift
diff --git a/resources/v1.24.0/profiles/preview.yaml b/resources/v1.24.0/profiles/preview.yaml
new file mode 100644
index 000000000..485687d6a
--- /dev/null
+++ b/resources/v1.24.0/profiles/preview.yaml
@@ -0,0 +1,8 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+spec:
+ values:
+ profile: preview
diff --git a/resources/v1.24.0/profiles/remote.yaml b/resources/v1.24.0/profiles/remote.yaml
new file mode 100644
index 000000000..fcd281aa0
--- /dev/null
+++ b/resources/v1.24.0/profiles/remote.yaml
@@ -0,0 +1,7 @@
+# The remote profile is used to configure a mesh cluster without a locally deployed control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+spec:
+ values:
+ profile: remote
diff --git a/resources/v1.24.0/profiles/stable.yaml b/resources/v1.24.0/profiles/stable.yaml
new file mode 100644
index 000000000..594344792
--- /dev/null
+++ b/resources/v1.24.0/profiles/stable.yaml
@@ -0,0 +1,5 @@
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+spec:
+ values:
+ profile: stable
diff --git a/versions.yaml b/versions.yaml
index 3924e7f09..1f36e6a98 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -11,6 +11,16 @@
 # go.mod affect the generated API schema for the Sail CRDs (e.g. IstioRevision),
 # as well as all the Istio CRDs (e.g. VirtualService).
 versions:
+ - name: v1.24.0
+ version: 1.24.0
+ repo: https://github.com/istio/istio
+ commit: 1.24.0
+ charts:
+ - https://istio-release.storage.googleapis.com/charts/base-1.24.0.tgz
+ - https://istio-release.storage.googleapis.com/charts/istiod-1.24.0.tgz
+ - https://istio-release.storage.googleapis.com/charts/gateway-1.24.0.tgz
+ - https://istio-release.storage.googleapis.com/charts/cni-1.24.0.tgz
+ - https://istio-release.storage.googleapis.com/charts/ztunnel-1.24.0.tgz
 - name: v1.23.3
 version: 1.23.3
 repo: https://github.com/istio/istio